Memo: How Startups Protect Data in the Cloud

Translator's note: Over the past few years, the topic of information security has finally ceased to be the lot of geeks and specialists, and now everyone is interested. After the exposure of Snowden, users of various online services began to think about the security of their data. Now companies that do not provide this security can face huge image and financial losses in the event of a hacker attack. Often, user credentials are stolen through third-party services (as was the case with Dropbox and Yandex ), but even in this situation, the company shadows and its customers remain unhappy.

However, not all creators of new projects pay due attention to data protection (as a result, scandals arise, likesituations with an anonymous Whisper application, whose user information was not as anonymous as expected).

Stephen Coty, chief security evangelist at Alert Logic, an information security company, wrote about how startups can approach information security when using cloud services.

Many years ago, when I created a business in the field of security and development, I had big plans and small start-up capital. When I started working on the necessary infrastructure and development platforms, I quickly realized the real cost of creating a business. It was at the dawn of the 2000s, when cloud infrastructure was not available: if you worked with something, you paid at full cost. In addition to the fact that I had to hire staff, work directly on the project, understand finances, sell and be a marketer, I was also forced to create the infrastructure that my team needed to work.

If you are creating a startup in the cloud, then you most likely have your own list of extremely important business tasks. Cloud services are diverse, you can start using them in the "self-service" format - all this simplifies the implementation of many tasks. But even in this case, security often goes by the wayside. However, it is important to understand that the cloud is a continuation of your business networks, regardless of whether you know about the existence of any of them or not. A security hole not only puts your internal networks at risk, but it can also threaten the data of your customers.

Public Cloud Security Threats

Although using a public cloud has significant financial benefits, it, like any infrastructure, has its own set of threats. Over the years, we have seen an increase in the frequency of public cloud attacks and the variety of malware used for this. With the increase in vulnerability tracking incidents, web applications, and brute force attacks, it becomes critical to develop an understanding of the types of threats that are specific to the cloud - this will help you create the right comprehensive security strategy to protect your ecosystem from attacks.

Security Assignment Model

In the public cloud, the key to security is a clear understanding of the existence of a model for sharing security responsibilities between you (the client) and the service provider. Without this understanding, you may be confused about the fact that your provider is protecting you, while the responsibility for certain security functions will actually rest with you.

For example, your service provider is responsible for 100% of the fundamental services, such as computing power, data storage, databases, network services. At the network level, your service provider is responsible for network segmentation, perimeter protection services, protection against DDOS attacks and spoofing. But you, the end user, are responsible for detecting network threats, notifying the service provider about them and any other incidents [related to security]. At the host level, you are responsible for managing access, updates, strengthening and monitoring security systems, and analyzing log files. The components of your web application are 100% your responsibility. To understand the differentiation of responsibilities between you and your provider, look at the chart below:



Understanding your role and the role of your cloud provider will not only help you make the most appropriate decision regarding the cloud infrastructure, thanks to it, your cybersecurity strategy will begin to effectively and cost-effectively protect your data from threats in the cloud immediately after its implementation.

Cloud Security Best Practices

Keep your code safe

code security is 100% your responsibility. First, make sure that security is part of your software development lifecycle (SDLC). To do this, formulate a list of tasks like this:

• Make sure your code is constantly updated and that you are using the latest plugins.
• Use software control over the speed of operations to avoid becoming a victim of a botnet.
• Use encryption wherever possible.
• Test all libraries and solutions that use third-party development.
• Stay on top of all the potential vulnerabilities of the products that you use.
• Finally, constantly check the code after adding updates.

Create Access Control Policies

First, determine what is included in your assets. Once you have made your list, identify the roles and responsibilities necessary to access the assets. If possible, centralize authentication - to implement authentication, start with the privilege assignment model.

Use the update management methodology

Again, formulate a list of important procedures:

• Make a list of your resources.
• If possible, develop a plan to standardize them.
• Do research on vulnerabilities that could affect you. Classify risks based on the types of vulnerabilities and their likelihood of occurrence.
• If possible, test the updates before their release.
• Set a schedule for regular updates and remember to include third-party products that require manual updates to be installed.

Log Management

Logs are currently not only useful for controlling costs; they become a serious security tool. You can use the log file data to track malicious activity and to conduct investigations. The essence of the process of turning logs into an effective security tool is constant monitoring, which is necessary to search for abnormal behavior.

Build your own security suite of tools — you should treat the cloud as a business network. You need to implement a comprehensive security strategy that covers all areas of your responsibility. Use IP tables, web application firewalls, antivirus, intrusion detection system, encryption and log management. Explore new security options and make sure the solutions you use are right for your business.

Stay up to date - you need to stay updated on all vulnerabilities that may arise in your ecosystem. The sites listed below contain some of the best material on this topic. These resources can help you keep abreast of emerging and spreading vulnerabilities, exploits and attacks:

• securityfocus.com
• www.exploit-db.com
• seclists.org/fulldisclosure
• www.securitybloggersnetwork.com
• www.sans.org
• www.nist.gov

*** In Russian, vulnerabilities are discussed on the resources www.securitylab.ru , xakep.ru (plus the corresponding section on Habré).

Know your Service Provider

Finally, find out exactly how the responsibility for security is distributed between you and your specific provider, as well as what he can offer with regard to ensuring your security. It is also necessary to constantly test the system to ensure that a high level of security is maintained.

Related posts and links:

• 7 deadly sins of information security for startups
• Journalists caught anonymous Whisper application in transmitting data to the FBI, NSA and the US Department of Defense
• Know-it-alls from business - how big data changes the face of companies
• 1cloud - secure cloud hosting (site)