Chief Information Officers (CIOs) and executive leadership know how important cloud computing technology is, but still hesitate to transition. When a company is faced with any change, reluctance is natural. Getting the whole IT leadership team on board can often seem like a difficult task. Thankfully, the cloud is almost always safer than CIOs believe.
The cloud revolution is here, and we are watching more and more companies move their critical IT infrastructure and data to the cloud every day. Prior to a cloud migration, executives are continually faced with the task of balancing the benefits of productivity gains against significant compliance and security concerns.
Security in a corporate-owned data center is not the same as security in the cloud. When leveraging cloud computing services, businesses need to evaluate several key factors. As we have mentioned in past blog posts, Gartner has reported that the cloud will drive 83 percent of enterprise workloads by 2020.
Much of this data includes high-value assets, trade secrets, intellectual property, and other confidential information, and its volume will only continue to grow over time. We have already seen cases of company data being exposed in the cloud, including health records, customer credit card information, and trade secrets. With the proper security best practices in place, much of that risk is removed, especially with a private cloud solution.
Here is how to securely leverage the benefits of cloud while using its strengths to overcome issues that have traditionally been labeled as security weaknesses.
Company Cloud Security Challenge
With the sheer amount of data moving to the cloud, much of it is bound to be confidential or highly sensitive. In fact, according to the 2019 Cloud Adoption and Risk Report from McAfee, 21 percent of files in the cloud contain sensitive data. The most common types of sensitive content found in the cloud are financial records, business plans, source code, and trading algorithms, the study found. As a result, the hosting location is a lucrative target for cyber criminals.
Many cloud service providers have launched new cloud security technologies to battle attacks, and hold a set of impressive compliance badges that add an extra layer of assurance in the cloud. However, as the end user of cloud platforms, there are best practices you and your company must follow to combat breaches. Cloud service providers can do much of the heavy lifting, but there is a level of accountability a company must take for the security of its own data.
When migrating to the cloud, an IT team does not want to lose control over its data. That is why security preparedness needs to be implemented prior to the move. Enterprises planning to move to cloud-based IT systems need to first think about how they have secured data on their own servers, and then implement procedures for protecting data and controlling and managing access to it in the cloud.
6 Best Practices for Data Security in the Cloud
Many security professionals are skeptical about the security of cloud computing. There are several key factors to evaluate, including:
- Privacy controls
- Data encryption
- Management and maintenance
- Data security
In this blog post we will dive deep into some of the best practices and checklist items that can be used to leverage the benefit of cloud services.
1. Strict Cloud Service Provider Vetting Process
Security requirements for cloud vendors are exhaustive, but customers should still vet them extensively before moving forward. More and more IT departments are having these conversations to pinpoint the best cloud partner and avoid any breaches as a result of third-party vulnerability.
Businesses can start with a compliance audit of each cloud service provider being vetted. These providers must provide proof that they will live up to the promises they make. Get an understanding of their networks and applications to determine how functionality, redundancy, and security will operate.
A recent study by IT industry association CompTIA found that even though many organizations are concerned about the security of their data in the cloud, only a small portion of companies perform a comprehensive review of their cloud service providers before sealing the deal.
“Despite some of the concerns, only 29 percent of the companies in the study said they engage in a heavy or comprehensive review of the cloud service providers’ security practices,” says Tim Herbert, research vice president with CompTIA.
2. Stringent Compliance Certifications
Security requirements vary across industries and even between companies in the same industry. Yet there are enough requirements in common to warrant the development of cloud security compliance standards. Some compliance certifications are widely accepted, such as the SOC standards. Others are industry specific, like HIPAA and HITRUST in the health care industry. A cloud service provider that holds both broad compliance certifications and the industry-specific badges that apply to you is best.
There are several major cloud computing security certifications that your cloud provider should have. They include:
SOC 1, SOC 2, and SOC 3
The SOC 1 report attests to controls over financial reporting, while the SOC 2 and SOC 3 reports address security, availability, processing integrity, and other factors that are relevant to information systems.
According to the American Institute of Certified Public Accountants (AICPA), SOC Reports are designed to help service organizations (data center colocation providers) build trust and confidence in the service performed and controls related to the services through a report by an independent auditor. Each type of SOC report is designed to help service organizations meet specific user needs.
To learn more on the different SOC reports and take a deeper dive into what they are protecting, visit our previous blog on the five factors for choosing a data center.
Finding a data center colocation provider that meets your strict compliance guidelines is imperative when it comes to keeping your data safe. When selecting a provider, ask them about the compliance badges they possess. Many industries require additional compliance.
For instance, the healthcare industry is regulated by HIPAA compliance and the financial and banking industry is regulated by PCI DSS compliance standards. Ensure that your data center provider also demonstrates the same rigorous compliance standards that fall within their control.
ISO 27001
This is a family of cross-industry security standards that addresses requirements, implementation, measurement, and codes of practice.
ISO 27001 was developed to provide guidance on implementing, operating, monitoring, reviewing, maintaining, and improving an information security management system (ISMS). ISO 27001 is technology-neutral and uses a risk-based approach.
The ISO/IEC 27001:2013 standard, and its accompanying standard, ISO/IEC 27002:2013 contain 14 control objectives in addition to the management framework required to achieve certification.
ISO 20000-1
This certification is a global standard of requirements for IT service management systems. ISO 20000-1 was developed to mirror IT Infrastructure Library (ITIL) best practices and equally support other IT service management approaches, such as Microsoft Operations Framework and parts of ISACA’s COBIT framework.
ISO 20000-1 is a significant competitive differentiator in the IT services industry. The process to become ISO 20000-1 certified includes a multi-stage audit process in the first year, followed by annual surveillance reviews completed by an accredited certification body.
ISO 20000-1 certification ensures your provider is committed to ongoing excellence, providing important proof that they are doing exactly what they say they are by showing:
- IT processes documented, actively managed and continually improved
- Best practices converted to mandatory steps
- Controls implemented to measure and maintain consistency
HIPAA
This is a certification that is important to healthcare organizations. The Health Insurance Portability and Accountability Act (HIPAA) establishes requirements for the use, disclosure, and safeguarding of protected health information (PHI). HIPAA should be top-of-mind for any organization that handles or stores sensitive healthcare data, including:
- Health Insurance Providers
- HR departments
PCI DSS
This is a certification that is important to the financial industry and to any organization that accesses payment information. The PCI DSS is administered and managed by the PCI SSC.
It is important to understand that the payment brands are responsible for enforcing compliance, not the PCI council. According to the standard itself, PCI DSS comprises a minimum set of requirements for protecting account data and may be enhanced by additional controls and practices to further mitigate risks, as well as by local, regional, and sector laws and regulations.
3. Rigorous encryption of data in transit
Any interaction with servers should happen over TLS 1.2 to ensure security. TLS, or Transport Layer Security, is the protocol that allows devices to communicate securely over the internet without exposing the transmission to anyone on the outside. TLS affects everyone: it is what makes it possible for you to shop online or make secure transfers through your bank’s website.
The upfront time and investment in updates like TLS 1.2 are much less than what your organization would spend responding to a data breach. Even if your cloud provider encrypts data, don’t depend on the provider alone. Deploy a comprehensive encryption solution to encrypt data before uploading it to the cloud.
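The following is an added example, not code from the original post or from LightEdge, showing what "TLS 1.2 as the floor" looks like on the client side. It builds the hardened `ssl.SSLContext` a cloud client should use, contrasts it with the permissive context that tends to appear when certificate errors are "fixed" by disabling validation, and refuses to build an HTTPS opener for anything that falls short of the policy. Only the Python standard library is used; the endpoint URL is a constructed placeholder.

```python
"""TLS client policy for connections to a cloud endpoint.

Added example, not code from the original post or from LightEdge. Uses only
the Python standard library; CLOUD_ENDPOINT is a constructed placeholder.
"""
import ssl
import urllib.request
from typing import List

# Constructed placeholder; substitute the real cloud API hostname.
CLOUD_ENDPOINT = "https://cloud-api.example.invalid/"


def permissive_context() -> ssl.SSLContext:
    """A context with certificate validation switched off.

    This is the shape a quick 'make the error go away' fix takes; it is kept
    here only so that policy_violations() can flag it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, even self-signed
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Context matching the post's recommendation: TLS 1.2 or newer, server
    certificate validated against the system trust store, hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Return every way `ctx` falls short of the policy; an empty list means compliant."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("protocol floor below TLS 1.2")
    return problems


def opener_for(ctx: ssl.SSLContext) -> urllib.request.OpenerDirector:
    """Build an HTTPS opener, refusing outright if `ctx` violates the policy.

    Routing every request to the cloud API through an opener built this way
    means a weakened context cannot silently reach production.
    """
    violations = policy_violations(ctx)
    if violations:
        raise ValueError("TLS policy violation: " + "; ".join(violations))
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    print("permissive:", policy_violations(permissive_context()))
    print("hardened:  ", policy_violations(hardened_context()))
    opener = opener_for(hardened_context())
    # opener.open(CLOUD_ENDPOINT) would now negotiate TLS 1.2+ against a validated certificate.
```

The check runs before any network traffic, so it can also be dropped into a unit test to keep a weakened context out of the code base.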
4. Define a Data Deletion Policy
After a customer’s or employee’s data retention period has ended, that person’s data should be programmatically deleted. The period may be specified by the customer, or it ends once the staff member is no longer employed by the company.
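An added example, not code from the original post or from LightEdge, of the deletion policy described above expressed as code: each record carries the date the relationship ended and the retention period that applies to it (customer-specified for customers; for employees the post says deletion follows the end of employment, so that default is zero days), and a scheduled job deletes whatever has expired and returns an audit list of what it removed. The record store and its entries are constructed sample data.

```python
"""Retention-driven deletion of personal data.

Added example, not code from the original post or from LightEdge. The store is
an in-memory dict of constructed sample records; a real job would replace the
`del` in purge_expired() with calls to the cloud storage API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed default: the post says employee data goes once employment ends.
EMPLOYEE_RETENTION_DAYS = 0


@dataclass
class Record:
    subject_id: str
    kind: str                            # "customer" or "employee"
    relationship_ended: Optional[date]   # contract end or last day of employment; None while active
    retention_days: int                  # customer-specified, or EMPLOYEE_RETENTION_DAYS


def employee_record(subject_id: str, last_day: Optional[date]) -> Record:
    """Employees use the company-wide retention default rather than a per-person value."""
    return Record(subject_id, "employee", last_day, EMPLOYEE_RETENTION_DAYS)


def deletion_due(rec: Record) -> Optional[date]:
    """Date on which the record becomes deletable, or None while the relationship is active."""
    if rec.relationship_ended is None:
        return None
    return rec.relationship_ended + timedelta(days=rec.retention_days)


def due_for_deletion(records: Iterable[Record], today: date) -> List[str]:
    """Subject ids whose retention period has ended on or before `today`, sorted for a stable audit trail."""
    due = []
    for rec in records:
        deadline = deletion_due(rec)
        if deadline is not None and deadline <= today:
            due.append(rec.subject_id)
    return sorted(due)


def purge_expired(store: Dict[str, Record], today: date) -> List[str]:
    """Delete expired subjects from `store` in place and return the ids removed (for the audit log)."""
    removed = due_for_deletion(store.values(), today)
    for subject_id in removed:
        del store[subject_id]
    return removed


def sample_store() -> Dict[str, Record]:
    """Constructed sample data: two customers with their own retention periods, two employees."""
    records = [
        Record("cust-001", "customer", date(2019, 1, 1), 30),    # expired 2019-01-31
        Record("cust-002", "customer", date(2019, 5, 1), 365),   # not until 2020-04-30
        employee_record("emp-100", date(2019, 3, 15)),           # left the company
        employee_record("emp-101", None),                        # still employed
    ]
    return {r.subject_id: r for r in records}


if __name__ == "__main__":
    store = sample_store()
    print("removed:", purge_expired(store, date(2019, 6, 30)))
    print("remaining:", sorted(store))
```

Running the job as of 2019-06-30 removes cust-001 and emp-100 and leaves cust-002 and emp-101 in place; keeping the returned list is what lets an auditor confirm the policy was applied.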
5. Implement Privileged Access Management
Implementing role-based access control allows user-specific access and editing permissions when handling data. Enforcing segregation of duties within the organization, so that it stays compliant with internal policies and external regulations, decreases the risk of insider threats and data breaches.
Access management generally requires three capabilities: the ability to identify and authenticate users, the ability to assign users access rights, and the ability to create and enforce access control policies for resources.
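The three capabilities listed above, with the role-based control and segregation of duties from the previous paragraph, as an added example that is not code from the original post or from LightEdge. Roles, permissions, users and the pairs of roles that one person may never hold together are all constructed sample data; in practice the role-to-permission map and the conflict set would come from the organization's policy, and the identity would come from the authentication layer rather than a plain string.

```python
"""Role-based access control with segregation of duties.

Added example, not code from the original post or from LightEdge. Roles,
permissions and the conflicting-role pairs are constructed sample policy.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Role -> permissions it grants (constructed sample policy).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer":   frozenset({"records:read"}),
    "editor":   frozenset({"records:read", "records:write"}),
    "approver": frozenset({"records:read", "records:approve"}),
    "auditor":  frozenset({"records:read", "audit:read"}),
}

# Segregation of duties: pairs of roles a single person may never hold at once.
# Whoever edits a record must not be the one who approves or audits it.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {
    frozenset({"editor", "approver"}),
    frozenset({"editor", "auditor"}),
}


class AccessControl:
    """Assign rights to identified users and enforce them on every access."""

    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}
        self.audit_log: List[Tuple[str, str, str]] = []   # (user, permission, decision)

    def assign_role(self, user: str, role: str) -> None:
        """Grant `role` to `user`, refusing if it would violate segregation of duties."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role}")
        held = self.user_roles.setdefault(user, set())
        for other in held:
            if frozenset({other, role}) in CONFLICTING_ROLES:
                raise PermissionError(f"{user}: role {role} conflicts with {other}")
        held.add(role)

    def permissions(self, user: str) -> Set[str]:
        """Effective permissions: the union of every role the user holds."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))

    def authorize(self, user: str, permission: str) -> bool:
        """Policy decision point: allow only if some held role grants the permission, and log it."""
        allowed = permission in self.permissions(user)
        self.audit_log.append((user, permission, "allow" if allowed else "deny"))
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign_role("alice", "editor")
    ac.assign_role("bob", "approver")
    print("alice write:", ac.authorize("alice", "records:write"))      # True
    print("alice approve:", ac.authorize("alice", "records:approve"))  # False
    try:
        ac.assign_role("alice", "approver")   # editor + approver is a conflict
    except PermissionError as err:
        print("refused:", err)
    print(ac.audit_log)
```

Unknown users and unknown permissions both fall through to a deny, and every decision is appended to the audit log, which is the record a compliance review will ask for.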
6. Leverage a Virtual Private Cloud
Instead of leveraging a multi-tenant instance, your cloud storage provider could provide a cloud environment that is used only by you and in which you have complete control and access to the data.
Virtual Private Cloud is ideal for you if:
- You need compute/storage resources QUICKLY or for a short amount of time
- You don’t have staff to maintain your own Dedicated Private Cloud (DPC)
- You require resources close to traditional IT but don’t have enough need to justify a large investment
- You need a cloud option that can be used for business continuity and disaster recovery
LightEdge’s Virtual Private Cloud Powered by VMware is highly elastic and built for the most sensitive data workloads. Virtual Private Cloud provides customers with flexibility and portability, without commercial licensing fees. Our Virtual Private Cloud is redundant by default, and can be provisioned by you or by one of LightEdge’s experienced engineers.
Let LightEdge be your Guide to Compliance and Security in the Cloud
Compliance not only protects businesses from excessive regulatory fines, it also protects a company’s reputation and minimizes the risk of harm to your patients. Cloud computing offers technical dexterity and gives healthcare organizations a competitive edge in a rapidly advancing world. However, not all cloud computing service providers offer the same level of support, data security, and compliance expertise. Use our tips to understand how compliance certifications govern cloud service providers and business associates, and to find a proven compliance-friendly provider that meets your usability requirements and compliance needs.
LightEdge has secure and compliant data center locations at our Des Moines, Kansas City, Omaha, and newly acquired Austin and Raleigh data center facilities. With LightEdge, you can achieve auditable compliance. With a proven background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet requirements.
LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a resource to all of our clients. Compliance and security are top priorities to guarantee that your data is protected. Get a fresh perspective on how well you meet best practices in security and gain visibility into vulnerabilities that need remediation. LightEdge is compliant with:
- ISO 27001
- ISO 20000-1
- SSAE 18 SOC 1 Type II, SOC 2 Type II and SOC 3
- PCI DSS
If you are interested in getting a risk-free assessment from our healthcare compliance experts, a tour of any of our compliant data centers, or to learn more about LightEdge’s compliance offerings, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.
To learn more about security and compliance in the cloud, download our free guide to assessing your move to the cloud. In this Guide, we’ll help you assess your move to the cloud, provide some key definitions, and offer suggestions that will help you know where to start, and what it makes sense to focus on right out of the gate.