By Christian Chavez, Technical Sales Engineer, INetU
The topic of whether or not companies should move their data and information to the cloud is still an ongoing discussion. While this debate continues, the real question IT decision makers should ask is how can we adequately secure our critical systems, applications, and data?
With so much internal and client information at stake, companies can’t afford to leave that data within easy reach of hackers. Many security experts believe businesses should always be prepared for security mishaps. That way, the business won’t be in reaction mode, which often comes too late to anticipate the damage stemming from the loss of data.
The following are a few tips for enterprises to keep their data safe in the cloud:
Know your data. You need to know not only what data you are keeping on your servers, but also where that data is located. This will help you build a strong game plan for securing it. For example, are you keeping financial or medical information? Answering this question is important for compliance standards, like PCI (Payment Card Industry), that require limited access to key data in Requirement 7, which restricts access to cardholder data by business “need-to-know.” If you don’t know what the data is or where it is located, you can’t limit access to it.
Have a data classification policy. This step is often overlooked. You need to know how to classify your data in order to properly protect it. Data protection is not always cheap (in both money and resource usage), so knowing what data needs to be protected the most and what data needs less protection will help you stay safe and successful. Security standards like PCI and HIPAA require certain actions on certain types of data. If you don’t classify your data, you could end up applying those actions to too much data, or to too little.
Understand the laws. When dealing with certain data, like health or credit card information, there are sometimes laws and/or policies that need to be followed. Take the time to read and understand these policies. You want to make sure you are properly handling your data. Laws are in place for a reason, and sometimes the penalties can be steep. Also, when moving data from one country to another, be aware of the laws concerning data privacy in that country.
Know how to protect your data. Once you know your data, how to classify it, and how to handle it, you can start to protect it. The more people who have logical access to the data, the more threats exist. You can’t just think about logical security; you must also think about physical security by ensuring that cameras are in place, racks are locked, and so on. Many studies have shown that most data breaches are from physical actions, such as stealing a cell phone that has work information on it. Certain regulations and policies, such as HIPAA and PCI, require protected data to be stored in a particular way. Each policy is different, so do your research to see what each one entails.
Along with the tips mentioned above, when it comes to protecting your data, you must remember that your cloud stores important and often confidential information, so the more layers of security there are, the better. Below are a few examples of common data protection tools used in a defense-in-depth strategy.
After implementing a firewall to keep passwords and other critical information safe, companies frequently forget to segment their data, but this is crucial to protecting your information. By segmenting your database from your web server and placing it in a separate location, you decrease the possibility of losing all of your data if you are hacked.
From there, implement a web application firewall that will look at all of the requests coming in to your server. This tool will log all of the activities going on, review these activities, and find and correlate any incidents that may mean someone is trying to gain access to your server.
Also make sure to implement file integrity monitoring as the last line of defense. This system will alert you if someone is manipulating or deleting data or entering code. If something gets flagged, your IT department can investigate and save your company from having to do damage control.
Cloud security doesn’t have to be a mystery. By knowing where your data is and having policies and security tools in place to provide numerous layers of protection, your company can sleep at night knowing its data is protected.
Christian Chavez, Technical Sales Engineer at INetU, is an Information Technology expert and a VMware Certified Professional with a diverse information technology and business background. His 15 years of education, skills and experience in networking, security architecture, and systems performance continue to enable a successful track record of meeting INetU client objectives by utilizing strong leadership, management, and architecture engineering skills. He has been acknowledged for building robust information network and security frameworks as well as improving existing IT infrastructures for critical web and application platforms.