When it comes to security in the public cloud, you're on your own. Your cloud provider will not help protect your systems from hackers and other attacks beyond protecting its own infrastructure. However, with due diligence you can minimize your risks.
You have a significant role in security if you have servers in the public cloud. Do you know what that role is? It's the role of security manager, and it's a big job. What the job entails might be more than you're ready for -- particularly when you know that you have certain legal obligations and liabilities to maintain security on those systems. Yes, you read correctly. Your company has liability for security breaches that result in loss or damage to consumers or users of your systems.
Due diligence is your best defense. By complying with all computer data and security legislation, plus providing your dated documentation, you'll reduce your risk to near zero. While historically many such cases against companies haven't proven successful, new precedents and laws are in flux in these matters.
So what is due diligence when it comes to computer security, and how can you minimize your risks? The following guidelines will help you toward that end.
When it comes down to legal defense, your best defense is a strong offense. He who has the best documentation wins in courts of law. Draft written policies and procedures that define best practices, schedules, frequencies, and sources of security patches, updates, service packs and hot fixes. Implement those procedures with adequate documentation (i.e., dates, times, personnel, phone records and written summaries), and keep them readily available for easy shipping to your attorney's office.
Your personnel should perform maintenance patching on at least a quarterly basis. However, you should apply security patches as soon as vendors release them to you. A vendor-supplied security patch means they've uncovered a security flaw, and it's worth the time to notify you about it. You should practice the same amount of diligence with your server system's security patching as you do with your personal antivirus updating. In other words, assume all security patches are critical.
3. Security Management
Other than malware, viruses and Trojan horse programs, network breaches are the most common type of security compromises. Network security begins at your border routers and firewalls, and it ends at your server systems. Maintain a high level of vigilance with network security and intrusion detection services. Several excellent software packages are available to alert system administrators to changed files and to alert network administrators of any interesting connections to protected data stores and systems.
Some breaches and thefts come from inside the company itself. These breaches are difficult to prevent because of the number of people who support protected systems. However, access logs will provide investigators with enough information to catch the responsible culprit.
Most of the lawsuits filed against companies by individuals have failed to produce any damages or remuneration for the plaintiffs. They failed because the company responsible for the breached data demonstrated it had measures in place to prevent such occurrences and to mitigate them as they happen. In addition to showing due diligence in these matters, companies have also shown forthrightness in reporting breaches to customers and the public. Therefore, companies that have had data stolen generally are held not liable unless the circumstances are unusual.
Full disclosure and due diligence are the best defenses for companies that house or collect personal information. Your best defense is to maintain vigilance on your accounts and information in case of breached data. Contact the company immediately and change your account information.
Diligent Incident Reporting
- The type of information and number of records
- The circumstances of the loss
- Action taken to mitigate the breach
- Details of the breach investigation
- Regulatory bodies informed of the breach
- Preventative actions taken
Maintaining cloud-based server security isn't easy. It requires extreme caution and focused attention. If you're housing sensitive data on public cloud servers, you should expect hack attempts, denial-of-service (DOS) attacks and internal security breaches. By expecting them, you'll learn to disrupt them. Failing that, have a plan in place to fix what's broken when it breaks, be ready to tell everyone that it broke, and prepare how you will inform the media and your customers how you're fixing it.
Ken Hess is a freelance writer who writes on a variety of open source topics including Linux, databases, and virtualization. He is also the coauthor of Practical Virtualization Solutions, which was published in October 2009. You may reach him through his web site at http://www.kenhess.com.
Follow ServerWatch on Twitter