Not sure what security features your cloud provider should have? Here’s your guide.
By Vineet Jain
The Merriam-Webster Dictionary defines “common sense” as “sound and prudent judgment based on a simple perception of the situation or facts.” Cloud security is common sense. Yet many adopters make assumptions about cloud service provider (CSP) security that are anything but sound or prudent. One common assumption, for example, is that a CSP will automatically take care of everything related to security, including monitoring breaches and disaster recovery. Another is that hackers aren’t interested in stealing data from SMBs.
The facts belie these assumptions. Hackers steal the most data from within servers and look for easy targets, according to the 2011 Data Breach Investigations Report, a study by the Verizon RISK Team with cooperation from the U.S. Secret Service and the Dutch High Tech Crime Unit. The report also found that 96 percent of breaches in 2010 could have been prevented by simple or intermediate controls. Hackers target SMBs precisely because their internal servers or CSPs lack such controls.
Nevertheless, IT solution providers can find an affordable CSP with a multidimensional and comprehensive approach to data security and retention. Seek out a CSP that has at least the following built-in protections listed on its website:
Authentication: Look for flexible authentication policies that delegate authentication to external directory services. The server should authenticate each username, password, and company-specific domain. Passwords ought to be encrypted on the wire (during transmission) as well as at rest (when backed up).
Encryption: SSL encryption is commonly used for access to cloud content. To ensure data is fully protected, however, it should also be encrypted at rest. Every access request ought to be accompanied by tamper-proof user identity credentials, even for offline sessions.
Change management: All events that make changes to the files and folders in the domain should be monitored. You should be able to configure automatic email notification for audited events in secure folders.
Proactive network security: The CSP should monitor network activity, retain all log files, and analyze them in real time. All unsuccessful login attempts should be detected and logged for monitoring by the administrator.
Good physical security: Locked and guarded co-location facilities with strong physical access controls and video surveillance ought to be guaranteed, as well as high-end firewalls and routers.
In addition to providing underlying security technology, the CSP should offer the high level of granularity needed for your own monitoring efforts. You should be able to provide read/write/delete access to users and groups for files and folders. Your CSP ought to give you the ability to see every new client that joins an account, as well as how often clients use and change their passwords, password strength, who is connecting and when, and peaks in download activity. That way, you can gather the information you need to derive regular usage patterns—and find exceptions to those patterns that might indicate breaches.
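One way to turn that account activity into a baseline and a list of exceptions is shown below in Python. This is an added example, not part of the original article or any CSP's own tooling; the event tuple layout, the thresholds, and the user and client names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed audit events: (day, user, client_id, event, megabytes).
EVENTS = [
    (1, "alice", "laptop-1", "download", 40), (1, "bob", "desk-7", "download", 15),
    (2, "alice", "laptop-1", "download", 55), (2, "bob", "desk-7", "download", 20),
    (3, "alice", "laptop-1", "download", 45), (3, "bob", "desk-7", "download", 10),
    (4, "alice", "laptop-1", "download", 50), (4, "bob", "desk-7", "download", 900),
    (4, "bob", "phone-x", "login_ok", 0),
] + [(4, "alice", "laptop-1", "login_fail", 0)] * 6

def find_exceptions(events, today, fail_limit=5, k=5.0):
    """Baseline = all days before `today`; return sorted (kind, user, detail) findings."""
    daily_mb = defaultdict(lambda: defaultdict(float))   # user -> day -> MB downloaded
    known = defaultdict(set)                             # user -> clients seen in baseline
    fails, today_clients = defaultdict(int), defaultdict(set)
    for day, user, client, event, mb in events:
        if event == "download":
            daily_mb[user][day] += mb
        if day < today:
            known[user].add(client)
        elif day == today:
            today_clients[user].add(client)
            fails[user] += event == "login_fail"
    findings = []
    for user, n in fails.items():                        # repeated unsuccessful logins
        if n >= fail_limit:
            findings.append(("failed_logins", user, n))
    for user, clients in today_clients.items():          # client never seen for this user
        for client in sorted(clients - known[user]):
            findings.append(("new_client", user, client))
    for user, per_day in daily_mb.items():               # peak against the user's own norm
        base = [mb for d, mb in per_day.items() if d < today]
        if len(base) < 3 or today not in per_day:
            continue                                     # too little history to judge a peak
        med = median(base)
        mad = median(abs(x - med) for x in base) or 1.0  # avoid a zero-width band
        if per_day[today] > med + k * mad:
            findings.append(("download_peak", user, per_day[today]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_exceptions(EVENTS, today=4):
        print(finding)
```

The median and median absolute deviation are used for the download baseline so that a single earlier spike does not widen the band and hide the next one.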
Remember that despite your best efforts, breaches and intrusions may happen. Solid security should not be just a feature of a CSP, but a fundamental requirement. Your CSP should also give you the ability to administer your own detection plan. Only then will you have a complete prevention system. It’s just common sense.
VINEET JAIN is co-founder and CEO of Egnyte, a provider of hybrid cloud file server solutions in Mountain View, Calif. Prior to Egnyte, Jain founded and successfully built Valdero, a supply chain software solution company.