Why the cloud does not automatically mean secure

With Covid pushing more and more people to work remotely, many companies are accelerating their cloud migration. Unfortunately, we are seeing the same security mistakes that affect on-site servers being made in the cloud. The cloud is just as difficult to secure as traditional on-premises IT infrastructure, if not more so. A scary real-world example: we recently talked to a law firm that was running fully on Amazon’s AWS cloud, yet its users were able to log in without a single multi-factor prompt. Their IT provider assured them that moving to the Amazon cloud would make them super secure, but a hacker could still get in with just a compromised password! They were finally able to get multifactor protection implemented…in 2020. Another law firm deployed a new practice management system in the cloud. It did not have multifactor authentication, good password policies, or other fundamental security features. Both firms moved to the cloud, but ended up less secure than they were before.

Security in the cloud is still your responsibility

Amazon Web Services even publishes a guide about their “shared responsibility” model here. That puts a lot of the burden back on your IT team to make sure the cloud is locked down properly - everything shown in blue. Amazon only handles the bottom half.

[Figure: AWS Shared Responsibility Model]

How does this impact you?

If your IT team ever tells you “it will be secure because it is in the cloud!”, find a new IT team ASAP! Just kidding (sort of), but you should treat the cloud just like any other system. Make sure you (or your IT department) are regularly reviewing active user accounts and methods of access (such as openings in firewalls), and that security updates are being applied as necessary. If you notice security taking a step back, pause things and discuss why. Most cloud platforms present a bigger target, which means it is not a good time to be relaxing security.
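A regular account review of the kind described above can be scripted. The following is an added example, not part of the original article: it reads a CSV in the layout of an AWS IAM credential report and flags password-enabled users without MFA or with long-idle sign-ins. The sample rows, the subset of columns shown, and the 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample using a subset of the IAM credential report columns.
SAMPLE_REPORT = """user,password_enabled,password_last_used,mfa_active
alice,true,2020-09-28T14:02:11+00:00,true
bob,true,2020-09-30T09:15:40+00:00,false
carol,true,2020-03-02T08:00:00+00:00,true
dave,true,no_information,false
svc-backup,false,N/A,false
"""


def review_accounts(report_csv, now, stale_days=90):
    """Return {user: [findings]} for accounts that can sign in with a password."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["password_enabled"] != "true":
            continue  # no console password, so the password checks do not apply
        issues = []
        if row["mfa_active"] != "true":
            issues.append("no MFA")
        try:
            last_used = datetime.fromisoformat(row["password_last_used"])
            idle = (now - last_used).days
            if idle > stale_days:
                issues.append(f"idle {idle} days")
        except ValueError:
            # Non-timestamp values such as "no_information"
            issues.append("no recorded sign-in")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    # Fixed review date (an assumption) so the sample output is reproducible.
    review_date = datetime(2020, 10, 1, tzinfo=timezone.utc)
    for user, issues in review_accounts(SAMPLE_REPORT, review_date).items():
        print(f"{user}: {', '.join(issues)}")
```

Accounts flagged "no MFA" are the ones a single compromised password would open; idle accounts are candidates for disabling.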

One other concern is that many companies are running in multiple clouds - Microsoft, Amazon, Salesforce, accounting software, practice management and more. Each of these requires proper security configuration; there is no magic bullet to set them all up at once.

Clouds are becoming more secure by default

Many cloud software products are starting to enforce higher security by default, even if they still allow you to disable it. For example, any new customers to Microsoft 365 will have multi-factor turned on by default, which significantly increases the security of your account. This still requires a savvy IT team to properly deploy the other safeguards needed for your business, but it's a significant improvement for the IT industry overall. Unfortunately, the vendors are often dragging IT teams along. One way to identify if you are in good hands from a security standpoint is if your IT team is ahead of the vendors when it comes to implementing security features.

Worried if your clouds are secure?

Trust your CIO and their team at Clear Guidance Partners. Our proven processes such as vendor security assessments and extensive operating procedures ensure we keep your data and business secure. Schedule a call today about how we can help.

Dustin Bolander