A Practical Guide To Protecting Business Data In The Cloud

By Matthew Reeve on 11th April, 2019.


At the B2B Marketing Expo 2019, Secura’s Head of Pre-Sales Anthony Doncaster delivered a crucial seminar on cyber security to keep everyone up to date with the current threat landscape, common cloud data security issues, and the practical steps to take to ensure your cloud is properly protected.

If you missed it, fear not. In this blog post we will recap the expertise and insights he shared.

The Threat Landscape

As digital businesses, it has never been more important to protect our data and the data of our customers. More and more of our lives and businesses are now online. This represents a huge opportunity for criminals to profit from stolen data. Did you know that cybercrime damages could reach $6 trillion by 2021? This would be more profitable than the global trade of all major illegal drugs combined. Online applications and systems are also now more complex and interconnected, meaning there are more potential flaws to exploit for greater gain.

Recently we’ve seen real-world breaches hit headline news. Recent examples of data breaches and misuse include the Facebook / Cambridge Analytica scandal and 90 million user accounts exposed in September 2018. And this year, thousands of confidential files were potentially exposed at file sharing service Box. And of course, Uber… no need for further explanation here.

But most breaches go unreported and sometimes even completely unnoticed. Not everyone is as newsworthy as Facebook. However, the breaches are no less serious. Many breaches are not even the result of direct malicious activity or hacks. Many of these data leaks result from incorrect configurations of applications, servers, firewalls and networking.

But let’s get into the nasties. The exploit landscape is dense and evolves with new technology, meaning new and complex technology is constantly providing opportunities for attackers. The Meltdown and Spectre vulnerabilities in Intel processors are a great example.

Viruses and malware can infect servers and lead to loss and disruption. The number of strains in the wild is huge. Kovter, Emotet, Zeus, Readyms, TinyLoader, the list goes on and on. Recently, ransomware has become one of the most dangerous cyber crime threats. It infects workstations, devices and infrastructure. It will lock all files and demand a ransom payment for removal.

I’m sure if you’re reading this, you’ve heard of the EU General Data Protection Regulation. In 2018, more rigorous data protection laws were introduced, with revamped and hefty penalties for data breaches. Breaches can incur fines up to 4% of annual global turnover or simply a fine of €20 Million (whichever is greater). However, the GDPR does not in itself demand specific security technology. What it does outline is the need for implementation of appropriate technical and organizational measures to protect data. Robust, multi-layered security is a positive step towards protecting data and the regulations do offer some potential benefits for encryption.

Cloud Security Issues

So, what does good security look like? Let’s have a look at some of the most common issues.

Some security vulnerabilities are actually easily avoidable, or at the very least reduced with good security practices. Firstly, it comes down to taking some responsibility, and clearly defining responsibilities for security management. Businesses can also fall foul of assuming the security measures are in place as standard, when some services such as DDoS mitigation are an additional extra, leaving the business susceptible to brute force attacks.

Leaving admin ports open to the outside world is another issue: SSH and RDP ports are commonly left open and are therefore susceptible to brute force attacks. This is the simplest way of getting access to anything that is password protected. Essentially, in a brute force attack the hacker will repeatedly try various combinations of usernames and passwords until one combination works.
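One way to check for the open admin ports described above, as an added example that is not part of the original post or Secura's tooling: the script reviews a constructed list of firewall rules and reports SSH and RDP ports that an allow rule opens to the whole internet. The rule format, the rule names and the /8 "public" threshold are assumptions made for illustration, and rule ordering (a deny evaluated before an allow) is not modelled.

```python
import ipaddress

# Admin services named in the text: SSH (22) and RDP (3389).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample rules in a generic shape (not any provider's real export format).
SAMPLE_RULES = [
    {"name": "web-https", "action": "allow", "source": "0.0.0.0/0", "ports": "443"},
    {"name": "ssh-anywhere", "action": "allow", "source": "0.0.0.0/0", "ports": "22"},
    {"name": "ssh-office", "action": "allow", "source": "203.0.113.0/24", "ports": "22"},
    {"name": "wide-range-v6", "action": "allow", "source": "::/0", "ports": "3000-4000"},
    {"name": "rdp-denied", "action": "deny", "source": "0.0.0.0/0", "ports": "3389"},
    {"name": "half-internet", "action": "allow", "source": "0.0.0.0/1", "ports": "22,3389"},
]

def parse_ports(spec):
    """Turn '22', '3000-4000' or '22,3389' into a list of (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def is_public(source, max_prefix=8):
    """Treat a source as 'the outside world' if it is a very large block.

    max_prefix is an assumption: a prefix of /8 or shorter counts as public.
    """
    net = ipaddress.ip_network(source, strict=False)
    return net.prefixlen <= max_prefix

def exposed_admin_ports(rules):
    """Return (rule name, service, port) for each admin port opened publicly."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or not is_public(rule["source"]):
            continue
        for low, high in parse_ports(rule["ports"]):
            # A wide range can expose an admin port without naming it.
            for port, service in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings.append((rule["name"], service, port))
    return findings

if __name__ == "__main__":
    for name, service, port in exposed_admin_ports(SAMPLE_RULES):
        print(f"{name}: {service} (port {port}) is reachable from the internet")
```

The `wide-range-v6` rule shows the case that is easiest to miss in a manual review: a port range that never mentions RDP but still includes 3389.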

Another common mistake in the deployment of resources to counteract cybercrime is forgetting to keep them up to date! Failing to review them regularly for the latest updates, improvements and security patches leaves systems vulnerable. This applies to servers, virtualisation software, networking, storage and more.

Of course, we also can’t dismiss the fact that we ourselves can circumvent any security technology or process. Not knowing or following procedure, misconfiguration due to lack of knowledge, wilful mistakes and sabotage: these are all issues we need to consider.

Good Cloud Security

So, what does good cloud security actually look like? Well, kind of like an onion. Firstly, it needs to be layered and deep. Good cloud security should be layered with defence in depth, covering a range of vulnerabilities. It should also move beyond the digital to include physical security and needs monitoring, reporting, regular reviews and updates.

The layers themselves may be any of the following…

  • Physical security i.e. data centre infrastructure
  • Vulnerability management, patching and reviews
  • Standard Firewall and Web Application Firewall (WAF)
      • Standard (layer 3/4 firewalls) reduce attack surface
      • WAF (Layer 7 firewalls) inspect the traffic for exploits
  • MFA (multi-factor authentication) for admin users
  • Lock down admin access
  • Enforce secure protocols e.g. TLS 1.2
  • DDoS mitigation
  • IDS
  • Encryption at rest
  • Log management

Protecting Business Data in the Cloud – Practical Steps

So what things should we be including in a good layered security policy?

  • Step 1 – Designate

A team or team member who is responsible for security matters and reporting. This will avoid confusion over who is in charge of security and ensure someone is focused on its complexities at all times. This can include round the clock vulnerability testing and patching, implementing best security practices and maintaining up to date security software.

  • Step 2 – Communication

Start a dialogue with your provider about the solution they provide to cover each layer. You should understand your network and what you need to properly protect it. As this guide has highlighted, the threat landscape is dense, but so are the many resources and solutions available to counteract security threats. Identify what security threats you think your network may be susceptible to, and work through these with your cloud hosting provider.

  • Step 3 – Introduce

Cloud computing may present threats to your network that didn’t exist previously. Consider introducing a vulnerability assessment. It is essential that any potential areas of exploitation are highlighted and remediated before a hacker can use them for malicious activities. Information from vulnerability assessments can offer feedback on current network security and inform decisions on security solutions that may need implementing.

  • Step 4 – Put in Place

Make sure backup and disaster recovery are in place in case there is ever a breach. Keep in mind, this could also occur through a natural disaster; not all threats are from cybercriminals. A good cloud DR strategy will ensure all files are stored and maintained and provide you with a complete recovery of data in the event of a network catastrophe.

  • Step 5 – Compliance

You should also know your compliance requirements for holding personally identifiable information (PII) to ensure any information possibly used to identify somebody, sensitive or non-sensitive, isn’t disclosed.

We hope this guide has been useful and you’ve learned how to protect your business data in the cloud. If you have any questions, feel free to get in touch.

Matthew Reeve

Content Executive

Matthew is Secura's content specialist, producing gripping, emotionally complex, edge of your seat, cloud hosting articles and videos.
