A safe public cloud security strategy based on five basic measures
Online threats will never abate, and the technologies used by those up to no good will become increasingly advanced. For this reason it’s important to be “in control”. And this, in essence, is what a safe public cloud security strategy is all about. In order to achieve this it’s very important to understand how the various applications run and where data is stored.
The Cyber Security Council (CSR) has been alerting the Netherlands to its digital vulnerability for many years. Often, not even the most basic security measures are taken. This was confirmed in our Security Awareness Study in mid-2020. Yet it need not be complicated at all. Here are five steps each organisation should take to ensure security & compliance in the public cloud.
Five basic security measures
Firstly, the foundation must be in good order. This begins with defining who has which responsibilities. Organisations can opt for an IaaS, PaaS or SaaS solution. Each form has its own structure of responsibilities. Wanting a lot of freedom automatically increases one’s responsibility. Furthermore, it’s important to know where specific data is stored. Consider how important certain data is to your organisation and, based on that, make a choice on where and how that data should be stored. When doing this, do keep the corresponding laws and regulations in mind (see item 4).
Secure your IT from the ground up. We refer to this as “secure by design”. Segmentation forms an important part of this. It prevents multiple apps running in the same network segment. In addition, it would be good to limit the access to data per person. This substantially decreases the risk of a man-made data breach. Have the IT Department implement (security) updates on a regular basis, but also apply “continuous hardening” to software vendors’ standard configurations. These are intended to make the app easy to operate. It makes for excellent marketing, but quite often these standard features are not used at all. Organisations should always ask themselves what it is they really use and whether it is necessary. Although this makes sense, it is often given a low priority. And once an application is live, many organisations leave it as it is.
- Security Awareness
It takes more than technical solutions to achieve your goal. After all, there is always the potential for human error. Employees are often not aware of the possible disastrous consequences of clicking on a link in a phishing mail or the downloading of malware, and accidents do happen. This is why it’s to the benefit of each organisation that employees are aware of the risks and know how to act on it if something still goes wrong unexpectedly. We’ve observed that training people and carrying out phishing tests is still necessary and that it works. Several effective and accessible training modules are available for this and can be adapted to your organisation’s requirements.
Compliance, like awareness, is the responsibility of the entire organisation. You have to ensure that your processes are in good order, that they meet laws and regulations and that everyone adheres to this. How to deal with data? Here as well it’s important to create awareness among all employees and perform regular checks. Quite a chore when all the data is stored in-house, but what if you are (partly) making use of the public cloud? Solvinity invested in this and was the first Managed Service Provider in the Netherlands to receive an SOC 2 Compliance Report on the entire management environment, including Azure cloud.
Invest in knowledge. Security is a discipline that is constantly in motion. This makes it essential to keep the knowledge up to date. It’s a speciality that can be quite an expensive undertaking if this field is not your core business. Outsourcing it to a reliable and experienced partner with the benefit of scale could then be a serious consideration. At Solvinity we have to deal with the circumstances of a great variety of customers, which makes for an ongoing learning and innovation process. We are as secure as our strictest customer, which is something all customers benefit from. That’s what makes working at Solvinity so much fun; we’re always on the ball.