Ascertus blog

Cloud security – pay attention to your data

Written by Damian Jeal | Mar 14, 2023 12:10:16 PM

For many years, one of the biggest objections to cloud technology adoption was security risk. Today, of course, we know that cloud offers the highest levels of security, and so this is no longer a barrier to the technology’s adoption.

Securing the cloud

This said, I recently read an interesting quote – cloud architecture is no fine wine when it comes to security. It got me thinking – it’s true, unlike fine wine, in the context of security, cloud architecture that is already deployed doesn’t get better with age. To the contrary, the cloud provides a wide attack surface, and with rapidly advancing technology and cyber criminals continually evolving their attack methods, security measures have to be constantly enhanced for them to remain effective.

At the technology and platform level, there is no doubt that cloud providers (Microsoft, Google, Amazon) are making significant investment in security – to an extent that no single business could match if it tried to do the same on-premises – but cloud adoption still requires you to pay continuous attention to security. Being in the cloud does not in itself give your firm all the security it needs.

If you have moved your firm’s business applications to the cloud, here are some things to think about:

Are your business applications cloud native?

There’s a world of difference between traditional applications (often referred to as “monoliths”) that have been “retro-fitted” with cloud technology versus those that are cloud native – i.e., built with cloud technology from the ground up. Without going into the technicalities, cloud native applications offer modern UX and CX, are easy to enhance with new features and functionality, can be scaled up quickly, and due to their very nature, can be integrated with other third-party solutions to help create seamless, digital work environments based on the needs of your firm.

The nature of your cloud application has a bearing on your security risk. So, if you are in the cloud on a business application that has been tailored for the environment, then it is possible that you may not have the advantage of security technologies such as Zero Trust (where no one person can change a system in a way that affects its security) or Zero Touch (where no one – not even IT administrators – can access customer data).

Do you have multifactor authentication active for your cloud applications?

Yes, I know, your users will likely tell you that multifactor authentication really gets in the way of their work, but given how clever and sophisticated cyber criminals are, this measure must be in place to help prevent data breaches. Likewise, check that encryption in transit and at rest is standard.

Where exactly is your data?

Just because your cloud vendor has a datacentre in the region where they say your data is domiciled doesn’t mean that your firm’s data always remains in that region. If you have a cloud solution covering multiple jurisdictions, there are multiple datacentres where your data could reside. To comply with client requests and the numerous country-specific data protection laws, you may need to ensure that some functions of cloud solutions only perform tasks in certain designated datacentres. So, if the data leaves a jurisdiction even for a fraction of the time, it could result in non-compliance.

Do users have secure access to the data they need?

Especially in a hybrid world, it’s important that users have access to the data they need to efficiently do their jobs. Cloud technology enables this beautifully – today people can work from anywhere, from any device and at any time. This ease of data access can pose a substantial security risk too, so it’s essential that your firm configures its business-critical systems to ensure that information is only ever available to employees on a need-to-know basis. For example, in your document management system, users should have the capability to – with a click of a mouse – apply security policy for each and every document, to a granular level. To illustrate, if needed, a lawyer could apply security to a document such that individual A would not be able to even view the information, but individual B could both view and edit due to their close involvement in the activity.

Likewise, in the cloud, business systems should have capabilities activated so that your IT administrators are alerted in the event of untoward activity. If an employee is suddenly downloading hundreds of documents, and this is uncharacteristic of their normal behaviour, it may well be a malicious attack – in which case, your IT department could instantaneously shut down the part of the network in question to mitigate or avert a disaster.

These kinds of capabilities embed security without creating unnecessary constraints within employees’ day-to-day workflows.
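The download alerting described above, sketched as an added example (it is not from the original article or from any vendor's product): each user's daily download count is compared with that user's own history rather than with one firm-wide limit. The event tuples, user names, dates and threshold parameters are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

def sample_events():
    """Constructed audit trail of (user, day, doc_id) download events."""
    series = {
        "alice": [5, 4, 6, 7, 5, 4, 6, 5, 7, 6, 240],        # spike on day 11
        "bob": [35, 38, 31, 40, 36, 33, 39, 37, 34, 38, 38],  # steadily heavy
    }
    events = []
    for user, counts in series.items():
        for n, count in enumerate(counts, start=1):
            day = f"2023-03-{n:02d}"
            events += [(user, day, f"{user}-{day}-{i}") for i in range(count)]
    return events

def daily_counts(events):
    """Collapse download events into {user: {day: number of downloads}}."""
    counts = defaultdict(Counter)
    for user, day, _doc in events:
        counts[user][day] += 1
    return counts

def bulk_download_alerts(events, k=6.0, min_history=5, floor=20):
    """Flag user-days far above that user's own earlier behaviour.

    Baseline is the median of the user's previous days; spread is the median
    absolute deviation (MAD), so one earlier spike does not shift the baseline.
    Threshold = max(floor, median + k * max(MAD, 1)).
    """
    alerts = []
    for user, per_day in daily_counts(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little data to call anything uncharacteristic
            base = median(history)
            mad = median(abs(h - base) for h in history)
            threshold = max(floor, base + k * max(mad, 1))
            if per_day[day] > threshold:
                alerts.append((user, day, per_day[day], threshold))
    return alerts

if __name__ == "__main__":
    for user, day, count, threshold in bulk_download_alerts(sample_events()):
        print(f"ALERT {user} {day}: {count} downloads (threshold {threshold})")
```

A single firm-wide limit of 30 downloads a day would alert on bob every day in this sample; the per-user baseline flags only alice's spike.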

Do you know how your cybersecurity insurance will play out in the unfortunate event of a breach?

Law firms are ripe targets for cyber criminals due to the highly sensitive nature of information that they work with. Taking out cybersecurity insurance is a no-brainer today. However, make sure that your insurance will indeed provide the protection your firm would need if the worst were to happen. Often there are exclusions and limitations in insurance policies, which firms find out to their horror at the time of an attack. For instance, in many insurance policies, the cover excludes attacks from state sponsored actors.

So, when you take insurance, make sure you have an in-depth understanding of exactly how the policy will play out, should a security breach take place.

Have you considered security, GDPR compliance and certifications?

Certifications help embed best practice for data and cybersecurity in the firm, making the processes business as usual. Think about certifying to Cyber Essentials. In association with the National Cyber Security Centre, this accreditation is a government backed scheme that focuses on five important technical controls that are designed to guard against the most common internet-based cybersecurity threats.

Similarly, UKAS issues UK GDPR certification against ICO approved certification scheme criteria. In fact, the first certification for Legal Services is due to be approved by the ICO imminently. The ISO 27001 certification is a good goal too.

It’s worth noting that most cybersecurity insurance policies demand evidence that strong security measures are in place, or the cover isn’t granted. The above-mentioned certifications provide the necessary proof. Such measures can also help reduce your insurance premiums – and over a length of time, the cost saving can be significant.

No organisation today can afford to become complacent with security – and this is even more so in a cloud-based and hybrid working environment. The ‘tools of trade’ that cyber criminals use, alongside their tactics and strategies are continuously advancing. After all, criminal activity is their day job! You must continually stress test, re-stress test, and fine-tune your security measures and processes to ideally ensure that breaches are pre-empted, but if disaster strikes, the impact is negligible. It’s critical that you are always on your “A” game in the cloud, when it comes to security.


FAQ

What is meant by cloud security?

Cloud security refers to the practices and measures taken to protect data, applications, and infrastructure in cloud computing environments. It addresses the potential risks and threats associated with cloud services, including unauthorized access, data breaches, data loss, and service interruptions. Cloud security involves implementing authentication, encryption, firewalls, and access controls to ensure the confidentiality, integrity, and availability of data stored and processed in the cloud. It also includes regular monitoring, vulnerability assessments, and incident response to detect and mitigate any security incidents or breaches.

What are examples of cloud security?

Examples of cloud security measures include:

  1. Encryption: Encrypting data during transit and at rest helps ensure that data remains confidential and cannot be accessed by unauthorized individuals.
  2. Identity and Access Management (IAM): Implementing IAM controls restricts access to cloud resources based on user roles, authentication, and authorization protocols to prevent unauthorized access.
  3. Firewall and Network Security: Deploying firewalls and network security measures helps protect cloud infrastructure from cyber threats, such as malware, viruses, and unauthorized network access.
  4. Data Loss Prevention (DLP): DLP tools monitor and control data movement within the cloud, preventing sensitive data from being distributed or stored improperly.
  5. Security Information and Event Management (SIEM): SIEM systems collect and analyze security event data to detect and respond to potential security incidents in real-time.
  6. Regular Auditing and Compliance: Conducting audits and ensuring compliance with industry standards (e.g., GDPR, HIPAA) helps maintain data security and privacy requirements.

These are just a few examples, as cloud security involves a multi-layered approach and may vary depending on the specific cloud provider and the needs of an organization.

How do I secure my data in the cloud?

To secure your data in the cloud, you can consider the following measures:

  1. Strong Authentication: Implement multi-factor authentication (MFA) to add an extra layer of security beyond username and password, such as using biometrics or SMS verification codes.
  2. Encryption: Encrypt your data both during transit and at rest. Choose a cloud provider that offers encryption features or employ third-party encryption tools.
  3. Access Controls: Utilize robust access controls and role-based access management (RBAC) to ensure that only authorized individuals have access to your data.
  4. Regular Updates and Patches: Keep your cloud infrastructure, applications, and security measures up to date by applying patches and updates as soon as they are available.
  5. Data Backup and Recovery: Regularly back up your data and test the backup and recovery processes to ensure that your data can be restored in case of any issues.
  6. Cloud Provider Evaluation: Prioritize cloud providers with strong security protocols, certifications, and a solid track record of data protection.
  7. Employee Education: Conduct regular training and awareness programs to educate your employees about cloud security best practices, including safe data handling and recognizing phishing attempts.
  8. Monitoring and Logging: Employ robust monitoring and logging tools to track and analyze activities in your cloud environment, enabling you to detect and respond to any security incidents quickly.

Remember that security in the cloud is a shared responsibility between the cloud provider and the customer. Discuss security measures with your provider and develop a comprehensive security strategy specific to your organization's needs.

This blog is the second article in this series on cloud computing. In the next piece, I’ll talk about how to best take advantage of scalability in a cloud environment.