Ever since cloud computing became widely adopted, it has also been mentioned in association with data breaches and other security issues. This is unfortunate, because while databases and other hacked resources may have been hosted on cloud infrastructure, the cloud environments were almost never the proximate cause of the breach. By far the biggest vulnerability in every company’s cyberdefenses is its people.
If you don’t believe us, just consider these examples, drawn from some of the world’s most widely publicized incidents:
WWE Breach: A security breach of World Wide Entertainment’s cloud server resulted in leaked personal data for some three million users. How? A human — likely an inattentive employee — misconfigured the privacy permissions on the company’s information.
Amazon Breaches: The online retail giant Amazon has disclosed numerous security breaches of customer information on its cloud platforms due to employees sharing data with unauthorized third parties.
Google Cloud Breaches: Last year, cloud giant Google was implicated in numerous user data breaches. However, the culprit here was also people. In one instance, hackers sent phishing emails containing URLs spoofed to look like Google links. Users who clicked on the links and entered their credentials handed them to the hacker, who gained access to their data and systems.
Unfortunately, in many cases, “the cloud” makes the headlines while the real culprits — unwitting, untrained or careless individuals — are mentioned only in small print.
Cloud Security 101
This is not to suggest all cloud resources are created equal. Business leaders wishing to store data, host apps or otherwise leverage the cloud can maximize their security (and peace of mind) by selecting a provider that uses every possible protection to avoid its systems being hacked or physically compromised. Two best practices we consider critical to cloud security follow.
Confirm Certifications: There are many cloud certifications, but not all of them are relevant to security practices. Two that are security focused, and that we leverage to protect our own cloud environments, are ISO 27001 and SOC 2 TYPE 2 (an alternative, SOC 3 TYPE 2, also covers security but is not as stringent as SOC 2 TYPE 2). Firms should also ensure their cloud provider adheres to any security rules relating to their industry, such as HIPAA for medical industry firms.
Identify Where Cloud Resources Are Housed: “The Cloud” is a misnomer, because all “cloud” resources must reside in a data center somewhere. The cloud environment model we use — and recommend all business decision makers seek in their provider — is an SSAE 16-audited, secure, hardened data center that is monitored 24/7/365. It should also include biometric security; redundant UPS power with a generator backup; dry system fire suppression; and redundant HVAC.
There are other best practices that promote security in the cloud while maintaining affordability, flexibility and ease of use. We won’t get into those here, but we are always happy to discuss the options. In the meantime, we will leave you with this final thought.
Consumer credit reporting company Experian, which tracks potential threats to sensitive data, recently predicted five data breach targets for 2021:
- The COVID-19 vaccine rollout
- Home networks
- Contact tracing efforts
- 5G mobile networks
- Personal healthcare data
In the announcement, Michael Bruemmer, VP of Data Breach Resolution and Consumer Protection at Experian, described 2021 as a “cyber-demic.” Against this background, we believe that leveraging secure cloud resources from a seasoned provider, especially for prime targets such as remote work environments and healthcare databases, is the safest path to tread.