Cloud Security Threats & Protection with Nicole M. Fellouris

As a Sr. IT Security Engineer and internationally recognized SME in Cyber Security and Cyber Counter Intelligence Operations; Ms. Nicole Fellouris’s career in I.T Security and Ethical Hacking spans over 20+ years. Beginning in 1996 as a pre-med student at the University of California, Irvine., Nicole quickly developed a talent for reverse engineering and ethical hacking, attending her first Defcon in 1998 and receiving multiple recruitment opportunities by both Federal Law Enforcement, Domestic and International Intelligence Agencies. Nicole’s first “C-Suite” position and technology startup experience started in 1999 as CIO of ComponentsDirect.com(VAR). In 2002, she left ComponentsDirect.com to Found Elite Development Group, Inc. Serving as Founder & CEO until sabbatical in 2011, Nicole and team were responsible for 100+ successful cyber threat disruption and incident remediation, in addition to Corporate & Regulatory Compliance Projects. As a Globally Recognized Senior I.T Security practitioner, Entrepreneur and Scientist, Nicole was privileged to receive and accept multiple Board Appointments within the Public/Private and Non-Profit Sectors. BOD appointments included the FBI/Private Industry Partnership organization Infragard, LifeBoat Foundation, OC Chapter of AWT, and Bannon Institute. Various task force participation includes Secret Service’s Electronic Crimes Task Force (ECTF) and OC PTRSG. Nicole currently serves as CISO of Fintech/Blockchain startup Project Halcyon and CEO of Global Cyber Security Consulting and Secure Application Development firm, Halcyon Digital Security Group, Intl.

LIFARS: What are the biggest security challenges of cloud storage?

Nicole: From a security and compliancy standpoint it’s easily the lack of control on the back-end and equally an absence of clear definition of who is responsible in the event of a breach and how that relates to threat remediation and subsequent forensic investigation in regard to attribution.

LIFARS: Could you name some of the cloud insider threats that organizations should worry about?

Nicole: On both the Cloud storage provider side it’s both malicious engineers and accidental misconfigurations that are cause for the most concern.

On the Cloud user side, it’s often misconfiguring the provider’s respective “user manager” and not using “least privilege” methodology that enables malicious insiders to maximize damage. Especially when an employee/contractor exits the company (regardless of terms) their respective Cloud access should be disabled immediately. In the event of a termination, the account should be disabled presumptively.

Also from the Cloud user side the most common “accidental” insider threat that occurs is the permanent deletion of data. This goes back to the importance of configuring the “user manager” and also the need of incorporating Cloud data points into the regular back up routine.

LIFARS: What are the strategies we can take to protect the security of our private information in the cloud?

Nicole: Only store encrypted data in the cloud and use an encryption product independent of the Cloud storage provider.

Associate an email address with the Cloud account that is different than one being used for every day email communication or is posted in a public profile. The same methodology should also be used in selecting a “back up” email address to associate with the Cloud account.

Only select questions for the “password recovery process” where the answers are not easily guessed or can be ascertained with online research

LIFARS: How can we improve cloud security across an organization by security training? Is there any security training program you suggest for cloud security knowledge?

Nicole: Before we can even discuss, all Cloud storage users need to read their respective provider’s “User Agreement” so they have a clear understanding of who is responsible for maintaining the integrity/security of their Cloud account and stored data in addition to log and data retention rates. Especially with business class users, it’s imperative to update “Incident Response Plans” to include the Cloud and know ahead of time who to contact at the Cloud storage provider and how to contact them ahead of time.

As far as training programs, I would reference the Cloud Security Alliance as the most comprehensive resource for Cloud related educational materials.