When an organisation’s IT infrastructure is inhouse, responsibility for its management, application systems, and efficiency is in the hands of the IT Department. To be sure, some aspects of security will require input from the organisation, but IT is in the main responsible for the protection of the company’s data assets.
Adding external connections for remote access brings another level of complexity and anxiety, where part of the security environment is in the hands of third parties responsible for the security of the connection and the data transmitted over it.
Moving IT systems to the cloud further complicates the issue. Now, not only is the security of data access and transmission out of the direct control of the organisation, but the security of the company processing systems is vested in another organisation. You are placing ultimate trust in third parties to keep your intellectual property, financial and operational data secure.
Organisations contemplating, or completing a move to the Cloud need to be aware of the new security risks that come with Cloud Computing. Here are the current top three, but be aware that Cloud Computing is a rapidly changing world, and this list will be out of date very soon:
The Cloud provides the opportunity for company systems to be available to users anywhere, anytime. They use their smart devices, tablets or desktop computers to link to the company systems over the Internet. The link can be via WiFi, Fibre to the Home, or in the case of sales and support staff via a client network.
The connection may also use WiFi provided in public locations like hotels or shopping malls. The IT department has no control over how these connections are made and the security provided by third parties as data travels over public connections.
Where the IT department can increase the security of such connections secure is to:
- Use a VPN to establish the connection. The smart device must have a client app that establishes the connection. This ensures a common security profile for access, easing IT support issues.
- Make it an encrypted connection to prevent man-in-the-middle attacks.
- Have an authentication process, ideally both to the VPN client and to the corporate systems.
- Some organisations insist on having remote control of smart devices. Corporate data can be downloaded to them and needs to be destroyed if the device is sold, lost, or stolen, or the user leaves the organisation. Remote apps can give IT the option of wiping the device and removing all data from it.
Access to corporate systems needs to be controlled. A granular approach to authentication is needed to ensure only authorised users can gain access, and only to the functions, they are authorised to use. Two-Step authentication is becoming increasingly popular.
The use of SSO needs to be carefully controlled to ensure that users have access to only those functions they are authorised to use. Strictly speaking not a Cloud issue, but security staff needs to be able to manage user profiles and access lists. This must be allowed in the case of an outsourced Cloud host.
HR also needs to put policies in place to ensure that new users are added to authentication lists. One area that is often neglected is the removal of ex-employees from access control lists and mailing lists.
The network, as the gateway to corporate systems data, is an area that needs serious security protection. Having moved to the Cloud, if the host is outsourced, your connections use dedicated connections to reach the host.
In both cases, two common issues are DDoS attacks and ransomware.
DDoS attacks can be fatal to organisations that rely on being always online. A DDoS attack taking an organisation offline can result in revenue loss, reductions in customer trust, and decreased brand authority.
Ransomware is another potentially crippling threat to a business. Often the quickest and surest recovery is to go back to bare metal and reload the entire computing environment from a good recent backup. A prudent organisation keeps a clean backup set to hand.
If the cloud host is outsourced, you need to be certain that the host has proper and sufficient security in place to secure your systems and access to them.
A comprehensive network security environment covering both internal and cloud systems is needed to ensure peace of mind.