As enterprises move their applications and data to the cloud, they are faced with the challenge of keeping that environment secure. The cloud is not inherently insecure, but cloud environments do present some security challenges of their own that need to be addressed properly. This is especially true for public cloud deployments, where part of the stack, and therefore part of the security controls, is operated by the cloud vendor rather than by you.

Many security professionals remain skeptical about the securability of cloud-based services and infrastructure. So what best practices or guidelines can be used to keep your cloud environment secure? Let’s take a look.

Cloud security challenges and threats

Cloud security issues fall into two broad categories: those faced by cloud providers (organisations providing software-, platform- or infrastructure-as-a-service via the cloud) and those faced by their customers (companies or organisations that host applications or store data in the cloud). Much of the unease about cloud security comes from the fact that the approach itself feels insecure: data is stored on servers and systems that you don't own or control. In practice, cloud providers offer a range of controls (encryption in transit and at rest, key management) that you can use to make sure data is encrypted and safely stored. How much of this the vendor does for you, and how much remains your job, depends on which type of cloud service you use.

With infrastructure-as-a-service (IaaS) such as AWS EC2 or Azure virtual machines, the vendor is responsible only for the underlying infrastructure: physical hosts, network and hypervisor. Patching and hardening the guest OS, middleware and runtimes falls to the customer. With platform-as-a-service (PaaS) the customer builds and deploys its own application, while the platform abstracts away the OS and tasks such as data storage and management. With software-as-a-service (SaaS) the vendor hosts and manages both the infrastructure and the application that companies buy and use. In every one of these models, however, the customer remains responsible for its own data and for who can access it: the identities, credentials and permissions it configures, and the service settings it chooses. This split is usually called the shared responsibility model.

There are some crucial areas to focus on when considering cloud environment security.

Data encryption

Encryption protects data in the cloud by transforming it so that it is unreadable without the key. Cloud providers typically offer it as a service: an encrypted connection (TLS) for data in transit, encryption of storage volumes, databases and object storage at rest, and a key-management service that holds the keys and decrypts on behalf of authorised callers. Encryption on its own does not keep a cloud environment secure, but it limits the impact of a breach: a copied snapshot or leaked storage volume is useless without access to the key. Yet according to some cloud security surveys, up to 82% of relational databases and 40% of storage volumes are unencrypted, and a high percentage of each are also publicly accessible because of other poor security practices.

Encrypting everything is not free, however. Transparent encryption at rest with provider-managed keys costs little, but application-level encryption of individual database fields makes those fields harder to index and query, and every encrypted store adds a key that has to be managed. Keys are also the obvious target: an attacker who obtains a key, or a credential that is permitted to use it, reads the data regardless of how it is stored, which undermines the purpose of encrypting it. Nonetheless, if you want to keep your cloud environment secure, encrypting sensitive data and following key-management best practice is a must.
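The survey figures above are the kind of thing you can measure in your own account. The following is an added example, not code from the original page: a small posture check that flags unencrypted and internet-reachable data stores. The inventory is constructed here to mimic the field names that boto3 returns for EC2 `describe_volumes` (`Encrypted`, `KmsKeyId`) and RDS `describe_db_instances` (`StorageEncrypted`, `PubliclyAccessible`); the identifiers are made up, and in production you would feed in the real API responses.

```python
"""Added example: a posture check for the two gaps the text describes, unencrypted
data stores and stores reachable from the internet. The inventory is constructed
to mimic the field names boto3 returns for EC2 describe_volumes and RDS
describe_db_instances; it is sample data, not a real account."""

# Constructed sample inventory (illustrative identifiers only).
VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:eu-west-1:111111111111:key/0000-example"},
    {"VolumeId": "vol-0bbb", "Encrypted": False},
    {"VolumeId": "vol-0ccc", "Encrypted": False},
]
DB_INSTANCES = [
    {"DBInstanceIdentifier": "payroll-db", "StorageEncrypted": False, "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True, "PubliclyAccessible": False},
]


def audit_volumes(volumes):
    """One finding per EBS volume that is not encrypted at rest."""
    return [{"resource": v["VolumeId"], "issue": "volume not encrypted at rest"}
            for v in volumes if not v.get("Encrypted", False)]


def audit_databases(dbs):
    """Findings for RDS instances that are unencrypted or internet-reachable."""
    findings = []
    for db in dbs:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append({"resource": name, "issue": "storage not encrypted at rest"})
        if db.get("PubliclyAccessible", False):
            findings.append({"resource": name, "issue": "endpoint is publicly accessible"})
    return findings


def coverage(items, flag):
    """Fraction of items with the boolean `flag` set (1.0 for an empty list)."""
    if not items:
        return 1.0
    return sum(1 for item in items if item.get(flag, False)) / len(items)


def run_audit(volumes=VOLUMES, dbs=DB_INSTANCES):
    """Findings plus encrypted-at-rest coverage ratios for the whole inventory."""
    return {
        "findings": audit_volumes(volumes) + audit_databases(dbs),
        "ebs_encrypted_ratio": coverage(volumes, "Encrypted"),
        "rds_encrypted_ratio": coverage(dbs, "StorageEncrypted"),
    }


if __name__ == "__main__":
    report = run_audit()
    for finding in report["findings"]:
        print(f"{finding['resource']}: {finding['issue']}")
    print(f"EBS encrypted: {report['ebs_encrypted_ratio']:.0%}, "
          f"RDS encrypted: {report['rds_encrypted_ratio']:.0%}")
```

Two caveats when you act on the output: an existing EBS volume cannot be encrypted in place (you snapshot it, copy the snapshot with encryption enabled and restore from the copy), and a `PubliclyAccessible` database is usually a worse finding than an unencrypted one, because at-rest encryption does nothing against a query sent to an exposed endpoint with valid credentials.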

Access management

Although it may be impractical to encrypt every piece of data, there is no excuse for failing to apply least-privilege access controls. Poor identity, credential and access management has been behind several significant data breaches, and users, service accounts and roles should be granted the permissions their function requires and nothing more: no wildcard permissions, no standing administrative access that is rarely used. Since the cloud makes a company's data reachable from anywhere, access to that data has to be managed deliberately. That is done with policies and guardrails that ensure only legitimate identities can reach vital information and bad actors are kept out.
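Least privilege is easiest to enforce where policies are written, before they are attached. As an added example (not from the original page), here is a linter for AWS IAM identity policies that flags the usual ways a policy ends up broader than intended: `Action: "*"`, service-wide wildcards such as `s3:*`, `NotAction` (which allows everything except the listed actions), and `Resource: "*"` on an Allow statement. The two policies are constructed for the example; the bucket name and statement IDs are made up.

```python
import json

# Constructed identity policy with three common least-privilege violations
# (illustrative only; not a policy from the page or any real account).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Sneaky", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "Fine", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports-bucket/*"},
    ],
})

# The same intent, scoped to what a report-reading role actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json):
    """Return (Sid, message) for every Allow statement that is broader than it should be."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"#{idx}")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows every action except the listed ones"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "Resource '*' applies the grant to every resource"))
    return findings


if __name__ == "__main__":
    for sid, message in lint_policy(BROAD_POLICY):
        print(f"{sid}: {message}")
    print("scoped policy findings:", lint_policy(SCOPED_POLICY))
```

Treat the `Resource: "*"` finding as a prompt for review rather than an automatic block: a number of read-only actions (the `Describe*` and `List*` calls of several services) do not support resource-level permissions and can only be granted against `*`. Wildcard actions and `NotAction`, on the other hand, almost never belong in a policy attached to a human user.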

Prepare for the possibility of DDoS attacks

A distributed denial-of-service (DDoS) attack, like any denial-of-service (DoS) attack, sets out to make a targeted site or service unavailable so that no one can reach it, temporarily or, in the worst case, indefinitely. Typical targets are services hosted on high-profile web servers (credit-card payment gateways, banks, government bodies), and most commonly the target is flooded with so many requests or packets that it responds too slowly, or not at all, and is effectively offline. Cloud hosting does not exempt you: a flood that exhausts your instances or your bandwidth takes the service down just the same, and with autoscaling it can also run up the bill. There are several approaches to mitigation (rate limiting, filtering at the edge, overprovisioning), but for volumetric attacks the practical answer is usually a dedicated DDoS-mitigation provider, often the cloud vendor's own offering, that absorbs the traffic before it reaches you.
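Rate limiting is the piece of DDoS mitigation you can implement yourself at the application layer. The following is an added example, not code from the original page: a per-source token bucket applied to a constructed traffic sample in which one client sends a request per second and another sends 40 requests per second. The IP addresses are documentation ranges and the traffic is generated inline.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second, holds at most `burst`."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last_ms = None

    def allow(self, now_ms):
        """Spend one token for a request at time `now_ms`; False means drop it."""
        if self.last_ms is not None:
            elapsed_ms = now_ms - self.last_ms
            self.tokens = min(self.burst, self.tokens + elapsed_ms * self.rate / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def apply_rate_limit(requests, rate=10, burst=10):
    """requests: iterable of (timestamp_ms, source_ip).
    Returns {source_ip: (allowed, dropped)} after running each source through its own bucket."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    stats = defaultdict(lambda: [0, 0])
    for ts_ms, ip in sorted(requests):
        if buckets[ip].allow(ts_ms):
            stats[ip][0] += 1
        else:
            stats[ip][1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed traffic sample (documentation IP ranges, generated inline).
LEGIT = [(i * 1000, "203.0.113.10") for i in range(10)]   # 1 request/s for 10 s
FLOOD = [(i * 25, "198.51.100.77") for i in range(80)]    # 40 requests/s for 2 s


if __name__ == "__main__":
    for ip, (allowed, dropped) in apply_rate_limit(LEGIT + FLOOD).items():
        print(f"{ip}: allowed={allowed} dropped={dropped}")
```

With a 10-token burst and a 10 token/s refill the ordinary client is never touched, while the flooding source gets its first burst through and is then held to the refill rate. This only helps against floods that reach your process: a volumetric attack saturates the network link or the load balancer first, which is why the text's advice to put a mitigation provider in front of the service still stands.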

Multi-factor authentication is a must

Strong, unique passwords on their own will not stop a determined attacker. Brute-force and credential-stuffing speed increases year on year, and once an attacker has a leaked password hash and a botnet or GPU rig to crack it, the mix of letters, digits and symbols matters less than you would hope. Multi-factor authentication adds friction, but it is an essential control for any user with privileged access, and ideally for everyone. Prefer a phishing-resistant hardware security key (FIDO2/WebAuthn) or, failing that, an authenticator app or hardware OTP token over SMS codes: SMS is exposed to SIM swapping, and in a BYOD world the same phone may be used both to log in to the privileged account and to receive the code, which collapses the two factors onto one device.

There’s not one ‘right’ way to secure your cloud environment. Every cloud setup is different, since every enterprise is different in size, and has unique business goals and cloud requirements.