HomeTeam BlogCloud Security: Creating a New Approach in 2015

Cloud Security: Creating a New Approach in 2015

I recently wrote an article for Cloud Computing Week UK discussing how IT teams generally approach cloud security and how we can change it for the better in 2015.

In 2014, businesses and individuals alike considered a plethora of opportunities to leverage the cloud. From iCloud for personal use to Office 365 for enterprises, there was a major shift to using online data storage and collaboration platforms. But we’ve come to learn that with opportunity also comes risk. These risks could result in potentially irrevocable damages for businesses – not only tarnishing a brand name, but also affecting the overall outlook on future technology or even the future of a company.

I recommend organizations implement different approaches for securing their cloud operations. Here are four ways to protect sensitive data from future attacks:

  1. Just-in-Time Access: With this method, access is granted on an as-needed and only-at-the-time-of-need basis. After the predetermined duration expires, the user loses access. This type of protection is most helpful when dealing with contract-based or temporary employees.
  2. Traceability: This helps overcome non-transparency concerns by reproducing and displaying the chain of events from log information indicating human operations, file transfers, and process activity as well as information from related systems – such as authentication and equipment management systems. This is traditionally achieved through the use of watermarking, auditing, and paper trails.
  3. Decentralization: This method attempts to improve speed and flexibility by reorganizing networks to increase local control and execution of a service. It also helps prevent maximum damage from data breaches by spreading data out across separate repositories.
  4. Front Door: Think of your organization as a home to your data. The primary point of entry in a home is the front door. Make sure you have a sturdy lock installed by preventing instances of accidental breach (e.g. users having too much permission, leaving passwords out in the open or too simple), social engineering, or exploiting password reset. Host training sessions for your employees on security best practices such as password design and storage.

2015 should be a year in which we do not fear the cloud or online services – it should be a year where we entrust providers like Microsoft, Amazon, Google, and Rackspace to safeguard our critical information on their platforms and fortify our efforts to guard the front door.

To read more about cloud security approaches, please visit Cloud Computing Week UK.

Learn how we can help your organization ensure a safe and seamless cloud implementation visiting our website.

42 COMMENTS

    • Agreed – JIT access that doesn’t need anyone to remember to follow up will be *key* going forward.

    • Love seeing other organizations embracing policies like JiT! The AvePoint Cloud operations team is embracing this as well when it comes to managing our Online Services.

  1. @Jim I can see how JIT can be very useful in the Military since soldiers get deployed at any given time. It’s odd that it’s not being used so much for contractors/temp workers on our installation. Maybe it will vary from base to base but I think it would be very effective.

  2. A nice overview of some of the security options available in the cloud. With some of the big name data breaches, people are freaking out about the safety of the cloud and their sensitive information.

    • Whether you’re a 50,000 person organization or a 500 person organization. This is the reality we live in today. Its nice to finally see that the “freak-out” is finally leading to proper awareness and safeguards rather than Cloud paranoia and avoidance.

    • Thanks! Stay tuned, I’ll have more Cloud content coming up during and after Ignite! We also have a Cloud Whitepaper currently going through editing.

  3. Good overview. Wondering how to get IT and security teams in the financial sector more “on board” with cloud services. Security certifications? Use cases from big-name players?

    • Each provider is a little different. If you check out Microsoft’s Trust center, they dive heavily into what certifications their staff and data centers have already achieved. Also, it varies by region, they just rolled out Online Services in Australia and are aiming to adhere to the local standards there. http://azure.microsoft.com/en-us/support/trust-center/

    • Indeed, I was just visiting our EMEA offices and I could see the radical differences in each region. France and Benelux were very excited for Cloud while Germany was much more conservative. A very similar tone to Australia last year before the big announcement of the local data centers. I think change will come in time globally!

  4. One takeaway I have from evaluating cloud solutions and using them, check what level of logging and auditing they provide. A lot of new startups leave that out, so when something happens you might not be able to find out who did what. The reverse is also true – less / no access to the backend makes things written in stone if they are accessibly logged.

    • Lots of info on security / audit coming at Ignite, stay glued to the feeds. Stop by our booth while you’re there to see how our solutions will leverage the new capabilities.

  5. Please bring info to Ignite on JiT approach. This looks very interesting and possibly very useful to our company.

  6. Can this JIT access also work together with Onedrive for Business? Or how would you recommend the combination of JIT and Onedrive to be used?

    • Great question. Right now one of the major areas of concern with ODFB and SharePoint Online is how easy it is to share content with someone.
      It’s the exact opposite of JiT access where you can share quickly and easily with anyone and the access never expires.

      One of the solution sets AvePoint is working on will allow better management of external sharing by monitoring, setting expiration and alerting on sharing events.

  7. I agree this is the year for cloud, and businesses and consumers are slowly warming up. Security is the key to its success, I like the concept of JIT. We need to balance security with ease of use, that is where it can become difficult. User demand in-and-out and easy flow. It is possible to provide both.

  8. As managing (users understanding) permissions on-prem can be difficult enough I agree with the point raised about training. This is key to ensure security in cloud and on-prem.

    In terms of watermarking assets, anyone know of the best tools out there (connected to SP) or perhaps this will be available in future versions of SP?

    • Hey Karin,

      We approach this problem from a number of areas. The first is using OOTB functionality such as IRM or Azure Rights Management. This will allow you to easily “tag” content and ensure its only opened by the relevant parties AND on the right devices if you work Intune into the mix.

      Barcoding and other features are part of information management policies in SharePoint as well but don’t quite extend outside the platform as the above features do.

      AvePoint also provides a set of solutions that can help monitor for permissions changes that fall out of policy from your existing security model. In addition to that, we do have an app in the Office 365 store https://www.avepoint.com/products/mobility-and-productivity/watermark/

  9. Excellent feedback. We ensure that our solutions are logged down to the individual action level. There’s also a lot to look forward to this year at Ignite. I can’t tell details but I think you’ll be VERY happy to hear what Microsoft has in store 😉

  10. Great topic and discussion starter. We have been using a JIT focus with our Office 365 subscription for the past two years.

  11. Good points. Yes, we do have to be much more security conscious with SharePoint 2013 App Model / REST / OData / WebAPI endpoints. The protection layer of farm WSP isn’t there when creating HTTP listener directly. Require SSL, carefully review auth tokens, run penetration test, etc.

    Scot Hilier has GREAT videos on @Ch9 about this. https://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC404 I want to learn more here.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

More Stories