A recent incident has left the voting records of 198 million Americans exposed. The data included the names, dates of birth, addresses, and phone numbers of voters from both parties. It also included voter’s positions on various political issues and their projected political preference. Although it is not unusual to collect this type of information, it should raise alarm bells that the platform hosting this data was not secured. This is the largest known data exposure in the United States, leaving the sensitive information of millions of Americans unprotected.
When it comes to protecting personal information and sensitive data, extensive measures should be taken to keep the information private and secure, however, that’s easier said than done. The growth and popularity of cloud solutions continues to drive more data beyond traditional IT security protections – into network environments no longer owned, managed or controlled by corporate IT teams. On premise IT security controls do not touch the cloud, leaving customer data at risk from the same types of threats targeting applications in corporate data centers.
While cloud providers deliver strong security controls to protect the cloud fabric, they have no knowledge of “normal” customer traffic and thus are unable to determine malicious content or activity from benign. To fully embrace the cloud, it is essential to understand where the balance of responsibility lies between protecting the cloud infrastructure (incumbent upon the cloud provider) and protecting the data that resides in the cloud (incumbent upon the customer). Security controls must now be shared between cloud providers and anyone using the cloud, thus it’s a common misconception to assume your cloud data is secure in and of itself. To avoid unintentional exposure or leaks of information in the cloud, you should employ the following best practices:
- Don’t assume your data is “automagically” protected – it can’t be expressed enough; it’s your responsibility to secure any data you place in the cloud. Cloud services are just like any other IT component which must be managed and secured using policies.
- Encrypt everything – the best strategy in the cloud is to use strong encryption for data in transit and at rest; anything less is not worthwhile. When using the cloud, all data and metadata should be encrypted at the edge, before it leaves your premises and makes its way to the cloud. A good rule of thumb is trust no one in the cloud, only yourself.
- Establish and enforce strong access control policies – Cloud providers are only responsible for safeguarding the infrastructure and not the customer environment (remember cloud security is a shared responsibility), thus it is up to you to put in place the correct safeguards to prevent unauthorized access.
- Avoid default / weak passwords – with so many cracking tools available today, anyone using the cloud should get in the habit of utilizing strong passwords. In particular, it’s wise to use passwords with more than 10 characters, incorporating multiple words and symbols.
With so much information now being virtually stored, we need to actively take the proper measures to protect our data in the cloud. Organizations should ensure cloud security is a top priority, as the RNC exposure is just one example of what could happen to many businesses if they leave their cloud data unprotected. Through diligent management, awareness, proper governance, and regular security updates, we can dramatically improve the security of our cloud-based assets and ward off future storms.