In recent years, enterprise computing architectures have changed significantly as organizations have migrated their business apps and data to the cloud. As a result, traditional security approaches have become insufficient to protect the integrity of business data in the cloud across devices, apps, networks, and cloud services. In this post, we present a checklist to help organizations understand the best practices for designing a security architecture that can better protect cloud data across the enterprise. However, we recommend that all organizations still conduct a separate analysis of their cloud architectures to identify potential security gaps and ensure the current deployment meets relevant industry compliance requirements.
1. Enforce encryption and password protection
Password protection is like locking something in a safe deposit box: nobody can access the locked content without the right combination. This method is used for individual documents, folders, and other data that the computer user wants to protect from anyone else who accesses the device. The problem is that if someone gets the password or finds a way around it, the content can be revealed despite the owner's effort to keep it hidden. Unfortunately, attackers can obtain a password or break in in many different ways.
The encryption of passwords is a step forward from password protection. When you set up “password encryption,” you create a password, and it is encrypted in a file. A specific decryption key or password is required to reverse the process and decrypt the data. Encryption is a requirement under the United States’ Health Insurance Portability and Accountability Act (HIPAA) and GDPR. To protect against unauthorized access, organizations should also use multifactor authentication (MFA) and biometrics such as fingerprint or facial recognition to support the device.
2. Prevent business apps from sharing data with personal apps
Smartphone users have long suspected that some apps listen to their conversations to target ads at them. Several Android apps can share image and video data with third parties without your knowledge. In business email, for example, end users can receive attachments and then open these documents in other applications such as PDF readers or document editors. Once an application opens a document, it can store or transmit that document outside IT control. To prevent unauthorized data sharing, IT therefore needs to apply restrictions that stop users from copying and pasting business content into personal apps, or from sending corporate files and email attachments to private cloud drives or email addresses. No company app on the device should be allowed to export data to a personal application.
3. Automatically delete business data from compromised devices
Mobile devices often fall out of compliance because of security problems such as jailbreaking, rooting, or malware. Remediation measures should be automated and should not require any manual IT intervention. If the compliance problem is severe, the business data should be removed from the device automatically. Closed-loop compliance, from detection to remediation, is crucial for risk mitigation. The longer a compromised device contains business information, the higher the risk of a violation. To protect privacy, IT should be able to remove the business data from the device without deleting personal data.
4. Tunnel business traffic without tunneling personal traffic
Just as the previous point requires separating business and personal data on the device, tunneling business traffic requires a similar separation on the network. A device-wide VPN can send both business and personal data through the corporate network, which can jeopardize personal privacy. A per-application VPN, on the other hand, can be configured to send only business app traffic via the corporate network, protecting that traffic while preserving the privacy of the end users’ personal communications.
5. Stop unauthorized devices from accessing business cloud services
Most organizations operate business cloud services from multiple vendors. If an unauthorized device gains access to any of those services, the data becomes vulnerable and can slip out of IT's control. This often happens when an end user downloads a company app to a personal device for convenience. Business data should never be on a device unless IT can delete apps and control data sharing on it. IT must be able to implement these security controls across all of its business cloud services, irrespective of the supplier, so that it can prevent unauthorized devices from accessing business data.
6. Stop unauthorized apps from accessing business cloud services
IT must ensure the security of all devices and applications that have access to the cloud service. Data can be lost even when the device is safe if the app is not secure. This can happen when users download business applications directly from consumer services such as the Apple App Store or Google Play rather than from an internal company app store. Though the app appears to be the same and runs on a safe device, IT will have no ability to delete it or control how it shares data. IT must also stop unlicensed applications from accessing any business cloud services.
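One way to express the closed-loop decision that items 3, 5 and 6 describe, written as an added example that is not part of the original post. The `CheckIn` record, its field names, the choice of which findings count as severe, and the storage model are all assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"                    # deny cloud access, device untouched
    SELECTIVE_WIPE = "selective_wipe"  # remove business data only, then deny

@dataclass(frozen=True)
class CheckIn:                     # hypothetical posture record, one per access request
    device_id: str
    managed: bool                  # enrolled: IT can delete apps and control sharing
    rooted_or_jailbroken: bool
    malware_detected: bool
    app_from_company_store: bool   # False: installed from a consumer app store

def decide(c: CheckIn) -> tuple[Action, str]:
    # Item 3: severe findings trigger removal of business data with no manual step.
    # Which findings are "severe" is a policy choice; this split is an assumption.
    if c.rooted_or_jailbroken or c.malware_detected:
        # Only a managed device holds business data that IT is able to wipe.
        if c.managed:
            return Action.SELECTIVE_WIPE, "compromised device"
        return Action.BLOCK, "compromised device"
    if not c.managed:                  # item 5: unauthorized device
        return Action.BLOCK, "unmanaged device"
    if not c.app_from_company_store:   # item 6: unauthorized app
        return Action.BLOCK, "app not from company store"
    return Action.ALLOW, "compliant"

def remediate(action: Action, storage: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return device storage after remediation; personal data is never touched."""
    if action is Action.SELECTIVE_WIPE:
        return {**storage, "business": []}
    return storage

# Constructed sample check-ins, not real telemetry.
SAMPLES = [
    CheckIn("dev-1", True, False, False, True),    # compliant
    CheckIn("dev-2", True, True, False, True),     # rooted, managed
    CheckIn("dev-3", False, False, False, True),   # personal, unmanaged device
    CheckIn("dev-4", True, False, False, False),   # consumer-store copy of the app
]

if __name__ == "__main__":
    for c in SAMPLES:
        action, reason = decide(c)
        print(c.device_id, action.value, reason)
```

The ordering matters: compromise is checked first so that a rooted but enrolled device is wiped rather than merely blocked, which keeps the window in which it holds business data as short as possible.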
7. Detect and remediate zero-day exploits
The prior controls reduce the risk of data loss. Bad actors, however, always discover new vulnerabilities in hardware and user behavior. Ongoing analysis of device, app, and network threats allows IT to respond to new threats quickly.
8. Provide rich security controls for all operating systems
It’s not just a Windows world anymore. Today, most companies support a range of operating systems. Older operating systems such as Windows 7 have legacy security tools, while modern operating systems such as Android, iOS, macOS, and Windows 10 have evolved to provide unified, cross-platform security solutions. IT should select a solution that offers rich controls that take full advantage of the native security frameworks of the different operating systems.
9. Certify for device security
Common Criteria is an international standard for the certification of computer security. The Mobile Device Management (MDM) profile sets requirements on how security policies can be applied on mobile devices that process company data and connect to business network resources. Common Criteria certification is often a requirement of government and high-security institutions.
10. Certify for cloud security
Any cloud-based mobile security solution should have a SOC 2 Type 2 report with a detailed description of the auditor’s operational and compliance tests. These tests ensure that the controls on the security, availability, processing integrity, confidentiality, and privacy of the provider’s systems are adequate. The FedRAMP Authority to Operate (ATO) is a formal US certification that also recognizes that the supplier has passed the security requirements of the federal risk management process. IT should confirm that its cloud-based security solutions hold these certifications.