A recent global study from Intel Security found that over the next year, 80 percent of IT budgets at organizations throughout the U.S. will go to cloud computing services. Even as large volumes of sensitive data move to the cloud, the risks have not gone away: according to the same study, only 13 percent of IT security professionals completely trust public cloud providers to secure sensitive data, and 66 percent believe senior management does not fully understand the risks of storing sensitive data in the cloud.

Risks get overlooked when an organization assumes the provider has taken care of security on its behalf. Encryption and redundancy are not necessarily enabled by default in the cloud, and access to cloud resources still has to be managed by the customer; the provider secures the underlying platform, but what you put on it is your responsibility.

The biggest infrastructure-as-a-service (IaaS) cloud is Amazon Web Services (AWS), which hosts big hitters like Netflix, Expedia and Adobe. Among small and medium-sized organizations, other players like Microsoft's Azure and Rackspace are also strong options and are catching up, but AWS's documentation is easier to follow and better organized, so the examples below refer to AWS.

Extending Your Controls to the Cloud

Each year, AWS undergoes an examination of the design and operating effectiveness of its control environment and receives a SOC 1 (Service Organization Control) audit report on the adequacy of those controls. A SOC 1 report of this kind assumes that the customer has certain complementary controls in place on its own side; AWS's control objectives are only met if the customer does its part. AWS therefore expects its customers to implement policies, procedures and controls that include:

  • Encrypting sensitive data at rest and in transit over the network – Do not assume encryption or redundancy is switched on; check the setting on each service you use and enforce it. If you store sensitive customer information in the cloud, encrypt it: TLS for data moving over the network, volume or bucket encryption for data at rest and, for the most sensitive fields, application-level (column-level) encryption so the data is unreadable even to someone who obtains a copy of the database. Column-level encryption of the sensitive fields is typically sufficient for small to medium-sized organizations.
  • Data stored on Amazon EC2 virtual disks should be proactively copied to Amazon EBS and/or Amazon S3 for redundancy – AWS does not back up your data for you unless you contract for that as a separate service. Instance-store (ephemeral) disks are lost when the instance stops or its hardware fails, and even an EBS volume is a single copy. Do not keep all of your data in one spot or rely on one copy: if you host a web application with AWS, take EBS snapshots frequently, copy them to another region or account, and consider sending backups to your locally-hosted servers as well. Test restores regularly; a backup that has never been restored is not a backup.
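On AWS the encryption requirement in the first bullet can be made non-optional with an S3 bucket policy: one explicit Deny for requests that arrive without TLS, and one for uploads that do not ask for server-side encryption. The script below is an added example for this article, not AWS code or the author's. The two policies are constructed samples (the bucket name, account ID and role name are made up) and the checker only recognises the two conditions it is looking for; it is a lint, not a full IAM policy evaluator.

```python
"""Lint an S3 bucket policy for the two explicit Deny statements that make
encryption in transit and at rest mandatory rather than optional.
Added example for this article, not AWS code; bucket and role names are made up."""
import json

# Constructed sample: grants read access only, enforces no encryption.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-data/*",
    }],
})

# Constructed sample: same grant plus two Deny statements. In IAM evaluation an
# explicit Deny always wins, so a later Allow cannot reopen these paths.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-data/*",
        },
        {   # refuse any request that arrives over plain HTTP
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-data",
                         "arn:aws:s3:::example-customer-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # refuse uploads that do not ask for server-side encryption
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-customer-data/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
})


def _as_list(value):
    """IAM fields may be a string or a list of strings; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _covers(statement, action):
    """True if the statement's Action matches `action` exactly or by wildcard."""
    return any(p in ("*", "s3:*", action) for p in _as_list(statement.get("Action", [])))


def _deny_with(statement, operator, key, value):
    """True if the statement is an explicit Deny whose Condition uses
    `operator` (e.g. "Bool", "Null") on `key` with the given string value."""
    cond = statement.get("Condition", {}).get(operator, {})
    return (statement.get("Effect") == "Deny"
            and str(cond.get(key, "")).lower() == value)


def denies_insecure_transport(policy_json):
    """Plain-HTTP requests are refused for both reads and writes."""
    return any(_deny_with(st, "Bool", "aws:SecureTransport", "false")
               and _covers(st, "s3:GetObject") and _covers(st, "s3:PutObject")
               for st in json.loads(policy_json)["Statement"])


def denies_unencrypted_puts(policy_json):
    """PutObject without an x-amz-server-side-encryption header is refused."""
    return any(_deny_with(st, "Null", "s3:x-amz-server-side-encryption", "true")
               and _covers(st, "s3:PutObject")
               for st in json.loads(policy_json)["Statement"])


def audit(policy_json):
    """Return the encryption controls the policy is missing (empty means ok)."""
    findings = []
    if not denies_insecure_transport(policy_json):
        findings.append("plaintext HTTP allowed: no Deny on aws:SecureTransport=false")
    if not denies_unencrypted_puts(policy_json):
        findings.append("unencrypted uploads allowed: no Deny on missing SSE header")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit(policy) or 'ok'}")
```

Two caveats before copying the hardened policy into a real bucket. The `DenyUnencryptedUploads` statement rejects any client that relies on the bucket's default encryption setting instead of sending the header explicitly, so roll it out after checking your upload paths; S3 has applied SSE-S3 to new objects by default since January 2023, which makes this statement most useful for forcing SSE-KMS or for older accounts. The TLS Deny has no such side effect and is the one that closes the in-transit gap. For EC2 volumes the equivalent control is the account-level "EBS encryption by default" setting rather than a policy.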

Best Practices

Organizations also remain responsible for identity and access management in the cloud. Some best practices for securing access to your AWS environment include:

  • Lock away your AWS account (root) access keys – The root account has unrestricted rights over everything in the account, so it should not have access keys at all; delete any that exist rather than trying to protect them. The root password should be long and complex, stored securely and known to a very small number of people. Day-to-day administrative tasks should be performed under individual IAM identities with only the permissions they need, never under the root account.
  • Enable MFA (multi-factor authentication) for privileged users – The AWS console is reachable from the internet, so anyone who guesses, phishes or reuses a password can attempt to sign in. Requiring a second factor on the root account and on every user with administrative privileges (ideally on every console user) means a stolen or guessed password is not enough on its own.
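Both of these controls can be verified from the IAM credential report, which lists every identity in the account (the root account appears as `<root_account>`) with its password, MFA and access-key status. The script below is an added example for this article, not AWS tooling or the author's code. The CSV is constructed sample data using a subset of the report's real column names; the fixed "now" and the 90-day rotation limit are choices made for the example, not AWS requirements.

```python
"""Audit an IAM credential report for the root-key and MFA controls.
Added example for this article (not AWS code). The CSV below is constructed
sample data; the column names are a subset of the real report's columns."""
import csv
import io
from datetime import datetime, timezone

# A real report comes from:  aws iam generate-credential-report
#                            aws iam get-credential-report   (base64-encoded CSV)
# Dates are ISO 8601 with offset; "N/A", "not_supported" and "no_information"
# appear where a value does not apply.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,2016-01-05T09:12:00+00:00,false,true,2014-03-02T10:05:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2016-01-04T17:40:00+00:00,true,true,2015-12-01T08:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2016-01-03T11:00:00+00:00,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,no_information,false,true,2015-02-01T08:05:00+00:00,false,N/A
"""

# Fixed reference time so the sample gives stable output; use
# datetime.now(timezone.utc) against a real report.
SAMPLE_NOW = datetime(2016, 1, 6, tzinfo=timezone.utc)


def parse_report(csv_text):
    """Return the report as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(csv_text, now, max_key_age_days=90):
    """Return human-readable findings. `now` must be timezone-aware so it can be
    compared with the report's offset-bearing timestamps; the rotation limit is
    a policy choice for this example, not an AWS requirement."""
    findings = []
    for row in parse_report(csv_text):
        user = row["user"]
        active_keys = [n for n in (1, 2) if row[f"access_key_{n}_active"] == "true"]

        if user == "<root_account>":
            # Root is all-powerful: it should have no keys at all, and MFA is a must.
            if active_keys:
                findings.append("root: active access key(s) present; delete them")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            continue

        # Anyone who can sign in to the console with a password needs a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password enabled but MFA not active")

        # Long-lived keys are the ones that leak; flag anything past the limit.
        for n in active_keys:
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append(
                    f"{user}: access_key_{n} last rotated {age} days ago "
                    f"(limit {max_key_age_days})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT, SAMPLE_NOW):
        print(finding)
```

Run against the sample, the script flags the root account twice (active key, no MFA), the console user without a second factor, and the automation user whose key has not been rotated in almost a year; the user with MFA and a recently rotated key produces no finding. Scheduling this against a freshly generated report is a cheap way to catch drift between the policy on paper and the account as it actually is.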

Visit bswllc.com to request a copy of "5 Reasons Your CEO Needs to Make Sure Your Data is Secure in the Cloud." Contact Bill Gogel, IT Audit Manager, Advisory Services at Brown Smith Wallace, at 314.983.1363 or bgogel@bswllc.com to learn more.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.