Cloud storage is a readily accessible and convenient technology that gives access to data anywhere. With that convenience, however, comes risk. Companies that use the cloud to store their data need to make sure they are doing all they can to secure it. And cloud data security isn’t only about technology. It’s also about managing the privacy, availability and integrity of data.
We’ve all seen the recent stories about security breaches and stolen data. Most recently, several high-profile celebrities had private photos from their iCloud accounts surface online for public consumption. The photos were obtained by hackers who accessed the celebrities’ accounts without their knowledge.
Apple blamed the breach on a targeted attack on user names, passwords, and security questions, which essentially means that the hackers were looking for specific users’ accounts and were able to determine access info for those accounts.
So what should companies do to protect their data in the cloud?
Unfortunately, we do not see organizations doing nearly enough to keep their data secure. Here are some things you can do to help ensure the security of your cloud data.
Organizations that store or are looking to store data in the cloud need to do a cloud data security assessment to understand the types of internal risks they may be facing when contracting with a cloud service provider. This risk assessment should include the following:
Identify information stored in the cloud
Catalog and prioritize vulnerabilities, assign remediation controls and ownership
Assess the likelihood, impact, and risk levels for each vulnerability
The results of the risk assessment should dictate which internal safeguards you implement to fill the gaps in what the provider is doing. Not many companies are doing true risk assessments these days in order to understand how their information is being safeguarded.
The safest way to ensure the security of your data in the cloud is to encrypt it. However, for this to be truly effective, it needs to be encrypted at the file level, which means before it leaves your company and heads to the cloud. This puts the responsibility and workload back on the customer and away from the provider. Many companies seek only whole-disk encryption from their provider, which is very difficult to achieve on shared cloud platforms. In addition, with that arrangement the vendor holds the encryption key and has access to the data anyway.
For many cloud systems, the security technology is fairly tight and protects data adequately, but the weak link often lies with the people who have access to those systems. In other words, things like weak passwords are often the cause of a security breach in an otherwise secure system. When Adobe was hacked in 2013, almost 2 million of the passwords uncovered were simply “123456”. By educating employees on how to secure access to the data more intelligently, companies can help protect their data online.
Audit Your Employees
Employees often keep their own personal data in the cloud using consumer solutions such as Dropbox, OneDrive, Google Drive, etc. Companies might not really have an understanding of how many of those employees are using those personal cloud accounts to transfer company data. An employee might have a project folder they need access to over a weekend or on vacation, and so they store it on one of those solutions for access. Companies need to know where their data is leaving their environment and make sure that employees clearly understand that they should not transfer company data into personal cloud accounts.
Evaluate Types of Data
Companies need to determine the level of security that they require for different types of data. For data that is under strict compliance regulations or scrutiny, it’s probably not a good idea to store it in the cloud. Even if you perform a rigorous risk assessment, you really can’t guarantee with 100% certainty what that third-party vendor is doing.
Security by Obscurity
Another approach that not many businesses consider is to choose a less popular cloud platform technology or provider in the hope that they would be a much smaller target and less likely to be attacked. There is some merit to this theory, but as in the example of the celebrity photos, it won’t protect you if someone specifically wants to target your company to do harm.
We’d like to thank Kelley Ealy, Chief Information Security Officer at SIS, for helping us to develop the material for this post.
What are your thoughts on securing data in the cloud?