Friday, January 31, 2014

Cloud Data and Six Security Issues


Analysts recommend that enterprises should first develop a data security plan that addresses six security issues. Failure to do so, they say, could add cost and complexity to the adoption of cloud computing without addressing the fundamental issues of data privacy and long-term security and resiliency.

1. Breach notification and data residency

Not all data requires equal protection, so businesses should categorize data intended for cloud storage and identify any compliance requirements relating to data breach notification, or any restrictions on storing the data in other jurisdictions.

2. Data management at rest

Businesses should ask specific questions to determine the cloud service provider’s (CSP's) data storage life cycle and security policy. Businesses should find out if:

2.1 Multitenant storage is being used and, if it is, what separation mechanism is used between tenants.

2.2 Mechanisms such as tagging are used to prevent data from being replicated to specific countries or regions.

2.3 Storage used for archive and backup is encrypted, and whether the key management strategy includes a strong identity and access management policy to restrict access within certain jurisdictions.

3. Data protection in motion

As a minimum requirement, Gartner recommends that businesses ensure the CSP supports secure communication protocols such as SSL/TLS for browser access, or VPN-based connections for system access, so that access to their services is protected.

The research note says that businesses should always encrypt sensitive data in motion to the cloud, but if data is unencrypted while in use or in storage, it will be incumbent on the enterprise to mitigate the risk of data breaches.

4. Encryption key management

Enterprises should always aim to manage the encryption keys themselves, but if the keys are managed by a cloud encryption provider, Gartner says they must ensure access management controls are in place that will satisfy breach notification and data residency requirements.

If keys are managed by the CSP, then businesses should require hardware-based key management systems within a tightly defined and managed set of key management processes.

When keys are managed or available in the cloud, Gartner says it is imperative that the vendor provides tight control and monitoring of potential snapshots of live workloads, to prevent the risk of someone analysing the memory contents to obtain the key.
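As an added illustration of section 4, written for this page and not taken from the post or from Gartner: envelope encryption in Go. Each object gets its own data key, that data key is wrapped under a key-encryption key (KEK) that stays with the enterprise, and only the wrapped key and the ciphertext go to the provider. Key material is zeroed as soon as it has been used, which is the memory-snapshot concern above. The KEK values, object ID and record are constructed for the demo; the object ID is used as associated data (an assumption about design, not something the post specifies).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what goes to the cloud provider; the KEK that unwraps it never does.
type Envelope struct {
	WrappedDataKey []byte // AES-GCM(KEK, dataKey), nonce prepended
	Ciphertext     []byte // AES-GCM(dataKey, plaintext), nonce prepended
}

// gcmSeal encrypts with AES-256-GCM, binds aad, and prepends the random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; a wrong key, wrong aad or modified blob is rejected.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// zero overwrites key material once it is no longer needed, shortening the
// window in which a snapshot of the running workload's memory would capture it.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// Seal: fresh data key per object, payload encrypted under it, data key wrapped
// under the enterprise KEK. objectID as associated data ties the wrapped key to
// this object so it cannot be re-attached to another one.
func Seal(kek, plaintext []byte, objectID string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	defer zero(dataKey)
	ct, err := gcmSeal(dataKey, plaintext, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := gcmSeal(kek, dataKey, []byte(objectID))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Open unwraps the data key with the KEK, then decrypts the payload.
func Open(kek []byte, env Envelope, objectID string) ([]byte, error) {
	dataKey, err := gcmOpen(kek, env.WrappedDataKey, []byte(objectID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer zero(dataKey)
	return gcmOpen(dataKey, env.Ciphertext, []byte(objectID))
}

// RoundTrip seals a constructed record, checks the right KEK recovers it and
// that a different KEK (one a provider might hold instead) is rejected.
func RoundTrip() (recovered, wrongKEKRejected bool) {
	kek := []byte("constructed-demo-kek-32-bytes!!!") // 32 bytes, demo value only
	msg := []byte("constructed customer record")
	env, err := Seal(kek, msg, "object-001")
	if err != nil {
		return false, false
	}
	pt, err := Open(kek, env, "object-001")
	_, err2 := Open([]byte("a-different-kek-of-32-bytes-xxxx"), env, "object-001")
	return err == nil && string(pt) == string(msg), err2 != nil
}

func main() {
	r, w := RoundTrip()
	fmt.Println("recovered:", r, "wrong KEK rejected:", w)
}
```

In a real deployment the KEK would live in the enterprise's hardware key management system and the wrap/unwrap calls would go to it, so the KEK bytes are never present in the cloud workload at all; here the whole flow runs in one process only so that it can be read end to end.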

5. Access controls

The enterprise should demand that the encryption provider offer adequate user access and administrative controls, stronger authentication alternatives such as two-factor authentication, management of access permissions, and separation of administrative duties such as security, network and maintenance. Businesses should also require:

5.1 Logging of all user and administrator access to cloud resources, with these logs provided to the enterprise in a format suitable for log management or security information and event management (SIEM) systems.

5.2 The CSP to restrict access to sensitive system management tools that might "snapshot" a live workload, perform data migration, or back up and recover data.

5.3 That images captured by migration or snapshotting tools are treated with the same security as other sensitive enterprise data.
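An added example for 5.1 and 5.2, not part of the post: a small Go reviewer that reads provider access logs in an assumed, normalised JSON shape (the field names and action names such as snapshot.create are assumptions, since each provider has its own schema) and raises a finding whenever a snapshot, migration, backup or restore operation is performed by a principal outside an allow-list, or without two-factor authentication. The log lines are constructed for the demo.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AccessEvent is an assumed, normalised shape for CSP access logs; a real
// provider's export would be mapped onto it before review.
type AccessEvent struct {
	Time      string `json:"time"`
	Principal string `json:"principal"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	MFA       bool   `json:"mfa"`
}

// Finding is one alert to forward to log management or a SIEM.
type Finding struct {
	Event  AccessEvent
	Reason string
}

// sensitiveActions are the management operations that can expose a whole
// workload: snapshotting, migration, backup and restore (names are assumed).
var sensitiveActions = map[string]bool{
	"snapshot.create":  true,
	"workload.migrate": true,
	"backup.create":    true,
	"backup.restore":   true,
}

// Review parses newline-delimited JSON and flags every sensitive action by a
// principal outside the allow-list, and every sensitive action done without MFA.
func Review(logLines string, allowed map[string]bool) ([]Finding, error) {
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(logLines), "\n") {
		var ev AccessEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("unparseable log line %q: %w", line, err)
		}
		if !sensitiveActions[ev.Action] {
			continue
		}
		if !allowed[ev.Principal] {
			findings = append(findings, Finding{ev, "sensitive action by principal outside the allow-list"})
		}
		if !ev.MFA {
			findings = append(findings, Finding{ev, "sensitive action performed without MFA"})
		}
	}
	return findings, nil
}

// SampleLog is constructed sample data, not output from any real provider.
const SampleLog = `
{"time":"2014-01-31T10:00:00Z","principal":"alice@corp.example","action":"object.get","resource":"bucket/report.csv","mfa":true}
{"time":"2014-01-31T10:05:00Z","principal":"ops-admin@corp.example","action":"snapshot.create","resource":"vm-db-01","mfa":true}
{"time":"2014-01-31T10:07:00Z","principal":"contractor@partner.example","action":"snapshot.create","resource":"vm-db-01","mfa":false}
{"time":"2014-01-31T10:09:00Z","principal":"ops-admin@corp.example","action":"backup.restore","resource":"vm-db-01","mfa":false}
`

// RunSample reviews SampleLog with ops-admin as the only principal allowed to
// use snapshot and backup tooling.
func RunSample() ([]Finding, error) {
	return Review(SampleLog, map[string]bool{"ops-admin@corp.example": true})
}

func main() {
	findings, err := RunSample()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s on %s: %s\n", f.Event.Time, f.Event.Principal, f.Event.Action, f.Event.Resource, f.Reason)
	}
}
```

On the sample, the ordinary object read is ignored, the admin's MFA-backed snapshot passes, the contractor's snapshot produces two findings (outside the allow-list, and no MFA), and the admin's restore without MFA produces one. The same allow-list doubles as a written record of who is permitted to use the tools in 5.2.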

6. Long-term resiliency of the encryption system

Gartner recommends that businesses understand the impact of encryption on applications and on database indexing, searching and sorting. They should pay specific attention to advanced searching capabilities, such as substring matching functions and wildcarding (for example "contains" or "ends with").
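An added example of the search impact described in section 6, written for this page and not from the post: a keyed blind index in Go (HMAC-SHA256 over a normalised value) stored beside the ciphertext of a field. The database can answer an exact "equals" query by comparing tokens, but an "ends with" query against the same column returns nothing, because the suffix structure of the plaintext does not survive the transformation. The index key and the email addresses are constructed; the AES ciphertext that would sit next to each token is left out to keep the focus on the query behaviour.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// blindIndexKey is a constructed demo secret; in practice it is enterprise-held
// key material, never stored next to the data it indexes.
var blindIndexKey = []byte("constructed-blind-index-key")

// BlindIndex derives a deterministic keyed token for a value. Equal inputs give
// equal tokens, so the database can answer "equals" by comparing opaque strings,
// but nothing about prefixes, suffixes or substrings survives.
func BlindIndex(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(value)))) // normalise first
	return hex.EncodeToString(mac.Sum(nil))
}

// Record is what the cloud database holds for the email column: the row id and
// the token (the ciphertext of the email would be stored beside it; omitted here).
type Record struct {
	ID       int
	EmailTok string
}

// Constructed sample values; the enterprise sees these in plaintext, the cloud does not.
var sampleEmails = []struct {
	ID    int
	Email string
}{
	{1, "alice@corp.example"},
	{2, "bob@corp.example"},
	{3, "carol@partner.example"},
}

// BuildRecords tokenises the sample emails as they would be on upload.
func BuildRecords(key []byte) []Record {
	out := make([]Record, 0, len(sampleEmails))
	for _, s := range sampleEmails {
		out = append(out, Record{s.ID, BlindIndex(key, s.Email)})
	}
	return out
}

// ExactMatch is the one query the token column supports: the application
// tokenises the search value and the database compares tokens.
func ExactMatch(key []byte, rows []Record, email string) []int {
	want := BlindIndex(key, email)
	var ids []int
	for _, r := range rows {
		if r.EmailTok == want {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// EndsWithOnTokens runs an "ends with" query against the token column, the way
// a database would; it finds nothing because the suffix structure is gone.
func EndsWithOnTokens(rows []Record, suffix string) []int {
	var ids []int
	for _, r := range rows {
		if strings.HasSuffix(r.EmailTok, suffix) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// EndsWithOnPlaintext is the same query on the plaintext, for comparison.
func EndsWithOnPlaintext(suffix string) []int {
	var ids []int
	for _, s := range sampleEmails {
		if strings.HasSuffix(s.Email, suffix) {
			ids = append(ids, s.ID)
		}
	}
	return ids
}

func main() {
	rows := BuildRecords(blindIndexKey)
	fmt.Println("equals Alice@corp.example           ->", ExactMatch(blindIndexKey, rows, "Alice@corp.example"))
	fmt.Println("ends with @corp.example (plaintext) ->", EndsWithOnPlaintext("@corp.example"))
	fmt.Println("ends with @corp.example (tokens)    ->", EndsWithOnTokens(rows, "@corp.example"))
}
```

This is the trade-off the section asks businesses to evaluate before committing: any application feature that relies on "contains", "ends with" or range sorting over an encrypted column has to be redesigned (for example, by indexing a separate, less sensitive attribute such as the domain) rather than expected to keep working.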

Monday, January 20, 2014

How to Check If Your Accounts Have Been Hacked


Every few weeks brings another report of email and other personal account information being stolen from a major corporation. Last month a massive viral botnet was discovered stealing the info of over 2 million accounts from Facebook, Google and Yahoo. And the month before that, the details of a whopping 152 million accounts were stolen from Adobe. This may leave you wondering if one of your many accounts across the internet has been exposed, but how do you tell?

There are a slew of sites out there that consolidate the publicly available details from all the major hacks and let you search to see if your email is among them. Some are more useful than others, and some may simply be fronts for email harvesting services, so you need to be careful which you use. One such site, www.haveibeenpwned.com, tells you whether your information has been stolen, where the hack occurred and which of your personal details were compromised (e.g., user name, password, password hints, etc.).

So what do you do when you find one of your accounts has been compromised? It’s time to create a new password, and I don’t mean your birthday, pet’s name or the word “password.” You need your password to be smart, but not so complex that you forget it.

Try for at least 8 characters (the longer the better), with a mixture of upper- and lower-case letters, numbers and, if the site or service allows, special characters such as “!,” “#” and “?.” It should be something you can remember easily. A long sentence works well when you take the first letter of each word and then substitute numbers or symbols for the vowels.

For example: The quick brown fox jumped inside the orange box and slept = Tqbfj1t0b&s
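The sentence-to-password rule above, as an added Go example that is not from the post: the first letter of each word is kept with its case, lowercase vowels are replaced (i to 1, o to 0 and a to & as in the example; e to 3 and u to | are assumptions added here so every vowel has a replacement), and the result is then checked against the length and character-mix guidance. Running it on the post's own sentence reproduces Tqbfj1t0b&s.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// substitutions follow the post's example (i -> 1, o -> 0, a -> &); e -> 3 and
// u -> | are assumptions added here so every lowercase vowel has a replacement.
var substitutions = map[rune]string{'a': "&", 'e': "3", 'i': "1", 'o': "0", 'u': "|"}

// Mnemonic takes the first letter of each word, keeping its case, and replaces
// lowercase vowels with the substitutions above.
func Mnemonic(sentence string) string {
	var b strings.Builder
	for _, word := range strings.Fields(sentence) { // Fields never yields an empty word
		first := []rune(word)[0]
		if sub, ok := substitutions[first]; ok {
			b.WriteString(sub)
		} else {
			b.WriteRune(first)
		}
	}
	return b.String()
}

// MeetsGuidelines checks the post's criteria: at least 8 characters with upper-
// and lowercase letters, a digit and a special character.
func MeetsGuidelines(pw string) bool {
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return len([]rune(pw)) >= 8 && upper && lower && digit && special
}

func main() {
	pw := Mnemonic("The quick brown fox jumped inside the orange box and slept")
	fmt.Println(pw, MeetsGuidelines(pw))
}
```

A sentence short on vowels or capital letters can fail the check even when it is long, which is exactly when you want to know before committing the password to memory; pick a different sentence rather than bolting a symbol on the end.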

We also recommend creating a different password for every site and using a password manager program to keep track of them all. There are both browser password managers and app-based services.

And remember that when it comes to setting up new passwords, it’s smart to lie when filling out password security questions. Most of the questions have answers that can be easily discovered by basic Google searches about you.

You can never be too careful with your privacy on the Internet. For further steps you can take, check out our 11 Simple Ways To Protect Your Privacy.