7 rules of cloud security

The main cause of most cases of data leaks from the cloud are not software bugs or hackers' actions - most often the fault lies with administrators who forget to configure security or simply do it wrong (which makes the task easier for burglars). Following several rules will minimize the risk of such incidents, regardless of whether you use Amazon Web Services, Microsoft Azure or Google Cloud Platform.

You do not have to look far for the examples of the above-mentioned situations - the famous data leak from the Capital One Finance cloud was, as later analyzes showed, caused by an error in the configuration of the Web Application Firewall, which the company used in its infrastructure hosted in the Amazon Web Services cloud . It turned out that WAF was configured to list and check the content of all files stored in the so-called AWS data buckets - which in turn allowed an unauthorized user to send a request to transfer this data to him.

The effects of this error and the burglary based on it were deplorable - criminals managed to take over the data of nearly 100 million US citizens - including approx. 140,000. social security numbers and data of 80 thousand. bank accounts. The consequences will also be disastrous for Capital One, because according to conservative estimates, the company may face a financial penalty of up to USD 150 million for inadequately securing customer data.

Cloud security. One problem, many causes
There are at least several reasons for this situation. One of the fundamental ones is the misconception about who is actually responsible for securing the cloud - too many users assume that it is only the responsibility of the service provider. Of course, he also has a lot to do in this regard, but to think that he should do everything is wrong.

Microsoft, Amazon and Google must of course guarantee the security of their physical IaaS infrastructure in data centers, the hardware on which virtual machines run, and keep an eye on software updates. But taking care of the security of your own virtual machines and the applications running in them is on the side of the client or user. It does not matter how good the security is applied by the service provider - if the customer does not protect his own infrastructure (even that operating in the provider's system), he will not be able to count on a sufficiently high level of security. Importantly, the operator of a cloud service usually provides the client with tools that allow him to secure his resources - but their implementation and management remains the user's task.

Another reason for security problems is a kind of dissonance between the user's perception of their resources and security issues and reality. Business users still believe that there are criminals out there somewhere in the network who may one day make a spontaneous attempt to breach their company's security systems and steal their data. In their opinion, the chances of such an incident are negligible, because "why would someone attack my company?".

In fact, the situation is very different - a recent McAfee report shows that most criminals do not hunt specific companies at all.

Find more information here: Cloud Security