
Top Six Cloud Security Mistakes and How to Fix Them

28.09.2020, 5 minutes

Sergey Zinkevich

Security matters in every cloud environment. As cloud adoption grows, so does the risk of a data breach: providers keep improving their defences, but attackers keep probing an ever-widening attack surface. Can cyberattacks be avoided and the cloud protected against threats?

Introduction

One in two corporate cloud users asks, "Why should I believe the provider won't share my data with cybercriminals?" Reality looks quite different: according to Kaspersky Lab experts, people, not providers, cause nine out of ten data breaches in the cloud.

'An on-premises environment is more secure than the cloud' is a myth worth busting, so we will look at the typical mistakes made by cloud providers' customers that lead to incidents. Having completed 2,000+ cloud projects, we know from experience that the majority of incidents are caused by human error: inattention or a lack of basic knowledge of data-handling rules.

Below we review the six most common situations in which a risk to information security can easily be prevented. Can cloud storage eventually replace physical media? How can users protect their information in the cloud? Are cloud services secure? Let's find out.


Open ports in the infrastructure

Attackers scan ports automatically, around the clock, looking for a way into a network: to abuse its resources, recruit machines into a botnet, or launch Distributed Denial-of-Service (DDoS) attacks. Even an isolated cloud account used only to train administrators in launching virtual machines may one day be taken over this way.

Tip: Close every server and network port that is not needed, bind internal services to internal addresses only, and restrict inbound connectivity to known sources.
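As an added example (not code from the original article), the following Python script implements the audit behind this tip: it parses output in the format of `ss -tuln` (the Linux iproute2 socket listing) and reports every socket that is bound to a non-loopback address and whose protocol/port pair is not on an allowlist. The `ss` output and the allowlist below are constructed for the example; services bound only to 127.0.0.1 or ::1 are treated as acceptable because they are not reachable from the network.

```python
"""Audit listening sockets against an allowlist of network-facing ports.

Added example. Parses text in the format of `ss -tuln` (Linux iproute2);
the sample output and the allowlist below are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Set, Tuple

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q   Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0        127.0.0.53%lo:53    0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128      127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      511      0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      128      [::]:3306           [::]:*
tcp   LISTEN 0      128      *:6379              *:*
"""

# (protocol, port) pairs that are allowed to face the network; assumed policy.
ALLOWLIST: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


class Listener(NamedTuple):
    proto: str  # "tcp" or "udp"
    addr: str   # bind address with brackets and "%iface" suffix removed
    port: int


def parse_ss(text: str) -> List[Listener]:
    """Turn `ss -tuln` output into Listener records; the header line is skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # rpartition keeps IPv6 literals intact: "[::]:3306" -> ("[::]", "3306")
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # "127.0.0.53%lo" -> "127.0.0.53"
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcard binds ("*", "0.0.0.0", "::") are False."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" and other non-address tokens
        return False


def audit(listeners: List[Listener], allowlist: Set[Tuple[str, int]]) -> List[Listener]:
    """Return network-facing listeners whose (proto, port) is not allowlisted."""
    return [
        l for l in listeners
        if not is_loopback(l.addr) and (l.proto, l.port) not in allowlist
    ]


if __name__ == "__main__":
    for bad in audit(parse_ss(SAMPLE_SS), ALLOWLIST):
        print(f"EXPOSED: {bad.proto}/{bad.port} bound to {bad.addr}")
```

On a real host, feed the output of `ss -tuln` to `parse_ss`. Everything the audit reports should either be stopped, rebound to a loopback or internal address, or added to the allowlist deliberately; the cloud security group or firewall rules should then mirror that allowlist so that the host and the network agree on what is exposed.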


Weak passwords

A guessable password such as a mother's maiden name is cracked in under a week even by an opportunistic attacker who did not target you in particular; in a well-organised attack it is a matter of hours or minutes. Poor password hygiene regularly ends in a massive leak and lasting damage to a company's reputation. In 2019, for example, biometric data of 5,700 organisations around the globe was exposed because of unprotected access to the BioStar 2 database.

Tip: Strong, unique passwords are good; two-factor authentication (2FA) on top of them is better.

 

No data encryption in the cloud

Properly encrypted data is useless to an attacker: without the key, brute-forcing a modern cipher takes longer than anyone can wait. Large cloud providers encrypt traffic in transit to prevent interception. That alone does not rule out leaks, because the weak point is usually not the cloud but the customer's own infrastructure, where the data is decrypted, copied and processed.

Tip: Encrypt your data at rest as well as in transit, keep the keys separate from the data they protect, and use proven controls on local workstations such as data loss prevention (DLP) and endpoint protection.

No data masking

Most often, a user database ends up in the public domain because a copy of the production database was used for developing or testing information services. There is nothing wrong with that, provided the real personal data has been masked, i.e. the original values are replaced with meaningless substitutes before the copy leaves production.

Tip: Mask real data when developing applications and customer services, and never hand unmasked production copies to development or test environments.
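As an added example (not from the article), the Python code below masks a constructed customer table and a constructed orders table before they are handed to development. It uses keyed, deterministic pseudonymisation (HMAC-SHA256 with a key that stays in production): the same real e-mail maps to the same fake e-mail in both tables, so foreign keys and joins still work in the test environment, while nothing in the output reveals the original values and the mapping cannot be recomputed without the key. The table contents, column names and the masking key are all assumptions.

```python
"""Mask personal data in database copies with keyed, deterministic pseudonyms.

Added example. The tables and the masking key are constructed for illustration;
in production the key would live in a secret store and never leave the masking job.
"""
import hashlib
import hmac
from typing import Callable, Dict, List

Row = Dict[str, str]

# Constructed sample data (not real people).
USERS: List[Row] = [
    {"id": "1", "name": "Anna Petrova", "email": "anna.petrova@example.com", "phone": "+7 916 123-45-67"},
    {"id": "2", "name": "Ivan Sidorov", "email": "i.sidorov@example.org", "phone": "+7 903 765-43-21"},
]
ORDERS: List[Row] = [
    {"order_id": "1001", "customer_email": "anna.petrova@example.com", "amount": "1200.00"},
    {"order_id": "1002", "customer_email": "I.Sidorov@example.org", "amount": "350.00"},
]
MASKING_KEY = b"demo-key-kept-in-production-only"  # assumption for the example


def pseudonym(key: bytes, value: str, length: int = 12) -> str:
    """Keyed, case-insensitive pseudonym: identical inputs give identical outputs,
    and without `key` the output cannot be linked back to the input."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:length]


def mask_email(key: bytes, email: str) -> str:
    # Keep the shape of an e-mail address but drop both the real local part and domain.
    return f"user-{pseudonym(key, email)}@example.test"


def mask_name(key: bytes, name: str) -> str:
    return f"Customer {pseudonym(key, name, 6).upper()}"


def mask_phone(key: bytes, phone: str) -> str:
    # Preserve the +7 XXX XXX-XX-XX layout so UI and validation code keep working.
    digits = str(int(pseudonym(key, phone), 16) % 10 ** 10).zfill(10)
    return f"+7 {digits[:3]} {digits[3:6]}-{digits[6:8]}-{digits[8:]}"


# Which columns carry personal data and how to mask them; other columns pass through.
RULES: Dict[str, Callable[[bytes, str], str]] = {
    "name": mask_name,
    "email": mask_email,
    "customer_email": mask_email,  # same rule as users.email keeps the join intact
    "phone": mask_phone,
}


def mask_table(rows: List[Row], key: bytes, rules: Dict[str, Callable[[bytes, str], str]]) -> List[Row]:
    """Apply the column rules to every row; unlisted columns are copied unchanged."""
    return [
        {col: rules[col](key, val) if col in rules else val for col, val in row.items()}
        for row in rows
    ]


if __name__ == "__main__":
    for row in mask_table(USERS, MASKING_KEY, RULES) + mask_table(ORDERS, MASKING_KEY, RULES):
        print(row)
```

Two design points matter here. A plain hash without a key would let anyone with a list of candidate e-mails recompute and match the pseudonyms, so the HMAC key is what makes the masking irreversible for the test environment. And because e-mail addresses are compared case-insensitively before hashing, an order stored with a differently capitalised address still joins to its customer after masking.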

 

No backups

Cloud backups cost extra, sometimes as much again as the cloud services themselves. Many customers therefore skip them, and later discover that recovery after a disaster is impossible. In fact there are options for every budget: backup as a service from another provider, on-premises backup connected to the data centre over a secured link, or active-active continuous replication between cloud data centres.

Tip: A bad backup is better than no backup. Back up your data anyway, and test that you can actually restore from it.

No cloud-native protection tools

Apart from traditional solutions, there are services that protect against cloud-specific threats: for example, monitoring of the cloud infrastructure that does not need to be installed on the customer's hardware. There are also configuration-integrity tools that support personal data protection levels 1 and 2 (the levels defined under Russian personal data regulation) in a private cloud. Such a system blocks any unauthorised operation; access is restored only on request to the data centre administrator, who reboots the equipment once management approval has been received.

Tip: Use cloud-native protection tools in addition to traditional ones.

 

Conclusions

Every cloud is unique. A provider might skip some information security measures and thereby enable data leaks, DDoS attacks or data deletion. However, most large service providers run a multi-stage incident detection and prevention system that spans everything from physical access to the data centre to the regulatory documentation covering every technical and organisational aspect of working in their clouds. This is easy to check: ask for certificates confirming that the infrastructure complies with the strictest requirements of Russian and international standards, such as ISO 27001 and PCI DSS. The latter is only mandatory for companies involved in payment card processing, but having it in place is evidence of a more reliable platform, because it specifies protection requirements for each infrastructure level and requires penetration testing to confirm that virtual environments are isolated from one another.

Ideally, such ethical hacking should be conducted at least twice a year. Certificates of compliance with Federal Law 152-FZ "On Personal Data" matter more to companies that handle personal data of customers and employees; they are issued only after a dedicated audit confirming that all organisational and technical measures for correct and secure storage and processing of personal data are in place. Finally, customer and provider should sign a contract, an SLA and an NDA under which the provider undertakes, among other things, to protect the data and to compensate financial and reputational damage caused by non-performance. A provider that hands over all of the above documents has shown that its side of the shared responsibility is covered; the six mistakes listed above remain on the customer's side, and no cloud can be declared free of information security risk.

Mentioned services

  1. CROC Public Cloud
