TECH INTELLIGENCE: Get off of my cloud

Moving operations off of local devices offers many advantages, but also poses risks

Carl Mazzanti//May 1, 2023//


TECH INTELLIGENCE: Get off of my cloud

Moving operations off of local devices offers many advantages, but also poses risks

Carl Mazzanti//May 1, 2023//

Listen to this article

Many IT service providers urge their clients to move their digital operations and data off of local devices and onto the cloud, a system of servers in data centers that may be dispersed all over the world. The pitch typically includes selling points like security, since virtual private clouds, encryption and other features can help keep data secure.

It sounds great and migrating to the cloud can offer a lot of cost savings and other benefits — but like everything else, security measures are only as good as the people who provide them. Recently, users of Mailchimp, an email and marketing automation platform owned by tech giant Intuit, figured that out when the company announced that “an unauthorized actor” had accessed a tool “used by Mailchimp customer-facing teams for customer support and account administration.”

The hacker supposedly only gained access to a limited number of accounts before preventative measures were taken. But the cyberattack highlights the fact that operating in the cloud does not, by itself, guarantee security. Indeed, the degree of protection offered by cloud security service providers, like other cybersecurity, depends on a layered approach that addresses a variety of issues.

One basic step involves researching the cloud provider itself.

Being proactive: Does the organization invest in security and take preventative measures, like having dedicated teams to track how security threats and attacks change over time so the provider can evolve its defenses?

Maintaining data security: When data moves from the client’s computer into the provider’s cloud, is it automatically encrypted? Encryption means that even if the data is somehow intercepted, it will not be accessible to anyone who does not have the file-specific encryption key.

Limiting access: How secure are the provider’s facilities? Ideally, the only people with physical access to the servers holding client data will be those doing maintenance on them.

Security is not all on the cloud provider, however. Internally, companies should be taking appropriate steps to reinforce their digital security. Best practices include:

Strong passwords: They should be reasonably random and complex (which rules out “Password,” “123,” birthdays, or addresses). They should also change periodically. Unique passwords should be developed for different applications — if one account does get compromised, other applications will still be safe.

Limit access: File permissions should be restricted so an individual’s ability to access a file is based on their need to see it.

Know your employees and partners: Employees and partners should be periodically vetted for any potential security concerns.

Train your employees and inquire about your partners’ training: According to Mailchimp, the bad actor “conducted a social engineering attack on Mailchimp employees and contractors and obtained access to select Mailchimp accounts using employee credentials compromised in that attack.”

Social engineering or “phishing” schemes try to trick users into giving up sensitive information or clicking on links that load viruses or malware onto their system, which enables the bad actor to gain access to sensitive files. To guard against this, companies should periodically educate and train their employees – and conduct inquiries about their partners’ training and testing –regarding these kinds of attacks. The periodic educational sessions may also be supplemented by having a cybersecurity managed services provider conduct simulated attacks and penetration testing to identify any vulnerabilities.

For example, a penetration tester, or “pentester” may send employees an email with a link to files that have malware. Another test involves sending staff members an email advising them they’ve won a vacation — but if they click on the link, the pentester gets access to the target’s corporate account. Tests like these will generally include analytics on how many employees clicked the bad link and which employees were the biggest threat to company security.

eMazzanti Technologies President Carl Mazzanti

Cloud-based systems offer a new level of efficiency, cost-savings, convenience, and – when constructed and maintained properly – security. But everyone, from technology providers and policymakers to business owners and employees, has a role to play when it comes to securing sensitive data. Forward-thinking organizations will make smart, proactive security decisions to protect their business.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken.