Cloud based security is a combination of several factors, namely – physical safety of data, reliable backup, constant monitoring solutions, and state-of-the-art security software. Choosing the right AWS consulting partner is crucial to the operation of an enterprise, as it means handing over the organizational data to the care of another organization (the AWS consulting partner) that may or may not live up to the standards of best-in-class cloud security.
The onus of maintaining the highest levels of cloud based security falls equally on the client (enterprise) and the cloud service provider (AWS consulting partner).
Key responsibilities of the cloud service provider
- Providing a physically safe data center - The building in which the servers are located should be constructed taking into account fire risks and other disasters that could occur. Temperature control should be maintained at all times of the day, regardless of power failures. Also, during blackouts, the server data should remain intact and, preferably, a long-duration power backup solution should be available.
- Competent and reachable staff - The employees of the AWS consulting partner should be well-trained to take care of the regular cloud needs of the enterprise and to handle emergencies such as DDoS attacks and other security incidents. Support should be available round-the-clock, even if the employees themselves work in shifts.
- Regular data backups - The cloud service provider should enable scheduled system backups (that can be restored on demand), according to the preference of the client. In this case, it is essential that data backups are as much the responsibility of the client as they are of the cloud service provider. The client’s employees should maintain local backups on their computers as well, and make sure that all of the day’s work has been duly synced with the cloud whenever a new update is approved to be rolled out into the production environment.
- Strong security measures in terms of software and data monitoring - Ensuring that the virtual security is up to the mark is as important as ensuring the physical security of the data on the cloud. The cloud service provider should have the latest security software, and it should be integrated with the enterprise resource planning solution that the client is using. All data-related events should be logged continuously, and a data monitoring dashboard should be provided to the client.
- Industry compliance relevant to the client’s business domain - Data storage on the cloud should conform to the industry standards required in the client’s business domain. For example, if the client is in the banking domain, the data storage should conform to the PCI DSS standard. If the client is in the medical domain, the data storage should be HIPAA compliant, and so on.
Key responsibilities of the client (enterprise)
- Reducing chances of user errors by the cloud users (employees) - More often than not, breaches are caused by negligent employees using easily guessable passwords or forgetting to lock their BYOD devices. The client should provide the necessary security training to its employees and ensure the staff’s preparedness through random security drills.
- Encryption of data while uploading, downloading, and storing - Data on the cloud is primarily the service provider’s responsibility. However, security during the exchange of data should be handled by the client. Data sent in server requests and received in responses should be strongly encrypted. Also, the data stored on user devices should be encrypted. This ensures that even if data is accessed by malicious attackers, they cannot decrypt it into intelligible form.
- Use of strong passwords and two-factor authentication - The employees should be encouraged to use strong passwords that cannot be easily guessed. In addition to that, two-factor authentication through an OTP or a unique question-answer combination should be implemented.
- Role based security and prompt deactivation of unused/obsolete accounts - The client should use an IAM (identity and access management) solution to provide role-based access to confidential data. When employees leave the organization, their accounts must be blocked immediately to avoid data breaches.
- Maintaining security of in-house devices (against malware and ransomware) - The computers used by employees must be equipped with anti-virus/anti-malware solutions. The employees should also be trained to identify phishing/malware attacks, so that the data on the system is not corrupted before it reaches the cloud.
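One defender-side check for the two-factor authentication and account deactivation items above, added here as an example and not code from the original article: it audits a constructed sample laid out in the column format of an AWS IAM credential report and flags console users without MFA and credentials unused for more than 90 days. The sample rows, the fixed "today" and the 90-day threshold are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of an AWS IAM credential report
# (the real report has more columns; only the ones used here are included).
SAMPLE_REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
alice,true,2024-05-30T09:12:00+00:00,true,true,2024-05-29T17:00:00+00:00
bob,true,2024-01-02T08:00:00+00:00,false,false,N/A
carol,true,no_information,true,true,2023-11-15T10:30:00+00:00
dave,false,N/A,false,true,2024-05-31T06:45:00+00:00
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed fixed "today" so results are reproducible
MAX_IDLE_DAYS = 90  # assumed idle threshold after which a credential is treated as obsolete

def _parse_ts(value):
    """Credential reports use 'N/A' or 'no_information' when a timestamp is absent."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def audit_credential_report(report_csv, now=NOW, max_idle_days=MAX_IDLE_DAYS):
    """Return {user: [findings]} for accounts that violate the MFA or stale-credential rules."""
    findings = {}
    cutoff = now - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        console = row["password_enabled"] == "true"
        # Rule 1: every console login must be protected by a second factor.
        if console and row["mfa_active"] != "true":
            issues.append("console login without MFA")
        # Rule 2: a credential unused for max_idle_days (or never used) points to a
        # departed or obsolete account and should be disabled, not left active.
        last_pw = _parse_ts(row["password_last_used"])
        if console and (last_pw is None or last_pw < cutoff):
            issues.append("password unused for >%d days" % max_idle_days)
        last_key = _parse_ts(row["access_key_1_last_used_date"])
        if row["access_key_1_active"] == "true" and (last_key is None or last_key < cutoff):
            issues.append("access key unused for >%d days" % max_idle_days)
        if issues:
            findings[row["user"]] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(issues))
```

Running it against the sample flags bob (no MFA, stale password) and carol (never-used password, stale access key) while alice and dave pass.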