



7 best practices for securing your cloud service

Mar 24, 2017 | 5 mins
Cloud Security, Security

How to securely leverage the benefits of the cloud by using its strengths to overcome issues that have traditionally been labeled as weaknesses


As enterprises move their applications and data to the cloud, executives increasingly face the task of balancing the benefits of productivity gains against significant concerns about compliance and security.

Security in the cloud is not the same as security in the corporate data center. Different rules and thinking apply when securing an infrastructure over which one has no real physical control.


When leveraging cloud services, enterprises need to evaluate several key factors, including:

  • Data encryption capabilities for both data in transit and data at rest
  • Data security, especially in a multi-tenant cloud environment where it is unclear who can access your data and how it is isolated from vulnerabilities in other systems
  • Privacy controls on who can access your data, how long it may be used, stored, etc.
  • Maintenance and management controls and other measures the service provider has taken to ensure that the system is always protected and kept up to date with the latest software, server and operating system security patches, etc.

Many security professionals are highly skeptical about the securability of cloud-based services and infrastructure. In this post, we will discuss some best practices and guidelines that can be used to securely leverage the benefits of the cloud by using its strengths to overcome issues that have traditionally been labeled as weaknesses.

1. Encryption of data in transit must be end to end

All interaction with servers should happen over SSL/TLS (TLS 1.2) to ensure the highest level of security. The encrypted connection should terminate only within the cloud service provider network.

2. Encryption is important for data at rest, too

Encryption of sensitive data should be enabled at rest, not only when data is transmitted over a network. This is the only way you can confidently comply with privacy policies, regulatory requirements and contractual obligations for handling sensitive data.

Data stored on disks in cloud storage should be encrypted using AES-256, and the encryption keys should themselves be encrypted with a regularly rotated set of master keys.

Ideally, your cloud service provider should also provide field-level encryption. Customers should be able to specify the fields they want to encrypt (e.g., credit card number, SSN, CPF, etc.).
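The key hierarchy and field-level encryption described above can be sketched as follows. This is an added example, not code from the article or from any provider: it uses Node.js's built-in crypto module, and the `masterKeys` table, the `_enc` metadata layout and all function names are assumptions made for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Constructed master keys, indexed by version. In a real service these stay in a KMS or HSM.
const masterKeys = { v1: randomBytes(32), v2: randomBytes(32) };

// AES-256-GCM; output is base64(iv | tag | ciphertext). `aad` binds the ciphertext to its context.
function seal(key, plaintext, aad) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const c = createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function open(key, blob, aad) {
  const b = Buffer.from(blob, 'base64');
  const d = createDecipheriv('aes-256-gcm', key, b.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(b.subarray(12, 28));
  return Buffer.concat([d.update(b.subarray(28)), d.final()]); // throws if tampered with
}

// Encrypt only the customer-selected fields under a fresh per-record data key,
// then store that data key wrapped (encrypted) by the current master key.
function encryptRecord(record, fields, kekVersion) {
  const dek = randomBytes(32);
  const out = { ...record };
  for (const f of fields) out[f] = seal(dek, Buffer.from(String(record[f])), f);
  out._enc = { fields, kekVersion, wrappedDek: seal(masterKeys[kekVersion], dek, kekVersion) };
  return out;
}

function decryptRecord(rec) {
  const { fields, kekVersion, wrappedDek } = rec._enc;
  const dek = open(masterKeys[kekVersion], wrappedDek, kekVersion);
  const out = { ...rec };
  delete out._enc;
  for (const f of fields) out[f] = open(dek, rec[f], f).toString();
  return out;
}

// Master-key rotation re-wraps the data key only; the field ciphertexts are left untouched.
function rotate(rec, newVersion) {
  const { kekVersion, wrappedDek } = rec._enc;
  const dek = open(masterKeys[kekVersion], wrappedDek, kekVersion);
  return { ...rec, _enc: { ...rec._enc, kekVersion: newVersion, wrappedDek: seal(masterKeys[newVersion], dek, newVersion) } };
}
```

Because each field name is bound in as associated data, a ciphertext copied from one field into another fails authentication on decryption.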

3. Vulnerability testing should be rigorous and ongoing

The cloud service provider should employ industry-leading vulnerability and incident response tools. For example, these tools enable fully automated security assessments that test for system weaknesses and dramatically shorten the time between critical security audits, from yearly or quarterly to monthly, weekly or even daily.

You can decide how often a vulnerability assessment is required, varying from device to device and from network to network. Scans can be scheduled or performed on demand.

4. Have a defined and enforced data deletion policy

After a customer’s data retention period (as specified in a customer contract) has ended, that customer’s data should be programmatically deleted.

5. Add protective layers with user-level data security

The cloud service should provide role-based access control (RBAC) features to allow customers to set user-specific access and editing permissions for their data. This system should allow for fine-grained, access control-based, enforced segregation of duties within an organization to maintain compliance with internal and external data security standards.
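A minimal sketch of role-based access control with an enforced segregation-of-duties rule, as an added example that is not from the article or any provider's product. The role names, permission strings and the conflicting pair are hypothetical.

```javascript
// Hypothetical roles and the permissions each one grants.
const ROLES = new Map([
  ['viewer',   ['record:read']],
  ['editor',   ['record:read', 'record:edit']],
  ['payer',    ['record:read', 'payout:create']],
  ['approver', ['record:read', 'payout:approve']],
]);

// Hypothetical segregation-of-duties rule: no single user may hold both permissions in a pair.
const CONFLICTS = [['payout:create', 'payout:approve']];

// Union of permissions for a set of roles; unknown role names are rejected, not ignored.
function permissionsOf(roles) {
  const perms = new Set();
  for (const r of roles) {
    if (!ROLES.has(r)) throw new Error(`unknown role: ${r}`);
    for (const p of ROLES.get(r)) perms.add(p);
  }
  return perms;
}

// Enforce segregation of duties at assignment time, before any access decision is made.
function assignRoles(user, roles) {
  const perms = permissionsOf(roles);
  for (const [a, b] of CONFLICTS) {
    if (perms.has(a) && perms.has(b)) {
      throw new Error(`segregation of duties: ${user} cannot hold ${a} and ${b}`);
    }
  }
  return { user, roles: [...roles] };
}

// Default deny: access is allowed only if an assigned role grants the permission.
function can(principal, permission) {
  return permissionsOf(principal.roles).has(permission);
}
```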

6. Get a virtual private cloud and network

Instead of using a multi-tenant instance, your cloud storage or software-as-a-service (SaaS) provider could spin up a cloud environment that is used only by you and in which you have complete control over and access to the data. Amazon Web Services (AWS) refers to this as a virtual private cloud (VPC). Customers can connect it securely to their corporate data center: all traffic to and from instances in their VPC can be routed to their corporate data center over an industry-standard, encrypted Internet Protocol security (IPsec) hardware VPN connection.

7. Insist on rigorous compliance certifications

The two most important certifications are:

  • PCI DSS: To achieve this certification, a SaaS provider has to undergo detailed audits to ensure that sensitive data (e.g., credit card data) is stored, processed and transmitted in a fully secure and protected manner. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
  • SOC 2 Type II: Helpful in internal risk management processes, regulatory compliance oversight, as well as vendor management programs, SOC 2 certification confirms that a cloud service is specifically designed and rigorously managed to maintain the highest level of data security.

Both of these certifications can offer useful comparative information for the cloud service providers you may be considering.

The above are just some of the key security provisions that any cloud service provider should build into its cloud service. Defense in depth is traditionally a matter of strict design principles and security policies distributed across a number of departments and areas of expertise.


Rahul Pangam is co-founder and CEO of fraud-detection startup Simility, which has $7.2 million in seed funding led by Accel Partners and Trinity Ventures and dual headquarters in Palo Alto, Calif., and Hyderabad, India.

Founded in 2014, Simility is already analyzing millions of transactions per week for customers on four continents as part of a limited beta release of its online fraud-detection platform.

Prior to Simility, Rahul was a director at Google, where he led a global team of 200 that reduced fraud in ads by 90 percent. He is a fraud-detection industry veteran, having spent more than six years at Google building teams responsible for fighting fraud and abuse in Google’s ads and its local and social products.

Prior to Google, Rahul was a lead engineer at General Electric, working on GE’s smart grid software products.

Rahul holds an MBA from the University of Michigan and M.S. in electrical engineering from Clemson University.

The opinions expressed in this blog are those of Rahul Pangam and do not necessarily represent those of IDG Communications Inc., or its parent, subsidiary or affiliated companies.