I recently had a conversation with colleagues who work in roles related to Cloud Technology but not in a technical capacity. Our conversation focused on Cloud Security – why it is important and what key concepts they should understand.
Why it is important.
For those working with Cloud Technology, but not in a technical capacity, it may not be your core responsibility to answer deep-dive questions about cloud security,.. we have I T Security and Compliance teams for that. However, it can be refreshing for clients (internal and external) to know that we think about cloud security and that we are not completely ignorant on the topic.
If you are just getting started on your journey to understanding cloud security, and you’re figuring out where your role as a Technology professional ends and your I T Security and Compliance teams responsibility begins, here are five things that you should know about Cloud Security to get you started. I encourage you to research each topic and to begin discussing it with others.
1. Shared Space.
Publishing software and services on a cloud platform, and making it accessible over the web, often means that your “digital stuff” sits on the same physical computing machine (computer or server) that is also used by other entities. However, it is done so in a way that each entity is contained in its very own container (container = a self-contained virtual space) that is not aware of the other containers on that machine. This also means that good cloud providers ensure that processes are in place to prevent other customers from accessing your container.
2. Trusted API Platforms/Environments.
An Application Program Interface (API), is a layer between different parts of a computer program. It is intended to simplify the process of connecting to a program or computing system. Though companies can build and host their own API, it is now very popular for companies to use an API Management Platform or a Cloud API provider to give their customers a simplified way to connect to their services and data. Using an API Management Platform or Cloud API provider can help protect an API from hackers and help manage how internet traffic impacts your applications. It is important to ask which API Management Platform or Cloud API environment is being used when connecting your application to another company’s API. Do you trust the API Management Platform or Cloud API environment that they use?
3. Secure Transfer (HTTP vs HTTPS).
HTTP stands for HyperText Transfer Protocol. HTTP uses a specific set of procedures, known as Transfer Control Protocol (TCP), to send and receive data over the web – allowing computing machines to communicate with websites. HTTP is typically thought of as an unsecured way to communicate over the web even though security measures can be put in place to protect it.
HTTPS stands for HyperText Transfer Protocol Secure and it also uses TCP to send and receive data over the web but it has an extra layer of security in place that tells web browsers (Chrome, FireFox, Safari) that the connection is trustworthy. HTTPS does this by issuing an SSL Certificate (Secure Sockets Layer Certificate), which is authenticated and signed by a Certificate Authority (CA). A CA is like a Judge who writes a court order indicating that the way your website sends and receives data over the web is trustworthy and that order has the Judge’s signature on it so everyone knows that it is official. Overall, a website that uses HTTPS means that it is connecting to your machine in a secure way and that secure connection is indeed trustworthy.
Note: It does not mean that those who created the website do not intend to do harm to you. It just means that the data sent between your machine and the website will not be seen by those scanning the public web.
Note: Each web browser has a specific list of Certificate Authorities that it trusts. Typically, when you see a padlock symbol in the top left corner of the browser then the website that you are visiting is using HTTPS and has a certificate signed by a Certificate Authority that the browser trusts.
We often talk about encrypting data at rest and in transit. However, we often don’t ask how it is being accessed by services and applications within the same entity. What happens when two cloud applications owned by the same company, on the same server and/or in the same container talk to one another? What happens when data is deleted? Start asking these questions.
The greatest security threat is employees. Your company should have a training plan to educate employees on how to handle potential cloud security threats, a knowledge base library for where to learn about the topic and directions on who to contact in the event of a potential threat. As for the training strategy for non-technical employees, its very simple: Train them on security and then train them again … and then train them again.
If you have more cloud security topics for Non-Technical Technology Professionals that you’d like to share, feel free to message me via Linkedin.