Previous posts about cloud security have covered a wide range of topics and issues; some of these have included tips on connecting both private and public clouds; cloud computing security risks; pointers on the pros/cons of the hybrid cloud model, and more.
This post will focus on a growing concern facing both public and private sector organizations, not only in the US but globally: a few security holes affecting cloud implementations, and the steps you can take to keep them from becoming a major digital thorn for you.
And amazingly, I still see examples of servers with default user IDs that are untouched, default passwords that are never changed – and in extreme cases – no password set up at all! So there’s your data in the cloud with a login prompt totally exposed – no protection, no password/user/access authorization rules. It’s enough to turn an IT manager’s hair white overnight – and result in many a sleepless night to boot!
Organizations from all walks of life are migrating to the cloud, principally to reduce costs. But many don’t factor in an important consideration – they lack the internal resources/skills to initially determine how to best protect their data, and once the data’s in the cloud, how to then protect it on an ongoing basis.
Before you jump to the cloud, you also need to figure out who’s going to provide security. Should your IaaS provider offer a certain level of security? Have your MSP using that IaaS do it for you? Do it yourself?
All of the above. The IaaS, for instance, owns the address space: if your network/server is compromised, it will appear from an outsider’s perspective that the IaaS’ address space has been compromised. And not only can the telco snatch those IP addresses from the IaaS, but the federal government can close down the servers and lines, which means the IaaS could be hurt financially and even forced to close its doors.
So how can you patch these potential holes so your organization’s data isn’t put at risk? Here are a few simple tips:
✓ With any kind of remote connection, lock it up and use a VPN, e.g., a certificate-based SSL VPN with AES-256 encryption.
✓ Conduct due diligence with your MSP and IaaS.
✓ Check out the hardware side of your virtual environment and make sure your virtual neighbors can’t accidentally access your data.
✓ Trust no one and make sure that your LAN is yours and yours alone!
Any questions? Email me at firstname.lastname@example.org.