Keeping Your Data Secure in the Cloud

Keeping Your Data Secure in the Cloud

Placing your data in the cloud without any safeguards is like leaving your car unattended with the door unlocked, and keys in the ignition.  It’s not going to stay safe for long!  Many of these safeguards should also be taken if your data is not hosted in the cloud in the first place, but becomes more important when you move data into the cloud due to the multi-tenanted & sometimes public-ally accessible nature of the cloud.

No one layer of security will provide you all the protection you need, and you should use a number of safeguards to ensure your data is safe and secure.

What should I look for in my Cloud Provider?
I’ve covered this in more detail in article I wrote 2 weeks ago: Guide to Choosing the Right Cloud Provider

Established Company:
Find out how long they’ve been in business, and make sure they’ll be around to continue serving your data!

Data Jurisdiction/Location of your Data/Physical Security:
Find out where your data is actually being stored, and ensure it’s safe and secure (secure facility, proper access controls, etc). The actual jurisdiction of your data is quite important, and also the parent companies head office (i.e. if the parent company of the cloud company is based in the USA, they could still be covered under US law even if the data is not actually on US soil).

What should be doing myself to ensure my data is safe in the Cloud?

There a huge number of layers of protection/steps you can take to do this – I’ll list a few important ones here!

External Firewall:
Use a firewall external to your cloud instance, and block all ports except for the ones that need access. Further restrict these ports to source/destination ports if possible. An external firewall is more secure than a firewall running on the VM, so should be used if you have the choice.

Network Isolation:
If you are running multiple servers, and not all of them require direct internet access – you should only allow those that actually need internet access to be provided with it. The remainder of your cloud servers could be connected to each by one or more private networks. This restricts hosts from the wild west of the public internet to only servers within the private network they are running on.

Isolation of Services :
Separate different services onto their own servers, i.e. web servers, database servers, mail servers, etc – should all have their own servers. This reduces impact if any single service is vulnerable, it will only impact that service and not other services.

Use Secure Passwords!
We’ve seen servers hacked within minutes if placed on the internet without a secure password! If your password is short and easy, the it’s likely also easy to be hacked as well. Use a password with at least 8 characters, using a combination of numbers, special characters, and capitals. Also, don’t share your password over insecure means such as email, instant messaging, or other insecure means.

Brute Force Detection:
Brute force detection is the process of detecting multiple login failures, and locking that user from trying further attempts. This can be quite useful in blocking hacking attempt. Use brute force protection on both your application as well as your cloud server, and the services that run on it. We use CSF quite a bit, and has good brute force detection and blocking.

Non-Default Ports:
Where possible, use non-default ports. For example if you have a public facing SSH port, change it from something different than the default port 22. This can help protect against automated bots using brute force, or looking for vulnerabilities. Some may argue that this is just “security through obscurity”, and is not really security – however this definitely does add an additional layer of security, and it’s easy to setup!

Backups/DR Plan:
Always make sure have your own backups, and your cloud provider is also taking backups for you (or pay the small fee extra to add it to your service). Failures do and will happen, data can and will get corrupted from time to time – so backups are the lifeline to your business in an event of such a failure.

Regular Software, Application, and OS Updates:
Every month there are a huge number of vulnerabilities found across a wide range of software, web based applications, and operating systems. Make sure you have a regularly scheduled (and out of schedule update procedure for critical vulnerabilities) update cycle for software to ensure when these vulnerabilities are patched you get those installed.

Filesystem Encryption:
This can be done easily with or without the help of your cloud hosting provider, and adds an extra layer of security.

Application Firewall:
Web applications are having vulnerabilities found at an alarming rate, and the number of custom web applications that have unknown security venerabilities is huge. An extra line of defense against web application based attacks is using a web application firewall, such as mod_security. This can be used to block against a number of attacks, and protect you long enough to patch your web application.

Key Based Access:
Using key based access ensures you don’t have the issue of weak passwords, and is a much more secure way of accessing your servers than a username and password.

Your data in the cloud is only as secure as you make it!

I’ve only touched the tip of the iceberg here, there are many, many security safeguards you can take to ensure your data is safe in the cloud.

Any other recommendations?