Security is one of the most prominent things that cloud engineers need to take care of. Organizations move their applications and data to the cloud to reap the benefits of productivity against significant concerns about compliance and security. Security in the cloud is not the same as security in the corporate data center. Different rules and thinking apply when securing an infrastructure over which one has no real physical control.
When leveraging cloud services, enterprises need to evaluate several key factors, including:
Many security professionals are highly skeptical about how secure cloud-based services and infrastructure are. In this post, we will discuss some best practices and guidelines that can be used to securely your cloud environment.
End-to-end Encryption of data in transition
All interaction with servers should happen over SSL transmission (TLS 1.2) to ensure the highest level of security. The SSL should terminate only within the cloud service provider network.
Encryption for data at rest
Encryption of sensitive data should be enabled at rest, not only when data is transmitted over a network. This is the only way you can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling sensitive data. Data stored in disks in cloud storage should be encrypted using AES-256, and the encryption keys should themselves should be encrypted with a regularly rotated set of master keys. Ideally, your cloud service provider should also provide field-level encryption. Customers should be able to specify the fields they want to encrypt (e.g., credit card number, SSN, CPF, etc.).
Rigorous and Continuous Vulnerability testing
The cloud service provider should employ industry-leading vulnerability and incident response tools. For example, solutions from these incident response tools enable fully automated security assessments that can test for system weaknesses and dramatically shorten the time between critical security audits from yearly or quarterly, to monthly, weekly, or even daily. You can decide how often a vulnerability assessment is required, varying from device to device and from network to network. Scans can be scheduled or performed on demand.
Defined enforced data deletion policy
After a customer’s data retention period (as specified in a customer contract) has ended, that customer’s data should be programmatically deleted.
Protective layers for user-level data security
The cloud service should provide role-based access control (RBAC) features to allow customers to set user-specific access and editing permissions for their data. This system should allow for fine-grained, access control-based, enforced segregation of duties within an organization to maintain compliance with internal and external data security standards.
Rigorous compliance certification
The two most important certifications are:
Hope this helps. Stay tuned to RightCloud Blog for more such information.