As cloud computing in the enterprise continues to deliver enormous efficiency and cost benefits, organisations are faced with significant challenges relating to privacy, security and the data protection and availability of critical business assets. These challenges are only growing as more and more enterprises adopt cloud-based IT. This growth has been highlighted by new research which polled 400 IT decision makers across the US and Europe. The survey found that, on average, 40% of all organisations’ applications are deployed in the cloud and this number is expected to grow by a further 30% in the next year.
The security stakes have therefore been raised and, as we have seen, hackers don’t discriminate. One of the largest breaches in 2016 occurred at the UK mobile operator Three when hackers successfully accessed its customer upgrade database simply by using an employee login. This occurred soon after another major breach at broadband provider TalkTalk where the details of more than 150,000 customers were stolen, including the bank account details of around 15,000. The result was 95,000 lost subscribers, which cost the company approximately £60 million.
Ownership of security within cloud activities must be prioritised as c-level executives, IT managers, CISOs and security professionals plan their cloud security strategies. Below are eight recommendations for ensuring cloud security. While these might seem a bit overwhelming, the alternative is even scarier – risky cloud use that leaves organisations vulnerable. With thorough planning and a new perspective on cloud security, your company’s data will be more secure in 2017.
Don’t put a bullseye on your data. Think about approaches that minimise the target value of an organisation’s data. Consider deploying services on virtual private clouds or internal/on-prem systems – entirely within a firewall, keeping information away from the spotlight of highly visible SaaS targets.
Protect corporate user identities and metadata. User identities are subject to hacking; enterprises must protect their corporate user identities, since the loss of a user identity is likely to result in the loss of that user’s corporate data. Similarly, exposing metadata (evidence that data exists and what its properties are) can be as much of a threat as losing the data itself. Some cloud storage providers do not follow this strategy and keep all of their customers’ metadata centralised in a public place. This indirectly asks enterprises to put their faith in the provider, which poses a significant risk to data confidentiality and integrity.
Avoid risks associated with SaaS providers generating and managing encryption keys. Encryption keys generated on un-encrypted servers can provide attackers with easy access to enterprise data. Similarly, having your SaaS provider manage your keys increases the risk of losing control of your data. While cloud service providers boast high security, including physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, many provide no protection against government data requests, blind subpoenas, or clandestine spying. Make sure you own user identities, metadata, and encryption keys to ensure the highest levels of data privacy.
Control your endpoints and offices. Use enterprise mobility management (EMM) tools to eliminate shadow IT and create secure productivity spaces within corporate-provided and BYOD devices. Encrypt all data at the source to ensure the highest level of file security.
Lock down external collaborator access. Implement strict policies to enforce what data can and cannot be uploaded to a file sharing environment, control which domains and email addresses content can and cannot be sent to, and audit all access so that anomalous events are detected. Data loss prevention (DLP) tools can be used to restrict access behaviours.
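As an added illustration of the domain-restriction and access-audit advice above (example code written for this article, not a product's own tooling): the script below parses a constructed file-sharing audit log, flags shares to recipients outside an assumed domain allowlist, and reports users whose external-share count exceeds an assumed threshold. The log field layout, allowlist and threshold are all assumptions.

```python
"""Flag file-sharing audit events that violate an external-collaborator
domain policy, and spot users with an anomalous volume of external shares.
Constructed sample log; the field layout and thresholds are assumptions."""
import re
from collections import Counter

# Constructed audit log: timestamp, actor, action, recipient, file path.
SAMPLE_LOG = """\
2017-01-09T09:12:03Z alice@corp.example share bob@partner.example /finance/q4-forecast.xlsx
2017-01-09T09:15:44Z alice@corp.example share carol@corp.example /finance/q4-forecast.xlsx
2017-01-09T09:40:10Z dave@corp.example share eve@freemail.example /hr/payroll-2016.csv
2017-01-09T10:02:51Z dave@corp.example share mallory@freemail.example /hr/payroll-2016.csv
2017-01-09T10:05:07Z dave@corp.example share trent@freemail.example /hr/payroll-2016.csv
2017-01-09T10:30:00Z alice@corp.example download carol@corp.example /finance/q4-forecast.xlsx
"""

ALLOWED_DOMAINS = {"corp.example", "partner.example"}  # assumed policy allowlist
EXTERNAL_SHARE_THRESHOLD = 2                             # assumed per-user anomaly threshold

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Parse one audit line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, actor, action, target, path = m.groups()
    return {"ts": ts, "actor": actor, "action": action, "target": target, "path": path}

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def policy_violations(log_text, allowed=ALLOWED_DOMAINS):
    """Share events whose recipient domain is not on the allowlist."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return [e for e in events if e["action"] == "share" and domain_of(e["target"]) not in allowed]

def anomalous_sharers(log_text, allowed=ALLOWED_DOMAINS, threshold=EXTERNAL_SHARE_THRESHOLD):
    """Users whose count of non-allowlisted shares exceeds the threshold."""
    counts = Counter(e["actor"] for e in policy_violations(log_text, allowed))
    return {actor: n for actor, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for e in policy_violations(SAMPLE_LOG):
        print(f"VIOLATION {e['ts']} {e['actor']} -> {e['target']} {e['path']}")
    for actor, n in anomalous_sharers(SAMPLE_LOG).items():
        print(f"ANOMALY {actor}: {n} external shares (threshold {EXTERNAL_SHARE_THRESHOLD})")
```

In practice the allowlist and threshold would come from the DLP or sharing platform's policy, and the flagged events would feed an alerting pipeline rather than stdout.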
Improve password security. Set rigorous policies around password strength and refresh rates. Consider adding multi-factor authentication, which requires the user to present a combination of something they know, such as a static password, and something they have, such as a smart card or a token that generates a one-time password.
Know your data protection options. Understand the limitations of cloud services to recover data lost in the event of an attack, user error, etc., as part of your vendor’s SLAs. Ensure that you protect data residing in the cloud – i.e. back up your SaaS applications, as well as services and applications running on public cloud IaaS – as part of a comprehensive organisational strategy for backup/recovery of data in all locations (on-prem and in-cloud).
Investigate multi-cloud strategies. When organisations run applications on multiple cloud services rather than relying on a single vendor, they reduce the risk of a vendor’s service outage causing them significant issues and downtime. This is a critical component of a cloud strategy that enables organisations to preserve cloud optionality while strengthening their business continuity models.