Raising awareness quickly: Avoiding problems in the cloud

In the fourth, and final, awareness tip for National Cyber Security Awareness Month, Rapid7 discusses the cloud, and how to avoid common problems while using it.


Rapid7 has developed a series of easily emailed awareness tips for National Cyber Security Awareness Month. As part of an ongoing effort to raise awareness and get the tips into as many hands as possible, CSO has made them available, so they can be easily copied and shared within your organization.

Note: Previous topics from Rapid7 include phishing, BYOD, and passwords.

This week, the topic is the cloud and how to avoid some common problems when your staff takes advantage of it. The main point is to embrace (to some degree), rather than reject, the notion of self-service IT, and help users understand and self-manage some of the risk.

"Some organizations choose to enact a full no-cloud policy for their users and have the resources to enforce it, but for the vast majority of security teams, the only hope to prevent severe data leakage into the cloud is to properly educate your users about the inherent risks," Matt Hathaway, senior product manager at Rapid7, told CSO.

What follows is a letter on cloud usage and some best practices. As mentioned, it can be copied and freely shared within your organization.

What is the Cloud?

"Cloud" basically means a technological solution you're subscribing to online. That covers an incredibly diverse range of things. For example, online data storage like Dropbox; marketing automation and tracking like Marketo; and customer relationship management like Salesforce.com. Cloud applications are designed to be very quick to deploy and easy to manage, and as a result, the chances are that your department is already using some kind of cloud service.

The challenge here is that you don't know how good the security of the solution you're buying may be. That can be a big problem if any corporate information is being handled by the service. For example, if you use an online data storage service like Dropbox, SugarSync or Google Drive, and that service gets compromised by an attacker, that attacker could get access to any information you stored on the site.

Likewise, if you use an online human resources tool such as TribeHR, BambooHR, or iEmployee, and it gets compromised, your employees' personally identifiable information (PII) could be at risk.


Not only is this a problem for those directly affected, but the company as a whole is impacted. Data protection laws and regulations require that PII for both employees and customers be protected, so any incident exposing it could result in fines or other penalties. There are also reputational implications and the loss of trust. Other types of corporate data, such as intellectual property, are also valuable and need to be protected to defend the way we do business.

How can you protect yourself?

No one expects you to be an expert on security, but we do request that you be vigilant, familiarize yourself with company policies, and if in doubt, reach out to the IT or security team. In the case of cloud applications, bear in mind that although they may seem very polished and professional, you have no way of knowing what level of risk they are actually exposing you and our company to. Here are some basic ways of minimizing that risk:


Work with IT/Security: When you start to think about using a new service, bring the IT and security team into the process. We can work with you to identify potential options based on your needs and budget, and then we can vet the candidates for you. We know the questions to ask and what to look for to ensure you get all the benefits without a lot of extra risk.

Don't store information online without permission: When you use a cloud solution you may find that you start putting data in there as a matter of course. This is how you get value out of the solution, but have you considered what kind of data you're storing there? Or how the vendor is storing and protecting that data? We have a responsibility to keep that data safe, but a third-party vendor may not feel they share that responsibility. Check with IT and we will tell you whether it's safe to store information online.

Don't use personal cloud storage for work: It's very tempting; you use an online storage service for your media and documents at home. You already have an account set up, and you need to be able to access company information so you can work wherever you are. Using your personal account seems like an obvious solution, but it isn't. Ask IT for a solution and we will suggest some company-approved approaches and get you up and running.

Don't share permissions for company files: It's a standard practice to restrict who can access certain types of information in the company based on role. This helps keep the information safe. In the same way, you should check with a manager or IT before sharing access to files that are stored in the cloud.

Don't share passwords and other access credentials: It's very common for teams to share credentials for cloud services. This is an inherently insecure behavior and can encourage other equally insecure behavior such as emailing credentials, writing them down, or using very weak, easy to guess passwords. All of these activities increase the risk associated with using cloud services and should be avoided. Please familiarize yourself with our email on basic password hygiene if you have not already done so.


If you are considering a cloud purchase, or are already using some cloud services we may not know about, please do contact the IT team. And stay vigilant, team!

Stories by Steve Ragan