
Best Practices for Cloud Security in 2023

More utilities are looking towards cloud data storage these days: this technology has many advantages, but also requires greater cognizance of security issues. When data centers were in-house, the organization concerned was solely responsible for cybersecurity. With a cloud-based system, there is a shared responsibility. This article delineates some of the main security challenges of 2023.

 

1. Understand the Shared Responsibility Model

The shared responsibility model has the cloud customer ultimately responsible for cloud security, but the cloud services provider takes on some security responsibilities. Leading IaaS and PaaS providers, such as AWS and Microsoft Azure, provide documentation to define roles in various deployment situations. It is important to understand where responsibility lies, and ensure that best practice is followed.

 

2. Ask a Potential Cloud Provider Detailed Security Questions

In addition to clarifying shared responsibilities, organizations should ask their public cloud vendors detailed questions about the security measures and processes they operate. The goal is to identify a provider whose security fits hand-in-glove with your own needs.

Important questions are:

  • Where do the provider’s servers reside geographically?
  • What is the cloud data protocol for suspected security incidents?
  • What is the provider’s disaster recovery plan?
  • What measures does the provider have in place to protect various access components?
  • What level of technical support is the provider willing to provide?
  • What are the results of the provider’s most recent penetration tests?
  • Does the provider encrypt data while in transit and at rest?
  • Which roles or individuals from the provider have access to the data stored in the cloud?
  • What authentication methods does the provider support?
  • What compliance requirements does the provider support?

If these answers are not satisfactory, then it is advisable to look for a different provider: the marketplace is large and so this should not be difficult.

Inadequate security measures might expose a utility's data to illegal access, theft, or data loss. This puts an organization's data confidentiality, integrity, and availability at risk. At worst it could imperil power supply to consumers and invite financial and legal problems.

 

3. Use an Identity and Access Management System

Unauthorized access is a major concern with public cloud security. Organizations should deploy comprehensive identity and access management systems to minimize risk.

Companies need to enforce access based on the concepts of least privilege and zero trust. This entails restricting user access to only what is required for their tasks and approaching all access requests with care. Privileged access management (PAM) can help secure access for the most sensitive accounts.

 

4. Train the Staff Regularly

To prevent hackers from obtaining access credentials for cloud accounts and services, firms must train all employees on how to identify and respond to cybersecurity risks.

Organizations should implement cybersecurity awareness training for all staff, addressing issues like these:

  • Identifying cybersecurity threats
  • Creating strong passwords
  • Recognizing social engineering attacks
  • Risk management

The training should emphasize the risks of “shadow IT”, which occurs when employees use unapproved applications, tools and devices, and which can open vulnerabilities to hackers.

 

5. Establish and Enforce Cloud Security Policies

All organizations should have written policies that specify who can use cloud services, how they can use them, and what data can be stored in the cloud. These documents need to specify the security technologies that all staff must use to protect data and applications in the cloud.

Company management should ensure that these policies are circulated, enforced, and revised regularly, as security threats constantly evolve.

Implement a defense-in-depth plan that includes:

  • Firewalls
  • Anti-malware
  • Intrusion detection
  • Access control

Complex endpoint security concerns necessitate automated security tools. Companies need endpoint detection and response (EDR) tools and endpoint protection platforms (EPP). These need to be checked and updated regularly.

 

6. Conduct Audits, Pen-testing and Vulnerability Testing

Whether an organization partners with an outside security firm or keeps security functions in-house, it is important to test security constantly. Using an external security testing company means that unfortunate issues are brought up and oversight is ensured.

 

Conclusion

Cloud security is a shared responsibility, and utilities must understand the best practices and most effective current security strategies. While cloud service providers typically maintain secure environments, the biggest risks will be how employees connect to the cloud and the control of data and access. This puts cloud security within the company's own control and emphasizes how crucial it is to implement cloud security best practices. The ultimate responsibility for security rests with the utility company, but this also means that good security is achievable.