Raising Awareness Quickly: Avoiding Problems in the Cloud
In the fourth, and final, awareness tip for National Cyber Security Awareness Month, Rapid7 discusses the cloud, and how to avoid common problems while using it.
Fri, October 25, 2013
Rapid7 has developed a series of easily emailed awareness tips for National Cyber Security Awareness Month. As part of an ongoing effort to raise awareness and get the tips into as many hands as possible, CSO has made them available, so they can be easily copied and shared within your organization.
This week, the topic is the cloud and how to avoid some common problems when your staff takes advantage of it. The main point is to embrace (to some degree), rather than reject, the notion of self-service IT, and help users understand and self-manage some of the risk.
"Some organizations choose to enact a full no-cloud policy for their users and have the resources to enforce it, but for the vast majority of security teams, the only hope to prevent severe data leakage into the cloud is to properly educate your users about the inherent risks," Matt Hathaway, senior product manager at Rapid7, told CSO.
What follows is a letter on cloud usage and some best practices. As mentioned, it can be copied and freely shared within your organization.
What is the Cloud?
"Cloud" basically means a technological solution you're subscribing to online. That covers an incredibly diverse range of things. For example, online data storage like Dropbox; marketing automation and tracking like Marketo; and customer relationship management like Salesforce.com. Cloud applications are designed to be very quick to deploy and easy to manage, and as a result, the chances are that your department is already using some kind of cloud service.
The challenge here is that you don't know how good the security of the solution you're buying may be. That can be a big problem if any corporate information is being handled by the service. For example, if you use an online data storage service like Dropbox, SugarSync or Google Drive, and that service gets compromised by an attacker, that attacker could get access to any information you stored on the site.
Likewise, if you use an online human resources tool such as TribeHR, BambooHR, or iEmployee, and it gets compromised, your employees' personally identifiable information (PII) could be at risk.
Not only is this a problem for those directly affected, but the company as a whole is impacted. It is a legal requirement that PII for both employees and customers be protected, so any incident exposing it could result in fines or other penalties. And there are also reputational implications and the loss of trust. Other types of corporate data, such as any intellectual property, are also valuable and need to be protected to defend the way we do business.