Today’s enterprise is mobile, flexible and elastic. Many organizations utilize mobile apps for business applications, hire remote employees, use smartphones or tablets, store information in the cloud, communicate their data with multiple offices and employ contractors. All of these cases rely on access to data from any location. With all of these endpoints to cover, how can you best protect your assets?
According to the report, The Treacherous Twelve: Cloud Computing Top Threats in 2016, “A single vulnerability or misconfiguration can lead to a compromise across (all customers in) an entire provider’s cloud. The compromise of an integral piece of shared technology such as the hypervisor, a shared platform component, or an application in a SaaS environment exposes more than just the compromised customer; rather, it exposes the entire environment to a potential of compromise and breach. This vulnerability is dangerous because it potentially can affect an entire cloud at once.”
In order to protect this massive amount of mobile data and information that lies in shared and mobile environments, there are a few key security tenants to master.
Enterprise Mobility and Protecting Your Data
1. Segregate Your Data Logically
Part of protecting your data is to segregate it strategically. The Open Web Application Security Project (OWASP) notes in its Cloud Top Ten Security Risks that security for mobile, shared technology and multi-tenant environments should focus primarily on the logical segregation of customer environments. For example, IT security managers should:
- Identify if enterprise data is mingled with data from other customers in tables or backups, making it difficult or impossible to properly archive or destroy.
- Ask the cloud provider to ensure that all customers hosted on the same physical server maintain a similar security posture, so attackers can’t enter through the weaker customer’s cloud and leak into the more secure enterprise’s cloud.
2. Perform a Comprehensive Security Audit
OWASP also recommends that enterprise security managers perform a security audit or assessment of its cloud environment, in part covering administrative access to all layers (operating system, networking, application, databases). The audit should also cover architecture, data encryption and management. If your cloud service provider won’t allow you to conduct an audit, OWASP suggests the enterprise should request security testing by an independent third party.
A security audit determines whether your cloud provider is following industry best practices, such as patching and updating operating systems and applications. An audit might even reveal surprising areas where the cloud provider has security controls that your enterprise lacks.
3. Isolate Customer Data and SystemsAre you properly isolating your organization’s most crucial customer data, especially in a mobile environment? Much of the burden here falls on your cloud host. A cloud provider must carefully isolate data and systems for each customer at the infrastructure level, so vet your chosen provider to make sure they are doing this. In a multi-tenant environment, a provider must ensure that an attacker cannot escape an instance of an operating system, gain administrative-level rights on the server, and access another customer’s instance on that server.
4. Detect Issues EarlyEarly detection of potential security breaches in a mobile enterprise is crucial for a strong security strategy. For example, Microsoft Azure uses “innovative behavioral analytics and anomaly detection technologies” to alert customers of vulnerabilities. By monitoring activity on the network and knowing what red flags to look for, your IT manager will be able to stay on top of threats as they arise.
In order to truly protect your most sensitive data, we recommend not placing it in shared environments or on mobile devices. Hold your cloud providers accountable for security, so your security managers can manage the risk that someone can interfere with your cloud or network operations. To further protect integral systems, enterprises should follow security best practices to protect both cloud and onsite information.NEXT STEPS: Read our tech brief for additional tips and best practices for protecting data in multi-tenant environments -- Cloud Security Tips for Protecting Shared Technology.