You have a significant role in security if you have servers in the public cloud. Do you know what that role is? It’s the role of security manager, and it’s a big job. What the job entails might be more than you’re ready for — particularly when you know that you have certain legal obligations and liabilities to maintain security on those systems. Yes, you read correctly. Your company has liability for security breaches that result in loss or damage to consumers or users of your systems.
When it comes to security in the public cloud, you’re on your own. Your cloud provider will not help protect your systems from hackers and other attacks beyond protecting its own infrastructure. However, with due diligence you can minimize your risks.
Due diligence is your best defense. By complying with all computer data and security legislation, plus providing your dated documentation, you’ll reduce your risk to near zero. While historically many such cases against companies haven’t proven successful, new precedents and laws are in flux in these matters.
So what is due diligence when it comes to computer security, and how can you minimize your risks? The following guidelines will help you toward that end.
When it comes down to legal defense, your best defense is a strong offense. He who has the best documentation wins in courts of law. Draft written policies and procedures that define best practices, schedules, frequencies, and sources of security patches, updates, service packs and hot fixes. Implement those procedures with adequate documentation (i.e., dates, times, personnel, phone records and written summaries), and keep them readily available for easy shipping to your attorney’s office.
Your personnel should perform maintenance patching on at least a quarterly basis. However, you should apply security patches as soon as vendors release them to you. A vendor-supplied security patch means they’ve uncovered a security flaw, and it’s worth the time to notify you about it. You should practice the same amount of diligence with your server system’s security patching as you do with your personal antivirus updating. In other words, assume all security patches are critical.