Mind the gap: cloud security best practices
- Published: Tuesday, 19 February 2019 09:36
Rich Campagna explores the security and compliance risks associated with data stored in – and accessible from – cloud applications, setting out best practices for assuring end-to-end protection.
With cloud adoption rapidly expanding across an immense range of industries, enterprises around the globe are eagerly embracing the benefits that can be gained from moving their mission-critical services to the public cloud.
Despite the fact that major cloud vendors invest heavily in security, with Microsoft alone dedicating more than $1 billion a year to internal security investments, companies need to understand the hidden risks associated with migrating to the cloud.
That entails senior company executives coming to grips with the security and compliance risks associated with data stored in – and accessible from – cloud applications, and who takes responsibility should the unthinkable occur.
Understanding the division of responsibility
All too often, an over-reliance on a cloud vendor’s native security features can result in a degree of complacency when it comes to the enterprise’s own security and compliance responsibilities. A careful examination of cloud service-level agreements should reveal where a vendor’s security commitments begin and end – and where the potential gaps in protection lie.
Primarily, cloud providers are strongly focused on protecting their services and the infrastructure that runs their services – including all hardware, software and networking – from attackers and unauthorised intruders. Typically, however, they will not inspect how the enterprise’s own employees use data that is stored in their cloud offerings. In other words, they are unlikely to monitor or look out for suspicious user activities on their platforms.
Should that result in sensitive or proprietary data being publicly exposed, the enterprise in question could find itself at the epicentre of a negative publicity storm. Similarly, there could be an unauthorised download of personally identifiable information to an employee’s personal mobile device that is subsequently lost or stolen. In such cases, the enterprise bears responsibility and is liable for the financial penalties that result from compliance failures.
Clearly, it’s vital for the enterprise to understand exactly what information is under its jurisdiction, taking appropriate measures to plug any security and compliance gaps.
Managing a shared responsibility model
As we’ve seen, responsibility for cloud security and compliance is shared between the enterprise and the cloud provider. For the enterprise, management of this shared responsibility model begins with a careful evaluation of a cloud app vendor’s responsibilities and, ideally, continues with the ongoing monitoring of the vendor’s security provisions.
The enterprise will also be responsible for the additional security tools that protect its data. This includes verifying user identity, protecting against credential theft and controlling access from risky contexts.
The enterprise’s responsibility also includes ensuring that cloud applications aren’t used as delivery mechanisms for malware or threats across the organization.
Preparing a rigorous security and compliance strategy
Many organizations are rapidly expanding their cloud footprint to include infrastructure services such as AWS, Google Cloud and Azure. As a result, dedicating time and resources to assure end-to-end security and compliance controls is becoming increasingly important. For the enterprise, that means taking advantage of the latest technologies to enforce access controls, limit sharing, protect against malware, and avoid data leakage. This includes everything from shadow IT discovery tools that evaluate apps by their native security and regulatory compliance features, to contextual access controls that govern data access by a user’s job function, geographic location and device type. In other words, alongside verifying that a cloud vendor is doing its job, enterprises will also need to keep up their end of the bargain by building in-house processes and leveraging the appropriate security tools that help an organization safely reap the benefits of transitioning to the cloud.
Rich Campagna is CMO of Bitglass.