Defending Your CannaBusiness Data Within the Cloud

November 10, 2017

3385

As the cannabis industry continues to expand its reach worldwide, its fledgling companies will look to both cut costs while seeking out scalable, flexible solutions for their IT needs. They enter into the age of cloud computing, where services such as Amazon Web Services, Microsoft Azure and Google Cloud Platform offer unparalleled storage and processing power to any and all comers. One can’t argue with the increased efficiencies these services offer: users forego the costs of hosting dedicated technology and pay only for the server space they use. And as their business expands, so can their onboarding of digital resources. What’s not to love?

The devil in the accompanying details lies in security. Too often, business owners mistake “being in the cloud” for an adequate security strategy. Cautionary tales abound of public cloud cyber attacks and data exposures that rival the enterprise hacks of Equifax and Home Depot. In 2012, a cyberattack directed against Dropbox yielded the email addresses and passwords of 68 million users. Online security services routinely find sensitive customer data on AWS cloud servers exposed due to poor configuration, such as Verizon’s exposure of 14 million customer accounts or Patient Home Monitoring’s exposure of 150,000 patient records, just to name a few. Small businesses are especially vulnerable to such breaches; they face lost productivity, lengthy (and expensive) remediation phases and reduced good faith within their markets as consequences for their misfortune.

We at GeekTek embrace the opportunities and efficiencies afforded by cloud technologies. But with these advantages come significant risks, similar to the issues we discussed in Part One. So whether you’re beginning your move towards a public, private or hybrid cloud solution or wish to bolster your existing security profile, you’re strongly recommended to implement these security protocols.

Protect your local network and endpoints: Cyber criminals can enter into your cloud on multiple fronts. They certainly won’t ignore your employees and their devices, especially if you do. Therefore, endpoint encryption of sensitive data on each employee’s device is critical. In addition, all of your employees should recognize common phishing/spearfishing attacks. The Anthem hack, which hemorrhaged 78.8 million user accounts, stemmed from a single employee clicking on a malicious link. Once a single point on your network is compromised, your cloud is next.

Secure your cloud infrastructure: While public cloud services such as AWS provide some basic security, you need to have an active firewall with IPS (intrusion prevention system) and IDS (intrusion detection system), even in the cloud. All devices in your local network should be behind this firewall. All outward-facing machines should be placed in a DMZ (Demilitarized Zone).

Use two-factor authentication: Two-factor authentication, which requires a separate, one-time code in addition to one’s password, is offered by Google and Facebook for their personal user accounts and is standard in many cloud services. We strongly advise enabling this, and using a third party 2FA solution as necessary to fill the gaps. Your business must implement this to prevent the most obvious attacks from succeeding.

Then, use single sign-on: In addition, single sign on authentication, which enables access to all applications with one coupled username/password pair, rather than several, simplifies the process of access control. One only has to revoke privileges of one account, rather than several, to cut off a rogue or compromised user in your network.

Use white-lists of approved cloud apps: IT professionals currently struggle with the proliferation of “shadow IT,” which include cloud-based applications not thoroughly vetted by an IT department. Not every app one can procure on the Android or Apple App Store is benign. White-listing approved apps, and holding your team to it, can save countless headaches down the road.

Use VPNs when accessing the cloud: Transmitting data from one endpoint on your network to any cloud, be it public or private, must utilize a virtual private network connection. This encryption shields your data in transit, where the threat of interception by an interloper is high. In addition…

Data must be encrypted at rest: Even if one’s data is sent through a secure VPN, it means little if one’s cloud is hacked and one’s data is available in its raw, easily interpreted form. This made the job of the Equifax hackers even easier once they gained access to the credit bureau’s system. Don’t let their mistake be yours.

Utilize Mobile Device Management (MDM) on all mobile devices: Nowadays, work is portable. It can be done at your office, or it can be done at the local Starbucks. But what if your employee loses his/her laptop, or it gets stolen? MDM tracks all mobile devices on the network. One can pinpoint it geographically or, if need be, wipe all data from the device remotely. Especially for cannabis verticals like delivery and distribution, this solution should be standardized for all participating businesses.

The cannabis industry is not unique in its data security needs, but it is uniquely vulnerable to the legal and social fallout that emerges from a data breach. Eventually, once your data grows, you will need to manage your IT full time – or find some dedicated company, such as my company, that can. But if you plan to manage the cloud yourself at this early stage in your company, understand that even public clouds such as AWS or Google don’t defend themselves. You will need to go above and beyond by learning and implementing the basics of digital security to keep your data safe.