Cloud computing has moved businesses away from traditional IT processes. This has created new ways to store, access, share, protect and manage your services and data more effectively.
Working in the Cloud allows you to subscribe to services such as infrastructure, servers, data storage, software, databases and analytics over the Internet (‘the cloud’) for a set monthly fee. This gives you greater flexibility and scalability to collaborate digitally from any location. You minimise your upfront spend and give your team the mobility to work from anywhere, easily. Cloud computing also ensures business continuity when unforeseen events arise that limit access or ability to use services at your physical office location.
The benefits are obvious, but are you aware of cloud services security risks? ‘Moving to the cloud’ does not shield you from cyber risks. This article is designed to give you an overview of the risks of cloud computing, and steps you can take to protect your team and business.
Does cloud computing increase my cyber risk?
Online computing services, unless managed properly, can increase your exposure to cyber threats in three key ways:
- increased ability to access to your business network and resources remotely
- reliance on cloud service providers to ensure their systems and interfaces are cyber safe; and
- a general misconception that data stored in the cloud is safe.
Remote access to your network and resources - what you need to be aware of
In moving away from the traditional model of a central work location that uses secured (ie, known) on-premises services and devices, you potentially introduce new security risks. These can occur via online entry points to your network, data and apps by malicious actors and BYO or unknown devices.
Detecting and protecting your resources against malicious attacks is the responsibility of your internal IT team or IT Provider.
For cloud services you subscribe to, it’s the responsibility of third-party providers to ensure their systems and client interfaces are kept cyber safe, however the degree and commitment to which this happens varies widely.
Staying cyber safe requires a thorough understanding and identification of all online entry points to your business, combined with careful, ongoing management of your internal resources and cloud subscriptions.
It's all about who you trust!
If you operate with a hybrid team of onsite and remote workers and subscribe to cloud-based services by external providers, you can no longer ‘trust’ every device or person who seeks to access your infrastructure and data.
To address the risks of cloud computing, you need to introduce strict access controls, commonly referred to as ‘zero trust’, to ensure every person and device must request permission to access your online systems and data – whether on-premises or in the cloud.
The zero-trust model operates on three levels:
- Identity trust: Requires a person to log in with their username and password.
- Device trust: Once identity trust has been established, multifactor authentication (MFA) ensures a device is known to your organisation and deemed secure before access is granted. This step stops anyone who knows your login and password, or has stolen them, from getting to your online accounts and resources. MFA also gives you the added benefit of knowing instantly if an unknown or malicious attempt is being made to access your online resources. If the request wasn’t generated by you – decline the request, and immediately change your passwords.
- Network trust: allows you to control what IP addresses can be accessed by employees across your business, wherever they work. Not only does it give you the ability to restrict or deny access to specific resources across your network, but it also enables you to mandate remote access to your network through a secured company VPN (virtual private network) with added MFA protection.
Don’t rely on third party cloud security
A general misconception across business is the belief that third party providers of cloud services, software or data storage have the responsibility, commitment and necessary security measures in place to block cyber threats.
Although third party cloud security providers such as Microsoft and Apple look to develop and optimise their products and services with the highest security measures in mind, breaches have still occurred to their systems due to the fast, intelligent, quick, evolving nature of cyberattacks.
Cyber security is not something that can be treated lightly. It’s important you always understand if and what level of security is being offered to you by a cloud services provider. It’s not solely up to the provider, you need to understand what responsibility you have in protecting your business also.
How to protect your business from cyber risks
Remaining cyber safe with cloud computing requires commitment, technical insight and depth of skills, together with layered security measures and transparent, good working relationships with third party providers. You need to:
- Implement vital security measures, such as ‘zero trust’ controls and multifactor authentication, to help detect and protect your team from cyber threats and malicious access.
- Thoroughly understand what security measures are being offered by third party cloud providers – never assume you have it covered without investigating this.
- Back up your data! Whatever work model you use, on-premises, ‘in the cloud’ or a hybrid mix of both, you must have a secure, tested and proven backup solution to save copies of your data. This is imperative for your business continuity! Whilst a provider is responsible for managing the security of their platforms and services to protect your data “at rest and in transit” their responsibility does not extend to guaranteeing your data should it get accidentally deleted or stolen.
- Microsoft is very transparent in outlining the dual responsibilities when subscribing to their cloud services. You can read more about responsibilities for Cloud Sustainability here and their Data Privacy Principles here
An IT partner you can trust who can optimise your protection and mitigate your risk
Managing your cloud infrastructure is not a case of set and forget. As is highlighted in this article there are many areas of ‘the cloud’ that need to be continually monitored and optimised to keep your business safe and running efficiently.
Whether you are a CEO, IT Manager or Office Manager, an IT Managed Service Provider such as itro can work in partnership with you to ensure your cloud environment is structured correctly and operating efficiently. By implementing the ACSC Essential Eight framework, including MFA and zero trust measures, itro takes a proactive approach to managing the risks of cloud computing and can input as much or as little as you need. Get in touch with one our experts for a complimentary chat to check your cloud strategy is protecting your business or firm and covering off all bases when it comes to cyber security.