In 2018 more and more small businesses moved to the Cloud. As we kick off 2019, now is a great time to take a look at what’s new in the world of Cloud security.
GDPR compliance
The General Data Protection Regulation (GDPR) is a European Union (EU) data protection regulation that went into effect in May of 2018. This law concerns the privacy and personal data of all individuals within the EU and the European Economic Area (EEA). While it doesn’t directly impact US citizens, it does concern US businesses that have an online presence, and which may collect the personal data of people who reside with the EU or EEA. The primary impact with regards to cloud security involves compliance with GDPR in the event of a data collection and data breaches. In such cases, you are required to disclose what data is being collected, how long it is being retained, and whether it is being shared with any third parties. Data breaches must be reported within 72 hours and may be subject to significant fines.
Related reading: How GDPR affects US-based small businesses
Zero trust security
Over the years we have seen an increasing number of severe data breaches, as the number of malicious attacks rises exponentially. Small businesses are especially vulnerable to these attacks. As a result, we are seeing a new model of cybersecurity known as zero trust security. Traditional security is based on the castle-and-moat concept. It is difficult to gain entry, but everyone inside is trusted by default. This means that once an attacker gains access, they have free access and can do significant damage. Zero trust security functions by not trusting anyone, whether they are inside or outside. Verification is required by anyone attempting to gain access to resources. A zero trust approach can make the Cloud more secure, by using functions such as:
- Least-privilege access – giving users only as much access as they need
- Multi-factor authentication – requiring an authentifier in addition to the password, under certain circumstances
- Limited device access – limit device access and monitor access to ensure that only authorized devices have access
- Monitor the Cloud – monitor, analyze your traffic, both good and bad
Related reading: 2019 security trends
Beyond security to resilience
When we are talking about Cloud security, we are talking about protecting data. Everyone wants to avoid a data breach. For a long time, Cloud security has been about prevention and reaction. Now the conversation is beginning to shift towards a more proactive approach. This trend, called cyber-resilience, is focused on building resilience through the following ongoing process:
- Assessment – Evaluate the organization’s infrastructure. Run a risk assessment. Where are the security gaps? What endpoints are most vulnerable?
- Protection – Following the risk assessment, take necessary measures to secure your systems. The goal is to minimize the risk of attack by protecting all interactive systems, such as the Cloud.
- Monitoring – The best way to respond to an attack or a breach is to quickly identify the source. Monitor all systems, or hire someone to do it for you.
- Problem-solving – Determine precisely how and when various team members will respond in the event of an attack.
- Recovery – Design a backup and disaster recovery (BDR) plan and business continuity plan (BCP) in case of major downtime or a disaster.
At the end of the day, the aim is not merely to secure data. The goal is to have a business that is resilient enough to withstand breach attempts and malicious attacks and come out stronger on the other side.