Creating Cloud Security Policies that Work

5 years ago Tripwire Guest Authors

Now that the ongoing worldwide trend toward “going digital” has been accelerated by COVID-19, taking extra precautions to protect your organization’s data, communications and information assets is more important than ever.

Of course, there are many traditional and emerging ways to protect and secure your business: 

  • Employing cybersecurity analysts, auditors or specialists 
  • Implementing a comprehensive communications archiving system 
  • Considering cyber liability insurance   
  • Building a culture of awareness and educating employees on common social engineering tactics used by criminals, such as email phishing scams

However, the chief focus of this discussion will be on protecting your organization by creating and implementing cloud security policies or by updating and fortifying existing ones.

This is essential because, as reported in CIO, nearly all enterprises (96%) use cloud computing in some capacity, with a strong majority (81%) now employing multi-cloud scenarios and strategies.

“Cloud security refers broadly to measures undertaken to protect digital assets and data stored online via cloud services providers,” says Investopedia, which notes that common threats to cloud security include “data breaches, data loss, account hijacking, service traffic hijacking, insecure application program interfaces (APIs), poor choice of cloud storage providers and shared technology that can compromise cloud security.”

Cloud Security Challenges & Concerns

The good news is that the major cloud computing providers (including the Big Three of Amazon, Google and Microsoft’s Azure) invest heavily in providing cloud security to their users. What is crucial to understand, however, is that even though cloud computing itself is considered to be relatively safe, significant risk does come into play in terms of how you, the user, implement safety protocols and precautions on your side of the cloud computing experience.

More on this in a moment, but first, here is a quick review from Cloud Security Alliance and Tripwire on some of the top cloud security challenges:

  • Data breaches
  • Inadequate change control
  • Lack of cloud security architecture and strategy
  • Hijacking of accounts
  • Insider threats
  • Abuse of cloud services
  • Security architecture that can withstand cyber attacks
  • GDPR compliance
  • Accountability
  • Data ownership
  • APIs

Why You Need a Cloud Security Policy

There are many complex explanations out there that aim to answer the question: Why do I need a cloud security policy? Here’s a simplified answer in four bullet points:   

  • Businesses derive many benefits from cloud computing.
  • However, doing so comes with certain vulnerabilities.
  • Criminals are always looking to exploit those vulnerabilities.
  • When they succeed, the result can be anywhere from annoying to disruptive to devastating.

Perhaps the most important reason to implement and update cloud security policies for your organization is connected to a central tenet of cloud security known as the “shared responsibility model.”

Operationally speaking, security is broken into two components:

  • Security “of” the cloud
  • Security “in” the cloud

Security “of” the cloud

Cloud service providers (CSPs) are responsible for this. As explained in this article on the shared responsibility model: “CSPs have the responsibility to ensure that their infrastructure is free from vulnerabilities. They’re also responsible for the physical security of the cloud service and ensuring that unauthorized physical access to the hardware or software is prevented, as well as disaster and incident response.” And doing so doesn’t come cheap. Microsoft reportedly spends over $1 billion each year on security protections, including research and development.  

Security “in” the cloud

This is your responsibility. OK, perhaps not you personally, but definitely your organization. According to an informative Wall Street Journal article, “Gartner Inc. estimates that up to 95% of cloud breaches occur due to human errors such as configuration mistakes, and the research firm expects this trend to continue.”

Connecting with a cloud security provider has many advantages, but can also be an extremely complex proposition. According to the article “Human Error Often the Culprit in Cloud Data Breaches,” Amazon Web Services has a 130-page instruction guide for how to operate Amazon Simple Storage Service (Amazon S3). The cloud user’s responsibility necessitates ongoing vigilance around password security, internal and external sharing of data, third-party access and much more. For many companies and organizations, cloud security also comes with regulatory requirements (for example, information access rules set forth by HIPAA, GDPR, Sarbanes-Oxley, etc.).

How to Create a Cloud Security Policy

For obvious reasons, creating a cloud security policy is an extremely complex undertaking. This is not a situation where you task the new guy in IT with whipping something together by end of day Friday. You’ll need to engage senior leadership, IT leadership and perhaps even outside consulting firepower to create a comprehensive policy that truly protects your organization from risk.

Here is an overview of some of the key elements of creating a cloud security policy from TechTarget:

  • Seek approval from senior leadership to develop a cloud security policy.
  • Establish a project plan and goals for the project.
  • Select a team with the right people to draft the policy.
  • Work with management while drafting the policy to make sure you are covering all the important issues.
  • Consult with your legal team and human resources throughout the writing process. Make sure they review the policy and offer constructive feedback.
  • Ask for an internal or IT review of the policy.
  • Before submitting it for senior leadership approval, make sure everyone who should see the policy has read it and provided necessary feedback.
  • Submit the policy to senior leadership and secure their approval.
  • Once approved, distribute the policy to employees.
  • Determine a policy review process.
  • Schedule annual reviews of the policy to ensure it’s up to date.

Global IT services provider PhoenixNAP offers a simplified look at several key aspects that must be addressed in a cloud security policy. These include:

  • Data types that can and cannot move to the cloud
  • How teams address the risks for each data type
  • Who makes decisions about shifting workloads to the cloud
  • Who is authorized to access or migrate the data
  • Regulation terms and current compliance status
  • Proper responses to threats, hacking attempts and data breaches
  • Rules surrounding risk prioritization

Here are a couple of other helpful resources when it comes to developing an effective cloud security policy:

  • “How to Create a Cloud Security Policy, Step by Step” — a helpful explainer piece from technology information provider TechTarget
  • Essential Guide to Cloud Security — a comprehensive review of key terms and definitions, list of risks and threats, challenges, benefits, cloud security standards and best practices (plus a template) from Smartsheet

Cloud Security Policy | Top Takeaways

Digital Guardian provides a list of 50 cloud-based security tips. We’ve curated a few of the most useful ones to help with your cloud security policy journey:

  • Limit and protect attack surfaces.
  • Focus on your most sensitive data.
  • Build ‘security-first’ into your overall cloud strategy.
  • Know what’s covered in your security solution.
  • Provide training within your organization.
  • Protect against employee mishaps, mistakes and misbehavior.
  • Stay up to date on the latest security challenges.

Finally, being transparent about your rigorous cloud security policies and protocols can be important in providing added peace of mind to customers or other organizations with which you do business.


About the Author: Michelle Moore, Ph.D., is academic director and professor of practice for the University of San Diego’s innovative online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher and author with over two decades of private-sector and government experience as a cybersecurity expert.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “Creating Cloud Security Policies that Work” appeared first on TripWire.

Source: TripWire – Tripwire Guest Authors
