8 top tips for protecting your data when using Cloud applications
Even the largest corporations have had difficulty defending themselves against targeted data attacks from ‘hacktivist’ groups, highlighting the importance of ensuring sensitive data is kept secure.
With a significant rise in the popularity of cloud-based CRM and other corporate applications, many companies have devolved responsibility for the security of their data to the cloud application’s user access infrastructure. However, this can often be insufficient – particularly when only a password and username are required to access critical data.
IT security expert Chris Russell offers some advice on locking down access to cloud applications, enabling your business to leverage the benefits of cloud-based services:
1. Ensure users’ credentials are not stored within the application
Storing user information along with a cloud-based application is risky. Just one successful hack can leave the digital identities of your entire database compromised. The only way of ensuring that users are protected is by retaining local control of users’ digital identities within the corporate environment.
2. Do not rely on usernames and passwords to protect critical data
Many hack attempts are successful because attackers only need to crack a simple username/password combination. This makes it easy for anyone, even those with not much more than basic IT skills, to crack a system’s security shield.
3. Two-factor authentication should be the minimum standard
Strong authentication solutions add an additional layer of security to a corporate network. Adding a second tier of authentication – based on something that only the authorised user knows, combined with something that they have – means that IT managers can be confident that anyone accessing the network is the person they say they are.
4. Authenticating mobile devices is not enough
Increasing numbers of organisations have started migrating from token-based legacy systems, in favour of cheaper and simpler mobile phone-based options for their two-factor requirements. A number of solutions send a one-time-code as a text message to the user’s phone.
While this is a more secure approach than that offered by usernames and passwords, it does not confirm the identity of the user – only that the phone was present. For maximum security the user needs to apply something only known to them, to confirm they are who they say they are.
5. Authentication should be an enabler not a blocker
For authentication to be effective it must not add more than a few seconds’ delay to the access process and must be as simple to use as possible. Typically, the more hoops that a person needs to go through every time they log on to their desktop or application, the more people will look for a way around it.
6. Education, education, education
Many people associate hacking with sophisticated, technical know-how or clever Trojan software, yet most successful attacks result from nothing more than a simple phone call to an unsuspecting employee. In large organisations a classic example is pretending to be someone from IT doing routine maintenance.
Every person within an organisation needs to be fully aware of their responsibility for security and must be on their guard for the latest social engineering scam. If a call sounds suspicious, it probably is.
7. Two-factor authentication is for everyone, not just the boss
Traditionally, the trend with two-factor authentication has been to provide individuals with personal ID tokens. Their high up-front investment and support costs, however, have in many instances led them to be reserved for specialist user groups – while other employees have continued logging into corporate applications with usernames and passwords alone.
Today’s cheaper, token-less authentication platforms enable all employees to adopt the same standards. With two-factor authentication in place across the whole user base, one person unwittingly revealing their username and password credentials will not compromise the whole network.
8. Seek out expert advice
Today’s sophisticated hackers are continually finding new ways to circumvent firewalls, intrusion detection systems and AV technologies. With many companies moving more of their core applications to the cloud, security has to be right at the top of the planning agenda.
Fortunately there are now value-added resellers and system integrators that have recognised this need and have geared up their specialist capacity in this area.
Security is too important to leave to non-specialists and should be a central requirement for any organisation’s IT infrastructure.
Chris Russell is the vice president of engineering at Swivel Secure, a provider of two-factor authentication technology.