{"id":12753,"date":"2020-12-16T15:56:18","date_gmt":"2020-12-16T14:56:18","guid":{"rendered":"https:\/\/www.codemotion.com\/magazine\/?p=12753"},"modified":"2022-01-05T20:03:27","modified_gmt":"2022-01-05T19:03:27","slug":"cloud-security-mistakes","status":"publish","type":"post","link":"https:\/\/www.codemotion.com\/magazine\/devops\/cloud\/cloud-security-mistakes\/","title":{"rendered":"5 Cloud Security Mistakes that Businesses Should Avoid"},"content":{"rendered":"\n\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\tTable Of Contents\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
  1. Cloud security mistake #1: Not patching your servers<\/a>
  2. Cloud security mistake #2: Not addressing zombie server risks<\/a>
  3. Cloud security mistake #3: Not controlling your access<\/a>
  4. Cloud security mistake #4: Not creating standards for your encryption<\/a>
  5. Cloud security mistake #5: Not deleting your data<\/a>
  6. Key takeaways<\/a><\/ol>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\n\n\n

    Cloud service providers allow businesses to effortlessly host their data<\/span>, without the need for technical hardware<\/span> and with the promise of reducing costs. Sounds like a dream. But, cloud hosting also has the potential for cloud security<\/span> mistakes<\/strong>. These mistakes can then lead to cloud data<\/span> breaches. In fact, research<\/a> showed that almost 80% of companies had experienced a cloud data<\/span> breach since January 2019.<\/p>\n\n\n\n

    With the cloud services industry rapidly expanding to almost $200 billion<\/a>, cloud security<\/span> data<\/span> breaches are also rapidly increasing. Research<\/a> shows that in 2019 there was a 54% increase in the number of breaches from the previous year. This is why understanding and implementing cloud security<\/span> is crucial<\/strong> for any successful business.<\/p>\n\n\n\n

    \"amazon<\/figure><\/div>\n\n\n\n

    In this article, we have collected the five most common cloud security<\/span> mistakes<\/strong> that businesses make and that you should avoid.  <\/p>\n\n\n\n

    Cloud security mistake #1: Not patching your servers<\/h2>\n\n\n\n

    One of the biggest cloud security<\/span> mistakes a business can make is not being on top of their server<\/span> patching<\/span> management<\/strong>. Not only is this mistake especially detrimental, but it is also very common. A survey, that conducted research<\/span> about company cloud environments, showed that 50%<\/a> of the respondents were running a minimum of one outdated server<\/span>.  <\/p>\n\n\n\n

    The mistake businesses make is that they confuse general security<\/span> updates<\/span> with a company specific and effective patch<\/span> process<\/span>. Although cloud providers<\/span> are responsible for providing businesses with some data protection<\/a>, cloud patching<\/span>, and application security should be maintained and regulated by the company.<\/p>\n\n\n\n

    Consider this scenario. You\u2019re a company that provides channel routing<\/a> software and you store a lot of sensitive customer information on the cloud<\/span>. But, your cloud infrastructure<\/span> doesn\u2019t carry out patch<\/span> management. This means that you are prone to a significantly larger percentage of attacks<\/span>. In fact, data<\/a> shows that 60% of breaches in 2019 were related to unpatched systems or servers<\/span>.<\/p>\n\n\n\n

    With remote working<\/a> becoming ever more popular, employees<\/span> are now constantly using unsecured public networks. So, to reduce the risk of attacks<\/span><\/strong> and ensure company security<\/span> it is vital that you carry out cloud patching. Here are a few tips you can use:<\/p>\n\n\n\n

    1. Perform scans periodically<\/strong>. Carrying out regular scans will allow you to quickly identify any potential vulnerabilities and patch them accordingly<\/li>
    2. Maintain visibility<\/strong>. A company that creates up-to-date records of all their devices and servers can easily assess potential vulnerabilities. This will also make reporting and assessment collection a faster process<\/li>
    3. Don\u2019t patch manually<\/strong>. Maintaining a server\u2019s security is complicated. They often run varied operating systems and applications. These require different patches and this procedure would be too laborious to carry out manually. This is why it is essential to automate your patching process. Not only will this save you time but it will also reduce the amount of human error<\/li><\/ol>\n\n\n\n
      \"cloud<\/figure><\/div>\n\n\n\n

      Cloud security mistake #2: Not addressing zombie server risks<\/h2>\n\n\n\n

      Zombie servers<\/span><\/strong> are servers<\/span> that are not patched, validated, checked for vulnerabilities<\/span>, or managed, but are still present on your cloud infrastructure<\/span>. Data<\/a> shows that there are more than 10 million of these servers<\/span> across the world and they use up to eight power plants worth of energy to maintain. They are a financial burden, can be difficult to spot, and most importantly, they are a cloud security<\/span> risk.<\/p>\n\n\n\n

      The main mistake businesses make is that they put off their zombie workload<\/strong> and do not act instantly to block them.  <\/p>\n\n\n\n

      Zombie resources or comatose servers<\/span> can actually prevent a company from detecting genuine cloud security<\/span> risks such as cryptojackers<\/strong>. Not only that, zombie servers<\/span> are a great indicator to potential attackers that you have weak security<\/a> practices in place. This is because if you\u2019re not detecting these servers<\/span>, it is unlikely that you will be able to spot an attack<\/span>. Attackers can also exploit the zombie servers<\/span> to breach your security<\/span>.<\/p>\n\n\n\n

      Here are the most effective techniques you can use to address your zombie server<\/span> cloud<\/a> risk:<\/p>\n\n\n\n

      1. Maintain visibility of your entire cloud infrastructure<\/strong>. This should be a continuous process that provides you with full details of all the servers on your cloud. As mentioned above, zombie servers can be difficult to identify. So, instead of using a resource list, some companies use visual diagrams that allow them to view the full cloud layout and spot resources that have no connection to the others<\/li>
      2. Label or tag any future resources<\/strong>. Creating a resource tagging protocol will allow you to keep tabs on all of your cloud resources. This makes managing useful resources and spotting comatose resources simple. But, it is vital that the labels you choose are easily understood by your employees<\/li>
      3. After identifying, destroy<\/strong>. The most important part of addressing your zombie workload is actually terminating these resources. Using the best enterprise network security products<\/a> is key as they can help in the identifying and destroying process and they ensure you determine the correct ones<\/li>
      4. Create a zombie reporting culture<\/strong>. Companies that stay on top of their zombie workload prevent the risk of being overwhelmed. This is why making zombie resource identification and termination an aspect of your general reporting and auditing process is vital to maintaining a zombie-free cloud environment<\/li><\/ol>\n\n\n\n

        Cloud security mistake #3: Not controlling your access<\/h2>\n\n\n\n

        Access control is the concept of enabling specific users<\/span> access to specific company data<\/span> and information. But more importantly, it is also the method of preventing users<\/span> access to restricted data<\/span><\/strong>. This is called access management. Efficient and secure access management requires both authentication and authorization of personnel<\/span>. Take a look at this example.<\/p>\n\n\n\n

        Let\u2019s say you\u2019re working at a coffee shop and you\u2019re analyzing private company information which you\u2019ve accessed via an initial authentication process<\/span>. The Wi-Fi is slow and the website loading time<\/a> is taking a while, so you quickly go to the toilet. If your company doesn\u2019t have a multi-factor authentication and authorization process<\/span> then your data<\/span> can be accessed by anyone whilst you\u2019re gone. A multi-factor process<\/span> can be anything from face recognition software to a key fob.<\/p>\n\n\n\n

        \"enable<\/figure><\/div>\n\n\n\n

        With remote working becoming ever more popular, this additional layer of protection is vital to ensure the necessary protection of your cloud information. Data<\/span> shows that almost 70%<\/a> of businesses don\u2019t implement sufficient access management to control access to their cloud infrastructure<\/span>.<\/p>\n\n\n\n

        Creating a good access management strategy requires you to understand the potential risks to your data<\/span> and then implement a strict access control protocol.<\/strong> There are a variety of different access control techniques, but each business needs to adopt the appropriate method depending on how sensitive their specific data<\/span> is.<\/p>\n\n\n\n

        Here are a couple of common access control models your business can take advantage of:<\/p>\n\n\n\n

        1. Role-based access control<\/strong> (RBAC<\/strong>). This method ranks or separates employees to ensure that they can only access information or data that is related to their specific role. It is also the most common model used today<\/li>
        2. Attribute-based access control<\/strong> (ABAC<\/strong>). This is a far more detailed and sophisticated method of access management. ABAC doesn\u2019t only compare the employees\u2019 roles, but every single attribute. This can include location, company position, specific time, and day of the week. This method is more appropriate for businesses that deal with highly sensitive information such as medical records<\/li><\/ol>\n\n\n\n

          Cloud security mistake #4: Not creating standards for your encryption<\/h2>\n\n\n\n

          Another crucial cloud security<\/span> error businesses often make is failing to create a high standard encryption protocol<\/strong>. Many businesses rely on their cloud providers<\/span> to encrypt their information, but data<\/a> shows that less than 10% of all cloud providers<\/span> encrypt data<\/span> at rest<\/span>.<\/p>\n\n\n\n

          \"cloud<\/figure><\/div>\n\n\n\n

          Data encryption<\/strong> is the process<\/span> of transforming information before it is stored on cloud provider<\/span> servers<\/span>. For example, let\u2019s say your company had a file<\/span> named \u201cDigital Customer Service Solutions: Choosing the Right Platform to Improve Customer Experience<\/a>\u201d which contained sensitive data<\/span>. Using encryption algorithms, this information will be encoded into an unreadable format that cannot be deciphered by attackers.<\/p>\n\n\n\n

          Without encryption, this data<\/span> has a greater chance of being breached<\/strong> by unauthorized users<\/span>. Despite the amount of potential cloud security<\/span> risk businesses can face, research<\/a> shows that less than 30% of companies actually carry out full-disk high standard encryption.<\/p>\n\n\n\n

          Cloud<\/a> encryption is especially beneficial if your company data<\/span> is constantly transferred to different locations. Information transfer places data<\/span> in a vulnerable state and opens up the possibility of unwanted surveillance or cyberattacks. But, encryption tools can provide your company with that security<\/span> across multiple devices<\/span> that prevents anyone but you from accessing or changing the data<\/span>.<\/p>\n\n\n\n

          The next hurdle is then creating a cloud encryption protocol<\/strong>. Of course, every encryption policy or protocol will differ from business to business, but here are some points you can consider:<\/p>\n\n\n\n

          1. Find out which specific data needs encrypting<\/strong>. Not every piece of information needs to be passed through the algorithm. You should assess whether the data falls under privacy acts or compliance requirements. Personal information and sensitive data to the company can also fall into this bracket<\/li>
          2. At what point should the encryption begin?<\/strong> Company data records are dynamic, they are constantly increasing and updating. Data should be encrypted when at rest in the cloud. But, as mentioned above, data that is being transferred is vulnerable and should also be encrypted<\/li>
          3. Decide who will manage the encryption keys<\/strong>. Encryption key management requires leadership<\/a> because losing the keys can put the company at a detrimental risk. Cloud services can often provide their customers, aka you, with key storage and management. But, even if you decide to hand over the management to the cloud provider it is important that you implement access control. As we\u2019ve mentioned above, this involves a multi-factor authentication and authorization process that ensures the security of your cloud information.<\/li><\/ol>\n\n\n\n

            Cloud security mistake #5: Not deleting your data<\/h2>\n\n\n\n

            Let\u2019s imagine you\u2019re a company that provides communication solutions for businesses, your customer\u2019s experience shouldn\u2019t just end with them purchasing the product. Providing reliable B2B customer service<\/a> doesn\u2019t only mean answering customer queries like \u201cWhat is omnichannel routing and how does it work<\/a>?\u201d, it also means ensuring that private customer data<\/a> is protected.<\/p>\n\n\n\n

            One of the biggest cloud security<\/span> concerns is incomplete data<\/span> deletion<\/strong>. This is especially problematic when companies change their cloud service providers or close certain accounts<\/span>. Incomplete data deletion is not only problematic for your company\u2019s data but it can also expose your customer\u2019s private information.<\/p>\n\n\n\n

            Complete data deletion is a process that should be assisted by your cloud provider. But, it\u2019s also your responsibility to ensure that the information has been removed in its entirety from the main servers, back-up servers, monitoring services, etc.<\/p>\n\n\n\n

            Here are a couple of steps you can take to ensure complete cloud data deletion:<\/p>\n\n\n\n

            1. Remove information until it’s irrecoverable and inaccessible<\/strong>. This involves deleting information from every location and even temporary access points such as RAM and back-ups. This process should be carried out until neither the provider nor the customer can access the information<\/li>
            2. Agree on deletion policies with your cloud provider<\/strong>. As a customer yourself, you need assurance from your provider that they will delete data within a given time period that you have predetermined and they should also provide you with proof of deletion. In the event of an error, your provider should carry out error handling to ensure that the mistake has been resolved<\/li><\/ol>\n\n\n\n

              Cloud security is a vital part of modern business. It allows you to protect your company from any external or internal security threats and attacks. Without proper cloud security, you run the risk of losing control of valuable data and information and you increase the probability of a security breach. Data<\/a> shows that the average cloud security breach can cost a company almost $4 million. This is why minimizing your cloud security mistakes is crucial to the success<\/a> of your business.<\/p>\n\n\n\n

              Key takeaways<\/h2>\n\n\n\n

              So, let\u2019s quickly recap:<\/p>\n\n\n\n