Below is one of Tom K's articles that we have used to frame our thinking about Security. I hope that you find it useful and if you do have a need for expert services, please reach out to Tom K. If you have questions about Barefoot and our cloud-based system, please contact us at firstname.lastname@example.org.
Security When In the Cloud
By Tom K
We’ve all been hearing “You’re safe when you’re in the Cloud!” from Cloud system vendors with increasing frequency. It’s just NOT TRUE! Just because some of your services may be hosted off site does not mean your data is any less vulnerable. You can’t afford to let your guard down.
In this month’s newsletter I point out the security threats you need to be aware of in the Office and in the Cloud, and how to mitigate their effects.
In the Cloud?
Most environments are now hybrids, having some IT elements in the Cloud and some in the local office. We still see a few companies utilizing no cloud services and fewer having all of their IT services in the Cloud. But regardless of the percentage of services/data you have moved to the Cloud, as long as you have PCs and Users, your company and your data are at risk. Moving some or all of your services and data to the Cloud just adds threat vectors to the mix.
Users - your #1 Threat Vector
You all have staff. Most of the issues we see (both in the Office and in Cloud based systems) are caused by Users - through Ignorance, Carelessness, and occasionally through Maliciousness.
Ignorance relates to Users not being informed as to what is acceptable or unacceptable use of company computing resources (if you haven’t told them they can’t, you can have no expectations that they won’t), and not understanding cyber protections (if you haven’t taught them the pitfalls, you can’t get upset when they do something foolish). The ignorant user can put your company’s local and Cloud data at risk without a clue!
You should provide clear guidance on unacceptable use of company resources through a published Corporate IT Use and Abuse policy (see Employee IT Use & Abuse Policy).
Consider different methods of educating your staff, like monthly Lunch & Learns, and weekly required readings. Present articles that are entertaining as well as informative to keep them interested, like Phishing Got ME!!!
Carelessness relates to staff inadvertently changing, damaging, or deleting files or data. It doesn’t matter whether the data lives On-Premises or in the Cloud, if they can get to it, eventually someone will have a mishap.
You can mitigate inadvertent data damage by limiting access to data by user role. Only Accounting folks can get to Accounting data, and only Rentals staff can get to Rentals data. We’ve found that when they own the data they can get to, they are much more careful with it. See how to set this up here: Simplify Data Organization and User Management. While the article was written for On-Premises file storage systems, the concepts transfer well to Cloud based file storage, as well as Cloud PMS systems. And don’t give your reservationists administrative access to your Property Management Systems. Only allow access to what they need to do their job!
But, no matter how well you protect access to your data, at some point someone will mess something up. Hence, the absolute importance of Backups! If any of your data lives on site, you must have a backup system in place, and you must test it regularly (see Backup the Company Jewels!).
If you have data in the Cloud (email, PMS, file storage, web site pages and content), ensure that the vendor responsible for your Cloud data is backing it up. Get written confirmation in your contract as to the frequency and manner of backup, what kind of systems are used, how often it is tested, and the backup system’s granularity (if a single file or email or reservation record is damaged, can that single element be easily restored?). Some vendors charge extra to back up “everything”, and some charge extra to restore data that was not damaged due to their neglect, so make sure you understand their terms.
Maliciousness is pretty clear cut. An employee gets angry and slices your tires and trashes your data. Controlling access to your data by user role as mentioned above is a good first step, but ensuring all of your employees have secure passwords (and don’t share them) is also very important. It doesn’t matter if you’ve isolated access to your financials if the accountant’s password is her husband’s first name. (See Secure Passwords). This is just as important with your data systems hosted in the Cloud. Ensure that the Vendor requires secure passwords, and that each Cloud system user has to have a unique ID and password.
Taking this a step further, ensure that your administrative accounts (locally and on your Cloud systems) have very secure passwords and that they are known by very few senior staff.
I mentioned the Corporate IT Use and Abuse policy earlier as a device to educate your users. It also plays the role of protecting your data and your legal rights. The policy should state that all data belongs to the company (whether stored locally or in the Cloud), that it can’t be deleted without authorization, and that the company has the right to access any files or emails stored on company systems. While these protections may not stop an unhappy employee from being malicious, they will give you the right to prosecute him and examine everything he has left on your systems.
And while having excellent backups of all your data as discussed above can restore the damage to your data done by the malicious employee, those same backups can also provide a historical paper trail of the past personal information he has stored on and deleted from your systems if you need to go after him.
PCs – your #2 Threat Vector
You all still use PCs/Laptops/Macs and they continue to be the #2 Threat Vector in your environment. Most “nasties” that arrive in an environment arrive via an end-user device. No matter where your services are hosted, you need to keep these end-user devices protected. If a single PC is controlled by unauthorized Remote Access or through a Virus/Trojan, the bad guy is just one step away from your Company Jewels, be they on a local server or in the Cloud.
As I’ve mentioned in previous articles, the best end-user device protection is provided by centrally managed Anti-Virus, OS and Software Updates, and Spam Removal systems. These very important protections are detailed here:
Protect Your Company from Viruses and Malware with Enterprise Anti Virus Systems
Centrally Manage Microsoft Updates Across Your Enterprise
Got Spam? Eradicate Spam and Email Viruses BEFORE they get to Your Environment
You also need to ensure that the local PC firewalls are active, or that properly configured perimeter firewalls are protecting your offices.
Finally, provide strict controls on who installs Remote Access software on what devices, and on the strength of passwords used when setting up Remote Access to company devices, as noted here: “Hacked via Remote Access!”
If you have servers on site, put them behind a locked door. If you are trusting your data to the Cloud, ensure that the server on which your data is being held is physically secured within a physically secured facility.
When your data is hosted On-Premises, you know you are responsible for it and you take all steps necessary to ensure its safety. When data is in the Cloud, the data owners often assume that the vendors taking responsibility for this critical data are taking the same extensive steps to ensure its safety. Sometimes this is the case, sometimes it isn’t...
As the owner of the data, be it your email, financials, property management data, document systems, etc., it is your responsibility to perform due diligence and vet those vendors who are holding your data. Some things to investigate or possibly have clarified in your contracts are:
- Physical security of the Facility
- Physical security of your data and the server on which it lives
- Where will your data live (Topeka or Beijing?)
- Access restrictions (physical and electronic)
- Network Security
- Backup systems
- Anti-Virus systems
- If email systems, Spam protection systems
While vetting a Cloud system vendor, you also need to be concerned with the availability of your systems, be they for internal use or Client facing. Be sure to investigate:
- Facility Resiliency (redundant power, backup power, generators with fuel for xx days)
- Network Resiliency (redundant high bandwidth Internet connections)
- System Resiliency (fail-over systems or load balanced systems in multiple locations)
There is a lot here, but it is important to understand that your data is at risk no matter where it lives. And, you are ultimately responsible for its safety, as your company’s continued existence depends on it.
If you have any questions or concerns with this material, or would like assistance addressing any of the elements covered, I’ll be happy to discuss this with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.