An estimated 79 percent of companies are already either operating in a cloud environment or preparing to do so, according to CloudPassage’s Cloud Security 2016 Spotlight Report. Companies agree the cloud delivers unparalleled benefits, including freed-up space, cost reduction and flexible scalability.
However, security remains a barrier to full-scale cloud adoption. Here’s a look at how informed professionals are at protecting their companies on the cloud and what steps you can take to safeguard your information.
Used by 45 percent of organizations, multi-factor authentication is the most popular cloud security control. Meantime, 35 percent of organizations include among their most effective controls single sign-on user authentication, where multi-factor authentication is combined with the use of a single set of credentials that enables users to access multiple applications. This combination has several advantages.
Because users only have to remember one password, they can use a single, sophisticated password, which removes the temptation to write it down and reduces the risk of the password getting into the wrong hands. SSO also makes it easier to track security breaches by creating a single audit trail documenting the source and nature of the breach. By the same token, IT departments can more easily shut down compromised accounts by deleting a single set of credentials.
The main vulnerability of SSO, however, is that if the authentication process gets compromised, the intruder can access all applications. This makes protecting the integrity of the authentication process crucial. Leading corporate SSO solutions combine SSO with multi-factor authentication tools such as one-time password tokens, biometric identification, smartcards or radio badges. Some smaller businesses use password managers, which store encrypted passwords in a file that can be accessed through one set of credentials.
Encryption and Tokenization
The next most popular cloud security controls are encryption and tokenization. Encryption is also considered the most effective security control. Data encryption is cited by 65 percent of organizations as among their most effective controls, followed by network encryption at 57 percent.
Encryption uses a cipher to encode information so that it cannot be read by a party without the decoding key. For instance, online data backup service Mozy provides military-grade encryption by using a 256-bit AES key to encode files before sending them through a secure SSL connection. Without the encryption key, it’s practically impossible to decipher such a complex code. A strongly-encrypted transmission is only vulnerable if its key is stolen.
Encryption and tokenization each have strengths and weaknesses that make them appropriate for different situations. Encryption can be scaled to data of any size, can be used for both structured and unstructured information and is usually used with data leaving or entering an organization.
Meantime, tokenization provides somewhat stronger security, but does not work well with large databases or unstructured information. With that in mind, tokenization is best for small structured fields, such as credit card or Social Security numbers. It’s usually used within an organization due to the need for access to a mapping database.
Intrusion Detection and Prevention
Intrusion detection and prevention is the third most popular cloud security control used by organizations. After data and network encryption, it is also cited as the third most effective security measure. Intrusion detection systems monitor networks for activities that either display patterns of known threats, like malware, or deviate from patterns of normal traffic. When a threat is detected, the event can then be stored for monitoring or reported to an administrator. Intrusion prevention systems block threats as well as detect them.