The cloud has a dark secret. Because it’s such a paradigm-shifting solution, even big companies have become overconfident about its power, leaving gaping holes in their security strategy.
For the engineers at your company, the cloud puts certain parts of their job on near-autopilot while at the same time cutting costs. With hours and dollars freed up, they quickly set about tackling new projects or polishing off technical debt, helping their company grow.
Migrating securely to the cloud
But as your company invests in the cloud, it may move too quickly without asking the right questions. That leaves room for major vulnerabilities. Knowing the right questions to ask ahead of time can ensure you don’t leave a critical part of your security strategy unconsidered.
The first question you’ll need to ask is who has control and responsibility over your stack. If you’re dealing with an infrastructure as service (IaaS) provider, the answer is usually you and your admins. The software as a service (SaaS) route might feel safer, because the vendor will purport to take care of security, saving you from needing your own intrusion prevention and detection systems.
But SaaS solutions aren’t a magic pill, and treating them like magic can leave you open to a major breach.
Be sure to investigate exactly which security measures your SaaS provider has in place, especially if they’re storing or transmitting mission-critical data. Your SaaS provider should be ready to furnish audit results as well as compliance with regulatory standards like PCI, SOC 2, HIPAA, SSAE16, and ISO standards.
It’s also a good idea to ask to meet with the cloud provider’s security experts; ask them to take you along for a deep-dive on their security strategy and show you exactly how your data will be protected.
Your data at home in the cloud
Authentication is the first line of defense against social engineering, keylogging, and all other hole-in-the-fence attacks. Cloud providers typically offer single-factor authentication: one username and one password per user. Forward-thinking cloud providers today are using multi-factor authentication, which often uses SMS or another channel to confirm a user’s identity in two or more ways.
Additional layers of defense include encryption and data loss prevention. Cloud-based assets should be monitored and protected wherever they exist and whatever state they’re in. Encryption is important for information at rest on your local servers, as well as in flight. Data loss prevention within a cloud environment helps ensure that sensitive data stays within its intended application.
The next phase of visibility and control involves next-generation firewalls, which are designed to look beyond IP addresses, ports, and protocols to enable strong threat detection.
Most cloud vendors claim to be secure, but in a worst-case scenario, you only learn their true failure points when disaster strikes. Asking tough questions before you migrate your data will ensure you figure out which cloud providers actually have their feet on the ground.
This article was produced on behalf of CDW by the Quartz marketing team and not by the Quartz editorial staff.