Cybersecurity Considerations for Cloud Software
Many organizations use multiple cloud-based software providers for their various applications and functions. Having multiple cloud providers means more user permissions, unique data transfers and customized system configurations. In many cases there is no clear delineation of who is responsible for what (monitoring backups, patching the system, etc.), which can lead to data loss or insecure systems. Users of cloud providers should be aware of the more significant complexities and cybersecurity considerations for their cloud software.
User permissions, also referred to as logical security, ensure the right individuals have the right access for their role in the organization. The cloud provider and the customer should understand who grants and revokes that access.
Cloud systems complicate logical security because of the thousands of user permissions they could potentially create. Revoking user permissions for terminations and reviewing access permissions for active employees on at least an annual basis are essential to cybersecurity, as is defining who should be responsible for performing this task. Failing to act quickly when there is a termination or logical security issue exposes data to unauthorized changes or destruction.
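The two controls described above, revoking access on termination and reviewing active permissions at least annually, can be checked mechanically by reconciling a cloud application's permission export against the HR roster. The following is an added example, not code from the article; the roster, the permission export and the 365-day review interval are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): an HR roster and an export
# of the permissions currently held in one cloud application.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "termination_date": date(2024, 3, 1)},
    "carol": {"status": "active"},
}

CLOUD_PERMISSIONS = [
    {"user": "alice", "role": "finance-reader", "last_reviewed": date(2024, 1, 15)},
    {"user": "bob", "role": "admin", "last_reviewed": date(2023, 6, 1)},
    {"user": "carol", "role": "hr-editor", "last_reviewed": date(2022, 11, 30)},
    # "dave" holds a role but does not exist in the HR roster at all
    {"user": "dave", "role": "finance-editor", "last_reviewed": date(2024, 2, 1)},
]

# Assumed policy: every permission must be re-certified within this interval.
REVIEW_INTERVAL = timedelta(days=365)


def find_revocations(roster, permissions, today):
    """Permissions that should be revoked: the holder is terminated or is
    unknown to HR. For terminated users, report how long the access has
    outlived the termination date."""
    revocations = []
    for perm in permissions:
        person = roster.get(perm["user"])
        if person is None:
            reason, overdue = "not in HR roster", None
        elif person["status"] == "terminated":
            reason = "terminated"
            overdue = (today - person["termination_date"]).days
        else:
            continue
        revocations.append({"user": perm["user"], "role": perm["role"],
                            "reason": reason, "days_overdue": overdue})
    return revocations


def find_stale_reviews(permissions, today, interval=REVIEW_INTERVAL):
    """Permissions whose last certification is older than the review interval."""
    return [{"user": p["user"], "role": p["role"],
             "days_since_review": (today - p["last_reviewed"]).days}
            for p in permissions if today - p["last_reviewed"] > interval]


def access_review(roster, permissions, today):
    """Run both checks and return the combined review findings."""
    return {"revoke": find_revocations(roster, permissions, today),
            "stale": find_stale_reviews(permissions, today)}


if __name__ == "__main__":
    for category, items in access_review(HR_ROSTER, CLOUD_PERMISSIONS, date(2024, 6, 1)).items():
        print(category)
        for item in items:
            print("  ", item)
```

The report separates the urgent finding (a terminated user or an account HR does not know about still holds a role) from the periodic one (a role that has not been re-certified within the interval), so that the owner named for each task receives only the list they are responsible for acting on.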
Many companies are using a hybrid approach to data storage – private, on-premises servers and public cloud storage solutions. A company’s data systems need to be able to securely “talk” to one another to protect the transfer of information among the data centers from unauthorized access or disruption. This data transmission should always go through an encrypted channel, such as HTTPS (an “https://” endpoint) rather than plain HTTP.
Because many cloud providers have multiple locations, companies typically do not know where their data resides and thus may have little knowledge of the level of physical security surrounding the cloud-based servers. Information security teams also need protocols and controls in place so that each data transfer scenario is adequately protected and includes detective controls to alert management of any suspicious activity or control failure.
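A detective control over data transfers, as the paragraph above calls for, can be as simple as running each transfer record against a small rule set: the channel must be encrypted, the destination must be one the organization has approved, and a failed transfer must be surfaced rather than silently retried. The following is an added example, not code from the article; the log format, the destination allowlist and the host names are all constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist of destinations the organization has approved for transfers.
ALLOWED_DESTINATIONS = {"storage.example-cloud.test", "backup.example-dc.test"}

# Constructed transfer log in a simple "timestamp key=value ..." format.
TRANSFER_LOG = """\
2024-05-01T10:00:00Z src=onprem-db01 dst=https://storage.example-cloud.test/backups status=ok bytes=1048576
2024-05-01T10:05:00Z src=onprem-db01 dst=http://storage.example-cloud.test/backups status=ok bytes=2048
2024-05-01T10:10:00Z src=onprem-fs02 dst=https://unknown-host.test/drop status=ok bytes=734003200
2024-05-01T10:15:00Z src=onprem-db01 dst=https://backup.example-dc.test/nightly status=failed bytes=0
""".splitlines()


def parse_line(line):
    """Turn one log line into a dict; the first token is the timestamp."""
    timestamp, *fields = line.split()
    record = {"timestamp": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    record["bytes"] = int(record.get("bytes", "0"))
    return record


def check_transfer(record, allowed=ALLOWED_DESTINATIONS):
    """Return the names of every rule the transfer violates."""
    url = urlsplit(record["dst"])
    alerts = []
    if url.scheme != "https":            # unencrypted channel
        alerts.append("plaintext_channel")
    if url.hostname not in allowed:      # destination not approved
        alerts.append("unknown_destination")
    if record.get("status") != "ok":     # control failure: transfer did not complete
        alerts.append("transfer_failure")
    return alerts


def detect(lines, allowed=ALLOWED_DESTINATIONS):
    """Run every log line through the rules and collect alerts for management."""
    findings = []
    for line in lines:
        record = parse_line(line)
        for rule in check_transfer(record, allowed):
            findings.append({"timestamp": record["timestamp"], "rule": rule,
                             "src": record["src"], "dst": record["dst"]})
    return findings


if __name__ == "__main__":
    for finding in detect(TRANSFER_LOG):
        print(finding)
```

Each rule corresponds to one of the failures the article warns about: an unencrypted channel, a transfer to a location the organization did not sanction, and a transfer (such as a backup) that did not complete. Who owns each alert should be agreed with the provider in advance, so that an alert has a recipient.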
Cloud-based system misconfiguration is complicated to address because there are likely three parties involved with the user access that could disrupt the system – the company itself, the hosted data center where the servers reside and the third-party cloud provider. A company needs both internal controls for system configuration and an understanding of the hosted data center and third-party controls over its server and application configuration. Controls ensure that the appropriate steps are taken to secure any data that could potentially be compromised by a configuration issue and that customers are appropriately notified of a security incident, if applicable. Again, it is important to define who is responsible for reviewing the change, authorizing the change and making the change in the configuration.
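One way to make the responsibility split described above auditable is to record, for every configuration change, who reviewed it, who authorized it and who implemented it, and then check each record against a matrix that names which party owns each step. The following is an added example, not code from the article; the responsibility matrix, the three parties, the people and the change records are constructed sample data.

```python
# Constructed sample data (not from the article): which party owns each step
# of a configuration change, and which party each person works for.
RESPONSIBILITY_MATRIX = {
    "reviewed_by": "customer",
    "authorized_by": "customer",
    "implemented_by": "cloud_provider",
}

PARTY_OF = {
    "alice": "customer", "bob": "customer", "carol": "customer",
    "pat": "cloud_provider",
    "sam": "hosted_data_center",
}

CHANGE_RECORDS = [
    {"id": "CHG-1", "reviewed_by": "alice", "authorized_by": "bob", "implemented_by": "pat"},
    {"id": "CHG-2", "reviewed_by": "pat", "authorized_by": "pat", "implemented_by": "pat"},
    {"id": "CHG-3", "reviewed_by": "carol", "authorized_by": None, "implemented_by": "sam"},
]


def audit_change(record, matrix=RESPONSIBILITY_MATRIX, party_of=PARTY_OF):
    """Return a list of findings for one change record (empty means compliant)."""
    findings = []
    for step, owner_party in matrix.items():
        person = record.get(step)
        if not person:
            findings.append(f"{step}: no one recorded")
            continue
        party = party_of.get(person)
        if party is None:
            findings.append(f"{step}: {person} does not belong to any known party")
        elif party != owner_party:
            findings.append(f"{step}: performed by {party} ({person}) but assigned to {owner_party}")

    # Separation of duties: the same person must not fill two of the three roles.
    reviewer = record.get("reviewed_by")
    authorizer = record.get("authorized_by")
    implementer = record.get("implemented_by")
    if authorizer and authorizer == implementer:
        findings.append(f"separation of duties: {authorizer} both authorized and implemented")
    if reviewer and reviewer == authorizer:
        findings.append(f"separation of duties: {reviewer} both reviewed and authorized")
    return findings


def audit_changes(records):
    """Audit every record and return findings keyed by change id."""
    return {record["id"]: audit_change(record) for record in records}


if __name__ == "__main__":
    for change_id, findings in audit_changes(CHANGE_RECORDS).items():
        print(change_id, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

CHG-1 passes because each step was performed by the party assigned to it and by three different people. CHG-2 shows the failure mode the article describes: a single provider engineer reviewed, authorized and made the change, so the customer's controls never came into play. CHG-3 has no authorizer at all and was implemented by the hosted data center rather than the cloud provider, which is exactly the kind of undefined responsibility that should be caught before a configuration issue exposes data.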
Solutions on the Horizon
The trend toward using multiple cloud providers doesn’t appear to be slowing down. Any customer looking to use a cloud provider should always ask for an SSAE 18 (SOC 1 or SOC 2) Type II report, which will define the controls the cloud provider has in place and the responsibilities of the customer in using that cloud provider. The contracts with cloud providers should also clearly delineate responsibilities between the cloud provider, the hosted data center, if any, and the customer.