A Beginner’s Guide to Security and Compliance

Here’s how security rates in far too many projects: right before launch day, someone says, “Hey, we need to put some type of password program in place.” In other words, at the end of the project development phase rather than the beginning.

Don’t make that mistake with your own cloud projects. The time to discuss security issues is the first meeting after the project is approved. Really. Security for your project should be the foundation of the project, not a sign tacked on the last day.

When you approach cloud projects with a security mindset, projects go more smoothly, there are fewer steps backwards, and there are no news headlines after someone downloads customer information and triggers a data breach announcement. If your management isn’t as security-minded as it should be, keep a file of data breach reports close by to help persuade them that security early means peace of mind later.

Companies hosting cloud servers must keep them physically secure and in good security shape. The first means a location with appropriate physical isolation and access protocols in place for the hardware; the second means keeping patches up to date. There is no reason to make it easier for attackers by leaving publicized holes wide open, yet amazingly, many companies do just that by ignoring updates.

Application security comes next. If the cloud project supports a single application, user access security and authentication will go a long way toward maintaining security. When applications share data within one project, security gets two times more complicated for each application involved. Security on the front side, for users, must follow authentication protocols. Security on the back side, for data sharing, must be tracked, logged, and audited for compliance. If you’re working with customer financial or health data, the security and compliance demands jump up yet again.

For compliance purposes, and to verify that your user authentication protocols are working properly, audit trails are your friend. Enable logging everywhere possible: file access, file save, file copy, changes to the access control list (ACL), who has authority to view the log files, and so on. Yes, it’s a lot of work, but preventing data breaches is far, far easier than making amends later.
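As an added example (not code from the original post), here is a small audit trail that records the kinds of events listed above and makes the log itself tamper-evident: every record stores the hash of the record before it, so editing or deleting an entry breaks the chain when the log is verified. The hash chaining, the event names (`file.read`, `acl.change`, `log.view`) and the sample events are all assumptions made for this example; a real deployment would also ship the records to write-once storage.

```python
"""Hash-chained audit trail: a minimal, tamper-evident log for compliance review."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # constructed seed for the first link in the chain


def _digest(prev_hash: str, body: dict) -> str:
    """Hash of the previous link plus a canonical JSON encoding of this record."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit trail (kept in memory for this example)."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, target: str,
               outcome: str = "success", **detail) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,      # assumed naming: file.read, acl.change, log.view ...
            "target": target,
            "outcome": outcome,
            "detail": detail,
        }
        entry = {"prev": prev, "body": body, "hash": _digest(prev, body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Return (ok, index_of_first_bad_entry); the index is -1 when the chain is intact."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != expected_prev or e["hash"] != _digest(e["prev"], e["body"]):
                return False, i
            expected_prev = e["hash"]
        return True, -1

    def events(self, action_prefix: str) -> list:
        """Filter records for review, e.g. every ACL change or every log view."""
        return [e["body"] for e in self.entries
                if e["body"]["action"].startswith(action_prefix)]


def demo() -> dict:
    """Constructed walk-through: record events, verify, then detect a back-dated edit."""
    log = AuditLog()
    log.record("alice", "file.read", "/data/customers.csv")
    log.record("alice", "file.copy", "/data/customers.csv", dest="/tmp/c.csv")
    log.record("bob", "acl.change", "/data/customers.csv", added="carol", permission="read")
    log.record("carol", "log.view", "audit.log")
    log.record("dave", "file.read", "/data/customers.csv", outcome="denied")
    intact, _ = log.verify()
    # An insider rewrites who was granted access; the stored hash no longer matches.
    log.entries[2]["body"]["detail"]["added"] = "mallory"
    tampered, bad_index = log.verify()
    return {
        "intact": intact,
        "tampered": tampered,
        "bad_index": bad_index,
        "acl_changes": len(log.events("acl.")),
        "denied": sum(1 for e in log.entries if e["body"]["outcome"] == "denied"),
    }


if __name__ == "__main__":
    print(demo())
```

Reviewing the trail then becomes a matter of filtering by action (`log.events("acl.")` answers "who changed permissions on what") and running `verify()` before trusting any of it.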

The single biggest security threat to every computing project, in-house or in-cloud? Users. Your coworkers. Your bosses. Everyone with access to a cloud service is a potential security risk.

Most cloud security breaches are not the result of genius hackers blasting through firewalls; they’re the result of users being careless with their passwords. The joke about passwords stuck to monitors is old and true, but not funny. And if the password is not on a sticky note on the monitor, it’s on a piece of paper under the keyboard. Or saved in the browser of a computer with no encryption and a bad password. Or in a smartphone with no password.

The technology is easy to lock down, at least compared to the users. Don’t let users share passwords. Don’t let users set their own (weak) passwords. And make sure password security stays fresh in users’ minds by reinforcing it on a regular basis.
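One way to stop users from setting their own weak passwords is to enforce a policy at the point where the password is set and to store it with a slow, salted hash so that a stolen credential store is still hard to use. The following is an added example, not code from the original post; the minimum length, the tiny common-password list and the scrypt parameters are assumptions chosen for illustration.

```python
"""Password policy check plus salted scrypt storage (illustrative policy values)."""
import hashlib
import hmac
import os
from typing import List, Optional

MIN_LENGTH = 12  # assumed policy value
# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwerty123456", "letmein12345"}
# Assumed scrypt cost parameters (about 16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def check_password_policy(password: str, username: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash; the stored string carries algorithm, salt and key."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, salt_hex, key_hex = stored.split("$")
    if algo != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(key.hex(), key_hex)


def set_password(username: str, password: str) -> Optional[str]:
    """Apply the policy first; return the stored hash, or None when the policy rejects it."""
    if check_password_policy(password, username):
        return None
    return hash_password(password)


if __name__ == "__main__":
    print(check_password_policy("password1", "alice"))  # constructed weak example
    stored = set_password("alice", "correct horse battery staple")
    print(stored is not None and verify_password("correct horse battery staple", stored))
```

The policy function returns every violation at once so the user gets one clear message rather than a guessing game, and the hash format records the algorithm so the cost parameters can be raised later without breaking existing accounts.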
