The fallout of a year-long pandemic has changed the outlook for numerous businesses. A report published by McKinsey suggests companies have to “get real” about a hybrid workplace.
Yet one question gnaws at IT managers and C-Suite executives. How do you protect data in the cloud?
It’s a legitimate question – and one that can only be resolved by implementing a robust cybersecurity strategy.
The most recent vulnerability discovered in Microsoft Azure’s flagship Cosmos DB database highlights the importance of implementing a broad range of cyber security defences.
You cannot rely solely on out-of-the-box cybersecurity measures offered by software companies. The research team (Wiz) that discovered Microsoft’s latest vulnerability reported that they could access thousands of company databases stored in Azure.
Microsoft issued a statement explaining there is no indication that the vulnerability was exploited by outside entities. That the exploit has been there for the last two years is a bit worrying!
If hackers had found the gateway, they would have the ability to read, change or delete any information stored on the database of Microsoft’s customers.
This latest flaw comes after Microsoft’s Email Exchange Server was hacked in January this year, and the PrintNightmare security flaw last month. CNN reports that a how-to guide to exploit Microsoft’s operating system was “accidentally” published by a cybersecurity company.
What is going on?
How To Protect Data In The Microsoft Azure Cloud
Cloud security is an integral aspect of compliance. Companies that fail to implement adequate defences that protect customer data could find themselves in hot water with government regulators.
In the event of a data breach, the General Data Protection Regulation (GDPR), for example, provides for fines of up to £8.7m or 2% of the company’s annual turnover as a low-level penalty.
Ironically, the high-profile data breaches we read about in the media every week are committed by state-sponsored hackers. Or at least that’s what the hacked companies claim.
“China’s Great Firewall, the UK’s Snooper’s Charter, the US’ mass surveillance and bulk data collection — compliments of the National Security Agency (NSA) and Edward Snowden’s whistleblowing — Russia’s insidious election meddling, and countless censorship and communication blackout schemes across the Middle East are all contributing to a global surveillance state in which privacy is a luxury of the few and not a right of the many.” ~ ZDNet
Microsoft claims to have implemented “well-established response policies and processes, strong contractual commitments, and if need be, the courts” to protect your data.
On the company’s Privacy in Azure page, the software giant explains that “all government requests for your data” are directed to you. In other words, you are in control of your own data and have no obligation to share it with government agencies.
Is this why governments are sponsoring crack experts to hack the world’s leading software companies?
The Azure cloud storage platform is protected through 256-bit AES encryption as standard. However, it is the responsibility of Microsoft Azure customers to ensure the cloud configuration is implemented correctly.
Microsoft-managed keys also protect your data, but Microsoft does not store these keys on its database, nor can it access them. Again, the obligation lies with you as the customer to protect your own store keys through Azure Key Vault.
With so much of the responsibility placed on businesses rather than the software creators, it’s important to ensure your Azure setup is airtight and that you implement other strategies that enable you to protect data in the cloud.
Get Your Cloud Configuration Right!
Cloud environments are complex. They need to be in order to protect data. One of the all-important factors of adopting a hybrid workplace is ensuring your cloud configuration is correct.
One of the main causes of a data breach is a cloud configuration that has not been set up properly. This becomes even more problematic due to the various pieces of hardware and software the average company uses.
Cloud APIs (application programming interfaces) sit on top of your hardware so that your employees can access and use the software. If a hacker gets into your client’s software, they also get into your hardware.
Set Up Your Privacy Settings
The first thing to do whenever you download software applications or sign up to a third-party company you share data with (e.g. social media platforms, payment gateways) is to set up your privacy settings.
Privacy settings give you more control over your data. You have the option (in most cases) to choose which data you share and what the third party can do with it. Under the rules of data protection laws, you have the right to decide.
This should be the rule, at least. However, you sometimes find that companies (e.g. instant messaging services) do not function unless you provide the company with the relevant access (e.g. your list of contacts).
Payment gateways also share more information about your mutual customers than you need. For example, when a customer purchases a product from an eCommerce store using a third-party money transfer partner like PayPal, the vendor receives full details of the person’s address, telephone number and email.
Businesses that store customer data on file are advised to delete or relocate sensitive data to a storage environment which cannot be breached.
Cybersecurity experts Kaspersky recommend using specialised tools and techniques that prevent companies from seeing your personal data (e.g. social media apps).
You should determine how long third-party companies keep your records on file and the type of information they can pull from your devices. We also recommend checking the configuration settings every few weeks to ensure they have not been tampered with.
Use Strong Passwords and TFA
A study undertaken by Verizon found that most data breaches are due to weak passwords. The study found that 85% of breaches involved a human action that could have been avoided.
Malicious actors use sophisticated software that can unravel weak passwords. The software is programmed to run “trial and error” tests on user accounts. Weak passwords can be cracked relatively easily.
Once a hacker has gained unauthorised access into one user account, it doesn’t take much for them to crawl your entire network.
Utilising the random-generated password function that is built into software and third-party platforms these days is the most effective way to protect data in the cloud. User-generated passwords include a random selection of letters, numbers and symbols.
The issue employers have with this method, however, is that these passwords are not memorable. You need to write them down. It’s also against cybersecurity best practices to use the same password.
If you’re using several apps that your employees go in and out of every day, using random-generated passwords can be a pain in the Arsenal.
The best option is to use a memorable phrase and convert it into an ultra-cryptic format. For example, let’s take a common expression like Cheers My Dears. In a cryptic format, this phrase looks like Ch33r5MyD3ar5.
To make it even more cryptic, you could spell the phrase backwards. That would look like this: 5ra3DyM5r33hC. Providing you use a password that you personally associate with, your password is ultra-cryptic and, therefore, un-hackable.
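A password-policy check that a defender can run over candidate passwords built from a phrase in this way: it undoes digit-for-letter substitution and reversal, then compares the result with a deny list of common phrases. This is an added example, not code from the original article; the substitution table, the three-entry deny list and the 12-character minimum are constructed assumptions.

```python
import math
import string
from typing import Optional

# Constructed substitution table (assumption): digits/symbols back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed deny list of common phrases, lower-case with spaces removed.
COMMON_PHRASES = {"cheersmydears", "letmein", "iloveyou"}


def normalise(password: str) -> str:
    """Lower-case the password and undo simple character substitutions."""
    return password.lower().translate(LEET)


def matched_phrase(password: str) -> Optional[str]:
    """Return the deny-listed phrase the password reduces to, forwards or reversed."""
    plain = normalise(password)
    for candidate in (plain, plain[::-1]):
        if candidate in COMMON_PHRASES:
            return candidate
    return None


def naive_bits(password: str) -> float:
    """Length x log2(character pool): the estimate a simple strength meter reports."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(cls) for cls in classes if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check(password: str, min_length: int = 12) -> dict:
    """Reject short passwords and any that reduce to a deny-listed phrase."""
    phrase = matched_phrase(password)
    return {"naive_bits": round(naive_bits(password), 1),
            "derived_from": phrase,
            "accept": phrase is None and len(password) >= min_length}


if __name__ == "__main__":
    # The first two inputs are the article's examples; the third is constructed.
    for pw in ("Ch33r5MyD3ar5", "5ra3DyM5r33hC", "q7#Vn2!xLp9&Zt"):
        print(pw, check(pw))
```

Both of the article's example passwords score above 70 bits on the naive estimate yet reduce to the same deny-listed phrase, so a policy should test the normalised form as well as length and character mix.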
In addition, install two-way authentication (aka multi-factor authentication). This technology is becoming more commonplace because it identifies the location of the person attempting to log into an account and verifies the user is authorised to access the account by sending a code to their smartphone or email.
With two-factor authentication, cybercriminals cannot access an account without a code. Even if they crack the password, location and code need to be verified.
Avoid Storing Sensitive Information
Companies that have moved to the cloud typically refrain from moving all their data. According to IBM, the majority only store 20% of their data in the cloud.
In accordance with cybersecurity strategies, this is a sensible ploy. If you want to protect customers’ data from being stolen from the cloud, don’t put it there in the first place.
However, storing sensitive data on in-house servers can also have its downsides. If the server malfunctions and you lose it, there may not be any way to recover it.
To get around this potential problem, manage your data with regular backups and ensure you have an airtight disaster recovery plan in place. Our experienced IT support professionals can help you create a disaster recovery plan.
Protect Data in the Cloud With Anti-Malware Software
Anti-virus and anti-spyware software is a cost-effective strategy for businesses to protect data in the cloud. It adds another layer of protection to your network and devices and requires very little intervention from IT members.
Anti-malware tools are programmed to detect existing codes that are known to be malicious. As a consequence, the majority of cyberattacks can be captured and isolated at the source.
The majority of cyberattacks embed malicious code in links or email attachments. These codes are typically programmed by state-sponsored actors at the top of their game. But once they reach the average hacker, cybersecurity companies already have the software to prevent the average hacker from breaching your business network.
IT security companies update their software periodically to ensure it is effective against the latest malicious codes in circulation. Updates are automated by the security provider. This avoids downtime and ensures that the updates are performed.
Whilst there are plenty of antivirus software options to choose from, there are also some fake companies. Some software is also inadequate. When selecting anti-virus and anti-spyware tools, stick with a reputable company or speak to our IT experts in London for advice.
Install Updates to Your Operating System
Whenever software is launched on to the market, it will inevitably develop a vulnerability at some point. Hackers somehow find a code that exploits a gateway.
The only way for software vendors to avoid software breaches is to issue security patches in an update. If you have a smartphone, tablet or computer, your operating system and other bits of software require regular updates.
Updates are typically issued to fix bugs that could leave your device exposed. If you ignore the update and fail to patch over a potential gateway, hackers can access your network. But having to update the patches manually every time becomes disruptive and annoying.
Automated updates are a godsend. For companies that use multiple apps and tools, activating security updates can be a burden to the productivity of your workforce. You also have to rely on all your employees performing the update. That’s not a good strategy!
Companies that fail to update software once a new security patch has been released are held responsible for any subsequent data breach. As a result, you are more likely to incur a GDPR penalty due to weak security or an avoidable mistake.
The most effective option to remain compliant with GDPR and protect data in the cloud is to adopt a patch management service. This type of IT support solution ensures that every single app, software, operating system and device on your network is updated automatically.
Patch management services not only encompass a full suite of security measures but also mean you avoid losing productivity. Downtime, if any, is limited.
Cloud IT Support in London
Behind every effective cybersecurity strategy is an experienced IT team with the skills and knowledge to protect data in the cloud.
The cloud technologies we use encrypt data using military-grade AES (Advanced Encryption Standard). Together with several other security solutions, we are well-equipped to provide you with maximum layers of security.
In addition, we appreciate that cloud security is a shared responsibility between the cloud service provider (us) and our clients (you). You can, therefore, rest assured that we have your best interests at heart.
Cloud computing is also a specialised area of IT. As we mentioned above, it involves complex configuration protocols – and if you don’t get your cloud configuration right, you open yourself up to a potential data breach.
For more information and advice about how to protect data in the cloud, contact our cloud support experts in London.