Protecting data in the cloud: Best practices and effective tools
How do we keep our data safe if it’s in the cloud and out of our physical control? In this article, Sekhar Sarukkai goes over several common threats to your data security and explains the different ways that companies can protect their data.
Cloud computing is the next frontier for cybersecurity. However, the average organization is often unprepared to protect itself against the myriad security risks the cloud poses. With the incredible growth of cloud services and the rise of new threats, proper cloud security is needed more than ever before.
The cloud service market is still expanding at a formidable rate. On average, companies employed 1427 cloud services in 2016, an increase of 23.7 percent from the previous year. Clearly, the cloud is becoming an essential part of doing business, but with great power comes great responsibility.
This responsibility involves properly protecting the data of both organizations and their customers. It is estimated that 18 percent of the data in the cloud includes some form of personally identifiable information (PII), intellectual property, or other sensitive information. This is made worse by the fact that organizations face 23 cloud security threats per month, an 18.4 percent increase from last year.
External attacks, such as ransomware infections and brute force attacks, often make the news, but insider threats are becoming increasingly relevant. Part of this risk relates to Shadow IT, which refers to employees using unauthorized cloud services without the knowledge or approval of their employer’s IT department. In fact, organizations are aware of only 10% of their cloud service usage; the remaining 90% is Shadow IT.
Using unapproved cloud services may not seem like a huge risk, but Shadow IT poses a risk because individual employees rarely apply the proper scrutiny when using new cloud services. On the other hand, IT security departments weigh the security risks and capabilities of the cloud service before approving it for company-wide use.
Shadow IT and insider threats in general may seem like a formidable roadblock for cloud adoption, but organizations simply need to apply effective cloud governance strategies to use the cloud’s full potential without any data vulnerabilities.
The foundation of good cloud security is knowing which services employees are using. Monitoring the services in use throughout the organization makes it possible to build an effective plan for securing their usage. IT security also needs to understand the security capabilities of each cloud application, including its encryption procedures, user data security, and multi-factor authentication availability. Visibility is an essential first step: find out what services are being used within the company, then apply the proper vetting procedures to make sure that these cloud products are secure.
With the rapid growth of cloud service usage, organizations have to find new ways to comply with regulations, such as HIPAA-HITECH, PCI-DSS, and EU-GDPR. Enterprises typically used data loss prevention (DLP) tools to prevent sensitive data from falling into the wrong hands and to stay compliant with internal and external policies. But that was when hardware, software, and data all resided on-premises. Cloud DLP demands a new approach. When applying DLP to the cloud, companies have to make sure that the same set of policies protecting their on-premises data is also enforced for data in the cloud. This can be done by:
- Inventorying existing policies and defining any new policies that may be unique to the cloud.
- Understanding what kind of data is uploaded to the cloud.
- Discovering who has access to sensitive data, and with whom that data is being shared or collaborated on.
- Preventing the sharing of sensitive data with unapproved third parties.
- Avoiding uploads of high-value information to the cloud.
- Applying a standard set of DLP policies across all cloud services to ensure that no policy enforcement gaps exist between different cloud services.
Billions of events occur within the cloud every day. Although most will be harmless, a small fraction of anomalies may require additional attention. For example, if one user logs in from two different locations over a short period of time, this event should be flagged as an anomaly and investigated further, as this may indicate a compromised account. Machine learning is essential to this because it is the only way to analyze the massive amount of data in the cloud. Organizations should combine machine learning with user behavior analytics (UBA) to sift through the billions of events in order to accurately detect the needle in a haystack.
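The "two locations in a short period" anomaly described above is often called impossible travel. The following is an added example (not code from the article or its author) that runs the check over a handful of constructed login events: it computes the great-circle distance between consecutive logins of the same user and flags any pair whose implied speed exceeds a plausible airliner speed. The 900 km/h threshold and the sample coordinates are assumptions chosen for illustration.

```python
import math
from datetime import datetime

# Constructed sample login events (not real telemetry): user, UTC timestamp, latitude, longitude.
SAMPLE_LOGINS = [
    ("alice", "2016-11-01T09:00:00", 37.77, -122.42),  # San Francisco
    ("alice", "2016-11-01T09:45:00", 51.51, -0.13),    # London, 45 minutes later
    ("bob",   "2016-11-01T08:00:00", 40.71, -74.01),   # New York
    ("bob",   "2016-11-01T14:30:00", 34.05, -118.24),  # Los Angeles, 6.5 hours later
]

# Assumed threshold: roughly airliner speed. Faster than this is not physically plausible.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, implied_kmh) for each pair of consecutive logins by the same user
    that would require travelling faster than max_kmh; such pairs warrant investigation."""
    by_user = {}
    for user, ts, lat, lon in events:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t0, lat0, lon0), (t1, lat1, lon1) in zip(logins, logins[1:]):
            km = haversine_km(lat0, lon0, lat1, lon1)
            hours = (t1 - t0).total_seconds() / 3600
            if hours <= 0:
                # Simultaneous logins from two distinct places: no finite speed makes this possible.
                if km > 0:
                    alerts.append((user, float("inf")))
                continue
            speed = km / hours
            if speed > max_kmh:
                alerts.append((user, round(speed)))
    return alerts
```

Running `find_impossible_travel(SAMPLE_LOGINS)` flags only alice (roughly 11,500 km/h between San Francisco and London); bob's New York to Los Angeles pair works out to about 600 km/h and passes.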
Data security includes a wide variety of methodologies, but two of the more commonly used forms are encryption and tokenization. As long as the decryption keys don’t fall into the wrong hands, encryption can be an effective means of securing data in the cloud.
Tokenization is another form of obfuscating data. Tokenization creates a random token value for the plaintext and stores the mapping locally. With this system in place, sensitive data does not leave the organization, but it can be de-tokenized and leaked if the token vault is ever breached. Traditionally, tokenization has been widely used to protect payment card data and other forms of structured data. However, tokenization isn’t well suited for unstructured data, such as Word documents. In that case, encryption is the preferred method.
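To make the token-vault model concrete, here is an added example (not the article's own code) of a minimal on-premises vault: structured records have their sensitive field replaced by a random token before upload, so the cloud copy carries no plaintext, while de-tokenization is only possible with the vault mapping. The field names, record layout and the `tok_` prefix are assumptions for illustration.

```python
import secrets


class TokenVault:
    """Minimal tokenization vault kept on-premises. Only tokens leave the organization;
    the vault mapping is what an attacker would need to recover the plaintext."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so repeated values stay joinable in the cloud dataset.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Random token with no mathematical relationship to the plaintext (unlike encryption).
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable where the vault lives; raises KeyError for unknown tokens."""
        return self._token_to_value[token]


def tokenize_records(vault, records, sensitive_fields):
    """Return copies of the records with each sensitive field replaced by its token,
    ready for upload. Non-sensitive fields pass through unchanged."""
    out = []
    for rec in records:
        out.append({k: (vault.tokenize(v) if k in sensitive_fields else v) for k, v in rec.items()})
    return out


# Constructed sample records (not real data); the PAN is a well-known test card number.
SAMPLE_RECORDS = [
    {"customer": "C-1001", "pan": "4111111111111111", "amount": "42.00"},
    {"customer": "C-1002", "pan": "4111111111111111", "amount": "13.50"},
]

if __name__ == "__main__":
    vault = TokenVault()
    cloud_copy = tokenize_records(vault, SAMPLE_RECORDS, {"pan"})
    print(cloud_copy)  # the cloud side sees only tok_... values in the pan field
    print(vault.detokenize(cloud_copy[0]["pan"]))  # recoverable only via the vault
```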
While most enterprise-ready cloud services provide some form of encryption, in most of these cases, the cloud service provider (CSP) retains access to the encryption key. This can be problematic if a rogue CSP employee accesses the keys, or if the CSP is faced with a blind government subpoena to release its customer data. For this reason, it’s a best practice for enterprises to encrypt data in the cloud using enterprise-owned keys.
Cloud security tools
Aside from cloud best practices, here are some tools that can provide an additional level of security:
- Cloud firewall: A cloud firewall creates a formidable layer of security against low-level threats targeting data being transferred between the cloud and the network.
- Cloud data encryption: Data encryption makes sensitive information much more difficult for hackers to access by obfuscating the information into ciphertext.
- Secure Web Gateways: SWGs can provide IP/URL filtering to block access to risky Shadow IT cloud services (if the URL of the service is known) as one of their cloud security use cases.
- User access control: Not every user needs access to everything. User access control, also known as identity and access management solutions (IDM), provides users with access to only the cloud resources they need to do their jobs.
- CASB: Cloud Access Security Brokers provide security and activity monitoring for cloud services, and act as a control point for cloud applications.
Cloud computing’s meteoric rise has brought with it tremendous efficiency and improved productivity for its users, but it should not be used without the proper security considerations. By following the above best practices and suggestions, enterprises can enjoy the benefits of the cloud without putting their corporate data at risk.