I recently wrote an article for Cloud Computing Week UK discussing how IT teams generally approach cloud security and how we can change it for the better in 2015.
In 2014, businesses and individuals alike considered a plethora of opportunities to leverage the cloud. From iCloud for personal use to Office 365 for enterprises, there was a major shift to using online data storage and collaboration platforms. But we’ve come to learn that with opportunity also comes risk. These risks could result in potentially irrevocable damages for businesses – not only tarnishing a brand name, but also affecting the overall outlook on future technology or even the future of a company.
I recommend organizations implement different approaches for securing their cloud operations. Here are four ways to protect sensitive data from future attacks:
- Just-in-Time Access: With this method, access is granted on an as-needed and only-at-the-time-of-need basis. After the predetermined duration expires, the user loses access. This type of protection is most helpful when dealing with contract-based or temporary employees.
- Traceability: This helps overcome non-transparency concerns by reproducing and displaying the chain of events from log information indicating human operations, file transfers, and process activity as well as information from related systems – such as authentication and equipment management systems. This is traditionally achieved through the use of watermarking, auditing, and paper trails.
- Decentralization: This method attempts to improve speed and flexibility by reorganizing networks to increase local control and execution of a service. It also helps limit the damage from a data breach by spreading data out across separate repositories.
- Front Door: Think of your organization as a home to your data. The primary point of entry in a home is the front door. Make sure you have a sturdy lock installed by preventing accidental breaches (e.g. users having too much permission, or passwords that are too simple or left out in the open), social engineering, and exploitation of password reset. Host training sessions for your employees on security best practices such as password design and storage.
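
To make the Just-in-Time Access and Traceability items concrete, here is a small sketch added to this post as an illustration; it is not code from the article or from any product it mentions. The class, user and resource names are hypothetical, and the sample timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    expires_at: datetime

class JitAccess:
    """Time-boxed grants: expiry is enforced at check time, so nobody has to
    remember to revoke access. Every decision is appended to an audit trail."""

    def __init__(self, max_duration=timedelta(hours=8)):
        self.max_duration = max_duration  # policy ceiling (assumed value)
        self._grants = {}
        self.audit = []  # (timestamp, event, user, resource)

    def _log(self, now, event, user, resource):
        self.audit.append((now.isoformat(), event, user, resource))

    def grant(self, user, resource, duration, now):
        # Refuse open-ended or over-long requests instead of silently capping.
        if duration <= timedelta(0) or duration > self.max_duration:
            self._log(now, "grant_refused", user, resource)
            raise ValueError("duration outside policy")
        g = Grant(user, resource, now + duration)
        self._grants[(user, resource)] = g
        self._log(now, "granted", user, resource)
        return g

    def is_allowed(self, user, resource, now):
        g = self._grants.get((user, resource))
        if g is None:
            self._log(now, "denied_no_grant", user, resource)
            return False
        if now >= g.expires_at:
            del self._grants[(user, resource)]  # expired grants are dropped
            self._log(now, "denied_expired", user, resource)
            return False
        self._log(now, "allowed", user, resource)
        return True

def demo():
    t0 = datetime(2015, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    jit = JitAccess()
    jit.grant("contractor1", "finance-share", timedelta(hours=2), now=t0)
    during = jit.is_allowed("contractor1", "finance-share", t0 + timedelta(hours=1))
    after = jit.is_allowed("contractor1", "finance-share", t0 + timedelta(hours=3))
    return during, after, [event for _, event, _, _ in jit.audit]
```

The audit list is what gives the traceability: the grant, the permitted use and the post-expiry denial are all reconstructable afterwards.
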
2015 should be a year in which we do not fear the cloud or online services – it should be a year where we entrust providers like Microsoft, Amazon, Google, and Rackspace to safeguard our critical information on their platforms and fortify our efforts to guard the front door.
To read more about cloud security approaches, please visit Cloud Computing Week UK.
Learn how we can help your organization ensure a safe and seamless cloud implementation by visiting our website.
JiT access looks to be becoming a major trend for 2015/2016.
Agreed – JIT access that doesn’t need anyone to remember to follow up will be *key* going forward.
At EDS we used this method all the time in support of the Military.
I’m looking to implement this for our firm.
Security is the topic of the day at Macy’s. Security in the cloud is of major concern. Building this trust with the big providers will be key.
Love seeing other organizations embracing policies like JiT! The AvePoint Cloud operations team is embracing this as well when it comes to managing our Online Services.
@Jim I can see how JIT can be very useful in the Military since soldiers get deployed at any given time. It’s odd that it’s not being used so much for contractors/temp workers on our installation. Maybe it will vary from base to base but I think it would be very effective.
A nice overview of some of the security options available in the cloud. With some of the big name data breaches, people are freaking out about the safety of the cloud and their sensitive information.
Whether you’re a 50,000 person organization or a 500 person organization, this is the reality we live in today. It’s nice to finally see that the “freak-out” is finally leading to proper awareness and safeguards rather than Cloud paranoia and avoidance.
Thanks for the post. This is an informative overview.
Thanks! Stay tuned, I’ll have more Cloud content coming up during and after Ignite! We also have a Cloud Whitepaper currently going through editing.
Will the whitepaper be posted in the blogs? I do not want to miss it.
Good overview. Wondering how to get IT and security teams in the financial sector more “on board” with cloud services. Security certifications? Use cases from big-name players?
Each provider is a little different. If you check out Microsoft’s Trust center, they dive heavily into what certifications their staff and data centers have already achieved. Also, it varies by region, they just rolled out Online Services in Australia and are aiming to adhere to the local standards there. http://azure.microsoft.com/en-us/support/trust-center/
Thanks for your good overview.
But Microsoft will deploy this year many new security and compliance features. As a German-based consultant, we are waiting for many of them.
Indeed, I was just visiting our EMEA offices and I could see the radical differences in each region. France and Benelux were very excited for Cloud while Germany was much more conservative. A very similar tone to Australia last year before the big announcement of the local data centers. I think change will come in time globally!
One takeaway I have from evaluating cloud solutions and using them, check what level of logging and auditing they provide. A lot of new startups leave that out, so when something happens you might not be able to find out who did what. The reverse is also true – less / no access to the backend makes things written in stone if they are accessibly logged.
Thanks for the post. Good info!
Nicely written summary! Thanks!
Will there be some info on this at #MSIgnite this May?
Lots of info on security / audit coming at Ignite, stay glued to the feeds. Stop by our booth while you’re there to see how our solutions will leverage the new capabilities.
Please bring info to Ignite on JiT approach. This looks very interesting and possibly very useful to our company.
Would love to talk to you @ Ignite, swing by the booth!
Nice article, would like more info!
So perhaps some links on AvePoint Tools that take us there?
Hey Ralph! Check out AvePoint Compliance Guardian Online. It’s a part of our AvePoint Online Services platform and helps with website as well as Office 365 compliance. You can learn more and access a free trial here:
https://www.avepoint.com/products/office-365-online-services/website-and-office-365-compliance/
Enjoyed the post. Thank you for sharing
Can this JIT access also work together with OneDrive for Business? Or how would you recommend the combination of JIT and OneDrive to be used?
Great question. Right now one of the major areas of concern with ODFB and SharePoint Online is how easy it is to share content with someone.
It’s the exact opposite of JiT access where you can share quickly and easily with anyone and the access never expires.
One of the solution sets AvePoint is working on will allow better management of external sharing by monitoring, setting expiration and alerting on sharing events.
I agree this is the year for cloud, and businesses and consumers are slowly warming up. Security is the key to its success, I like the concept of JIT. We need to balance security with ease of use, that is where it can become difficult. Users demand in-and-out and easy flow. It is possible to provide both.
Nice article. Good read.
Thanks for this post! Really useful information!
As managing (users understanding) permissions on-prem can be difficult enough I agree with the point raised about training. This is key to ensure security in cloud and on-prem.
In terms of watermarking assets, anyone know of the best tools out there (connected to SP) or perhaps this will be available in future versions of SP?
Hey Karin,
We approach this problem from a number of areas. The first is using OOTB functionality such as IRM or Azure Rights Management. This will allow you to easily “tag” content and ensure it’s only opened by the relevant parties AND on the right devices if you work Intune into the mix.
Barcoding and other features are part of information management policies in SharePoint as well but don’t quite extend outside the platform as the above features do.
AvePoint also provides a set of solutions that can help monitor for permissions changes that fall out of policy from your existing security model. In addition to that, we do have an app in the Office 365 store https://www.avepoint.com/products/mobility-and-productivity/watermark/
Excellent feedback. We ensure that our solutions are logged down to the individual action level. There’s also a lot to look forward to this year at Ignite. I can’t tell details but I think you’ll be VERY happy to hear what Microsoft has in store 😉
Great topic and discussion starter. We have been using a JIT focus with our Office 365 subscription for the past two years.
Cloud security is a big topic for us, we have discussed methods about truly obtaining this.
Good points. Yes, we do have to be much more security conscious with SharePoint 2013 App Model / REST / OData / WebAPI endpoints. The protection layer of farm WSP isn’t there when creating HTTP listener directly. Require SSL, carefully review auth tokens, run penetration test, etc.
Scot Hillier has GREAT videos on @Ch9 about this. https://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC404 I want to learn more here.
Good info by author and comments.
Very Informative!
Cool
Very concise post. Will have to bring this up at my next InfoSec meeting.