Principles of safe work in the cloud

7 March 2022

The most common cause of data leaks from the cloud is not software bugs or hackers, but administrators who forget to configure security or configure it incorrectly. Following a few rules minimizes the risk of such incidents, regardless of which platforms you use. One of the major mistakes is the assumption that only the service provider is responsible for security.

Giants such as Microsoft, Google and Amazon are obliged to guarantee the security of their own IaaS infrastructure in data centres and of the equipment on which the devices run, and they also have to keep the software up to date. It is up to the users and customers to protect their own virtual devices and the applications running on them. It does not matter what type of security the service provider uses if the user does not maintain a sufficiently high level of security themselves.

It is important that the operator providing cloud services gives customers the appropriate tools to adequately protect their own resources. Implementing and managing those tools is the responsibility of the user. Another reason for security problems is the gap between how users perceive their resources and their security, and the reality. Business users believe that there are still cybercriminals ready to attack their company’s security systems and steal their data. On the other hand, somewhere at the back of their minds is the thought that this is unlikely, because why would anyone want to attack their company? Reality shows that most Internet criminals do not plan to attack a particular company at all.

Hackers are predators that search the network for companies that are susceptible to external attacks and lack adequate protection, and they launch an attack only once they have found the user’s weaknesses. Another problem is the increasing complexity of corporate IT systems. Many large companies use multi-cloud solutions, i.e. cloud services from different vendors, which in turn makes systems less transparent and more difficult to manage.

This state of affairs creates many opportunities for configuration errors, often without the customers themselves being aware of them. About 70% of companies declare that they use multi-cloud, and analyses have shown that such solutions have been implemented by as much as 90%, i.e. about 20% of administrators have no idea what they manage, and this significantly translates into the number of errors and negligence. The situation is not helped by the considerable competition on the services market. The giants in this industry are continuously introducing new tools, functions and applications.

E for Excel

  1. Responsibility and knowledge — cloud services differ both in functionality and in who is responsible for the security of specific elements. With Software as a Service, it is the operator who takes care of the flow of data, files or applications. In the IaaS environment, the client has full control over the infrastructure, software, access control and authentication.
  2. Access control — “access policy” is one of the biggest problems faced by users of cloud services. In about 51% of organizations of various types, cloud resources were accidentally shared externally at least once. Another serious mistake is allowing SSH connections to be established over the Internet, which theoretically opens the way for unauthorized users to find and exploit errors in the cloud configuration.
  3. Data encryption — storing unencrypted data in the cloud is a serious failing on the part of administrators. Such a mistake should absolutely not take place: all major cloud providers recommend data encryption and provide the appropriate tools for it. The problem arises when customers do not use them, which is a pity, because encryption is a very effective safeguard that protects data from being read even after a leak or theft. Where possible, everything should be done to maintain full control over the encryption keys, although this is not always possible, because sometimes it is necessary to share them with, for example, partners.
  4. Protection of login data — it sometimes happens that even IT specialists do not pay due attention to a high level of security when logging in. When an “intrusion” is analysed, it turns out that the “victim” was using passwords that were too weak or left at their defaults, and this in turn opened the way for intruders to the user’s resources. For each application or resource, you should create unique and strong passwords and remember to regularly change them to new, equally strong ones. Thanks to this, there is a good chance that an unauthorized person who breaks in will take over only outdated passwords. It is also important to grant access and permissions only to users who should have them. It is good to give up the root account for everyday work, even when it comes to administrative tasks. Systematically review inactive user accounts and delete them if necessary.
  5. IT hygiene — this mainly consists in treating the securing of the cloud environment as a multi-stage process in which several security technologies are used, so that in the event of an external attack there is a good chance that the resources will not be compromised. That is why it is important that authentication is multi-step, with a login and password.
  6. Transparency — providers of the most popular cloud platforms offer tools that allow you to activate secure login and at the same time monitor any failed login attempts. In practice, many users do not activate these solutions, which is unjustified, because they are fantastic tools for identifying potential attack attempts, suspicious behavior, anomalies or errors.
  7. “Shift-left” in security — this is nothing more than planning and implementing security-related options at the earliest stage. Often, however, a solution is implemented first, and security tools are added to it only afterwards.
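
An added example, not part of the original article: a small Python audit that checks a cloud inventory for the mistakes named in points 2 to 5 above (SSH reachable from the whole Internet, publicly shared or unencrypted storage, accounts without multi-step authentication, inactive accounts, and a root account still in use). The inventory, its field names and the 90-day idle threshold are constructed assumptions, not any provider's API format.

```python
import ipaddress
from datetime import date

# Constructed sample inventory; the schema is hypothetical, not any provider's API format.
INVENTORY = {
    "firewall_rules": [
        {"name": "web", "source": "0.0.0.0/0", "from_port": 443, "to_port": 443},
        {"name": "admin-ssh", "source": "0.0.0.0/0", "from_port": 22, "to_port": 22},
        {"name": "wide-range", "source": "::/0", "from_port": 0, "to_port": 1024},
        {"name": "office-ssh", "source": "203.0.113.0/24", "from_port": 22, "to_port": 22},
    ],
    "storage": [
        {"name": "backups", "public": False, "encrypted": False},
        {"name": "reports", "public": True, "encrypted": True},
    ],
    "accounts": [
        {"name": "root", "mfa": False, "last_login": "2022-03-01"},
        {"name": "alice", "mfa": True, "last_login": "2022-02-20"},
        {"name": "old-contractor", "mfa": True, "last_login": "2021-06-10"},
    ],
}

def open_to_internet(rule, port=22):
    # True when any address (IPv4 or IPv6, prefix length 0) can reach `port`.
    net = ipaddress.ip_network(rule["source"], strict=False)
    return net.prefixlen == 0 and rule["from_port"] <= port <= rule["to_port"]

def audit(inv, today, max_idle_days=90):
    findings = [("ssh-open-to-internet", r["name"])
                for r in inv["firewall_rules"] if open_to_internet(r)]
    for s in inv["storage"]:
        if s["public"]:
            findings.append(("storage-shared-publicly", s["name"]))
        if not s["encrypted"]:
            findings.append(("storage-unencrypted", s["name"]))
    for a in inv["accounts"]:
        idle = (today - date.fromisoformat(a["last_login"])).days
        if not a["mfa"]:
            findings.append(("no-multi-step-auth", a["name"]))
        if idle > max_idle_days:
            findings.append(("inactive-account", a["name"]))  # candidate for deletion
        elif a["name"] == "root":
            findings.append(("root-in-use", a["name"]))  # root logged in within the window
    return findings

if __name__ == "__main__":
    print(*audit(INVENTORY, date(2022, 3, 7)), sep="\n")
```

The `wide-range` rule is flagged even though it never names port 22, because its port range covers it; the office-only SSH rule is not flagged.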

Everyone who uses the Internet, applications and programs should remember to protect their own devices and all the data collected on them, for their own safety.
