Best Practice

Cloud Computing Best Practices

We've provided some general information below about cloud computing. At RIT, information handling requirements (including the use of non-RIT servers for storage) are articulated in the Information Access and Protection Standard. Refer to the standard for more information about storage restrictions based on information classification.

There are certainly some benefits to cloud computing, but the practice of saving content on the Internet is facing more scrutiny than ever. While there is no silver bullet solution to securing your cloud service, understanding how you can protect yourself is the best way to keep your information private.

  • Keep up to date with the latest cloud security developments. Because cloud computing is constantly evolving and adapting to new security threats, you need to upgrade your security as often as possible. As this article states, “hackers target vulnerable operating systems that don't have properly applied patches.”
  • Add file caching capability to your computer. Consider local caching of your files on your computer as a backup for your cloud service. Cloud computing is perfect for sharing team files, but the network can go down and bring project progress to a standstill. Having your files to work off of, even if they aren’t perfectly synced, is an essential backup if you want to continue working. This is also convenient if you encounter a security breach, because it allows you to find any changes or deletions in your files.
  • Don’t just rely on cloud computing. If it’s not maintained by you, there is never a guarantee that your information will be there. When Megaupload was taken down by the FBI, many users found that they lost all of their own data as part of that effort to stop the distribution of copyrighted materials. Cloud Service Providers (CSPs) sometimes recommend that you store your data with several cloud services, which is more costly due to subscription costs and is less effective than hosting your own backup system. Most CSPs save your information in one place, so you would be buying multiple services that depend upon a single source.
  • Know which programs or services you use that are supported by cloud service providers. This allows you to keep better track of what information you could potentially lose or have stolen in the event of a CSP security breach. This knowledge can be critical to protecting your private information; if you’re not aware of what is available, you may become an unsuspecting victim.
  • Be aware that your system can easily be transferred to another server in the CSP’s network. Although this is a major advantage of cloud computing, if you deal with sensitive or classified information it is better at this point in cloud service development to work exclusively with more secure in-house systems.
  • Keep up to date on any infrastructure or policy changes for your CSP. Having a good relationship with your CSP is important, to ensure that you know when they change how they handle and secure your information. Although you may not be able to access security information in the same way you could on an internal system, understanding how your information is saved and monitored could quickly alert you to a problem.
  • Compare encryption standards between various CSPs. Look for Advanced Encryption Standard (AES) encryption, since it's the best standard currently available to secure your data. An SAS 70 Type II datacenter is also widely acknowledged as a very secure physical housing of information. Having access to a CSP with both of these will help secure your information a bit better.

 

 

Safe Online Shopping & Banking

Use a Secure Computer

Make sure your computer meets the RIT Desktop & Portable Computer Standard before getting online. In addition to up-to-date anti-virus, make sure that your operating system and your web browser have the latest security patches installed.

Don't use public computers to send private information over the Internet. You cannot be sure what security measures are in place and other people may have altered settings or installed malware without your knowledge.

Research the Company/Website

Investigate any bank or retailer you are considering using. How trustworthy are they?

Use the FDIC Bank Find page to make sure the bank is insured by the FDIC.

Check the company's privacy policy. Some companies may sell your e-mail address and/or other contact information to third parties, leading to more spam in your inbox (if there is no privacy policy, you're better off avoiding that site).

Plug the website name into a search engine. What kinds of consumer reviews are returned?

If you're shopping at an auction site, check out the seller's feedback. Have other people had good experiences with them? What forms of payment will they accept?

Research the Product/Service

Learn more about the product or service you are considering. Are you getting exactly what you want? Look for fine print: are there hidden fees or terms?

Are the prices too good to be true? Insane deals are sometimes used to disguise malicious links. They may also be an indication that the product is actually a counterfeit.

What is the seller's return/exchange policy? Do they cover damaged goods?

What is the bank's policy on fraud? How much protection do they offer? Will they reimburse fraudulent transactions?

What about shipping costs? Is there a minimum purchase amount? Tip: If you're making several purchases, try to combine them on the same order when possible. Not only does it reduce the number of transactions you have to make, but you might save a bundle on shipping costs too!

Use Strong Passwords

Use a strong, unique password or pass phrase where allowed. Most online banks (and some retail websites) offer an additional layer of security such as:

  • Using an on-screen keyboard to enter passwords (this protects against keyloggers).
  • Requiring an additional password or personal identification number.
  • Requiring you to answer a challenge-response question each time you log in (e.g., what is your grandmother's maiden name?).
  • Smart cards or tokens that generate a single-use password (meaning you cannot access your account without this physical device).

Select an online banking service that uses one of the above methods or some other type of additional security protection.

Make Sure the Website Uses Encryption

When you're ready to submit your information, look for the following indicators that the website is secure:

The address bar should begin with either shttp or https (not just "http") and there must be a padlock in your web browser (the location varies by browser; it usually appears in the address bar or the status bar at the bottom).

Never submit your login information by e-mail. Scammers go to great lengths to make e-mails appear genuine, but no legitimate bank or retailer will ever ask you to submit private information by e-mail.

Use a Secure Payment Method

When shopping through an online retailer or through an auction site, make sure you use a secure payment method.

Credit cards are one of the safer options. Federal law limits your liability in the event of credit card fraud to only $50. MasterCard and Visa also offer zero liability for most debit card transactions.

See if your bank or credit card issuer offers one-time use or "virtual" card numbers. These are card numbers that you can sign up for and activate for a limited time period. They still link to your regular card/account; however, the number is completely different. This means your active account number doesn't have to be transmitted over the Internet at all.

Never give out a bank account number to anyone, and be wary of anyone who insists upon cash or wire transfer only.

Monitor Your Accounts

Keep track of all your purchases/account history from start to finish and beyond.

Print out all your orders and receipts, as well as e-mail confirmations and product descriptions. If possible, request that your bank mail you a monthly account statement and compare it to your online statements.

Follow up your purchases by closely watching your bank account and/or credit card statements to monitor for any unauthorized transactions.

You may also want to check your credit report annually (check for free at www.annualcreditreport.com).

Problems and Complaints

Online Banking Complaints

There are several different organizations that regulate financial institutions in the United States. The links below provide additional information on safe online banking as well as instructions for filing a complaint:

FDIC - Safe Internet Banking
http://www.fdic.gov/bank/individual/online/safe.html

U.S. Securities and Exchange Commission - Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information
http://www.sec.gov/investor/pubs/onlinebrokerage.htm

New York Fed - Tips for Safe Banking Over the Internet
http://www.newyorkfed.org/education/addpub/safeinternet.pdf

Online Shopping Complaints

If you think you have been a victim of online shopping fraud and/or cannot resolve a problem with the seller, contact the following agencies:

Better Business Bureau
https://odr.bbb.org/odrweb/public/GetStarted.aspx

Additional Links

Online Shopping Tips

http://www.dhses.ny.gov/ocs/

http://www.consumer.ftc.gov/blog/happy-holiday-shopping

http://www.staysafeonline.org/stay-safe-online/protect-your-personal-information/online-shopping

http://www.safeshopping.org

Online Banking

FDIC Bank Find:
http://www2.fdic.gov/idasp/main_bankfind.asp

Online Safety

Everyone connected to the Internet is a potential target. Use of anti-virus and firewall software is critical in protecting your computer online; however, simply protecting your computer is not enough. 

Web Browsers

Cyber criminals often target vulnerabilities in web browsers. Because Internet Explorer is the web browser used by most people, it has become a primary target. Using a different browser can reduce your risk while on the web. The table below lists alternative browsers:

Browser | Operating System | License
Firefox | Mac, Windows, Linux | Free (open source)
Chrome | Mac, Windows, Linux | Free
Opera | Mac, Windows, Linux | Free
Safari | Mac OS X | Free

Configure Settings

Changing the default security settings can help protect you while browsing.  Learn more here.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

Note: If you use Internet Explorer with RIT Oracle Applications, you may not be able to use the newest versions of Internet Explorer, as they are not certified for compatibility with Oracle at this time.

Use Limited Account Privileges

Learn more here.

Be Smart With What You Do Online

View our pages on Social Networking and Online Banking/Shopping.  Also look for posts on our blog about identity theft, online banking, and scams. 

Wireless Networking

Wireless networks are generally considered to be less secure than wired networks; however, with proper configuration and encryption enabled, they can provide more than adequate security for most users. Read our Accessing Wireless Networks Safely Brochure to learn more and better protect your privacy.

Wireless at RIT

RIT offers three different wireless networks across campus: an open public network, an encrypted WPA network, and an encrypted WPA2 network. We strongly recommend using the WPA2 or WPA network at all times, as they provide much better quality and security for users. WPA2 is the preferred protocol, as it offers the best security.

The WPA and WPA2 network signals are not broadcast publicly, so your computer will not automatically detect them. ITS provides instructions on How to Access RIT’s WPA Wireless Network.

More information on wireless networking at RIT can be found on the ITS Wireless Computing at RIT page.

Residential Networking

Please note that the use of wireless network routers is not permitted in residential areas on campus. Use of wired routers is acceptable; however, you should read and comply with Resnet’s guide to Using a Router on the RIT Network prior to setup.

Wireless at Home 

Without a secure configuration, your wireless network is open to anyone within range of the access point (typically anywhere from 100-1000 feet). Anyone in your area can "piggyback" on your connection and use your Internet, which can lead to a number of problems such as service violations, bandwidth shortages, abuse, activity monitoring, or direct attacks to your computer.

BEST PRACTICES FOR HOME WIRELESS NETWORKS
  • Change Your Default SSID and Administrator Password (See About.com for overview, but process varies by manufacturer)
  • Disable SSID Broadcasting 
  • Enable WPA Encryption
  • Enable MAC Address Filtering (See About.com for overview, but process varies by manufacturer)
  • Keep Your Access Point Software Up-To-Date with Patches
  • Use Your Router's Built-in Firewall
  • Use File Sharing with Caution

Public Wireless Networks

Many public access points are not secured, and the traffic they carry is not encrypted. This puts your sensitive communications and transactions at risk. Because your connection is being transmitted "in the clear," malicious users can use sniffing tools, "shoulder surfing," or other methods to quite easily obtain information including passwords, bank account numbers, and credit card numbers, or to gain unauthorized computer access.

BEST PRACTICES FOR PUBLIC WIRELESS NETWORKS
  • Avoid Sending Sensitive Information (such as online banking, shopping, etc.) over a Wireless Network
  • Stay on Secure Websites (look for HTTPS and lock icon)
  • Encrypt Your Traffic
  • Connect Using VPN (Virtual Private Networking)
  • Disable File Sharing
  • Be Aware of Your Surroundings
 

Virtual Private Networks

A Virtual Private Network (VPN) is a technology that allows for secure transmissions across the Internet between two networks by using a secure "virtual tunnel." Without using VPN, data (including passwords and confidential information) transmitted via the Internet is exposed and can be intercepted by third parties.

VPN should always be used to access RIT resources that are normally unavailable to users outside of the wired Institute network (such as department-specific services and network shares). This means that unless you are at a wired machine on campus, you must connect to the Institute network using VPN if you wish to access any private intranet resources. Your supervisor will notify you if the systems you work with require VPN.

VPN must be used when accessing RIT Confidential information on the Institute network from a remote location.

Visit the ITS VPN site to download the VPN software and find instructions and additional documentation.

 
