Keeping Data Safe in the Cloud – the Essential Checklist

Earlier this year a US software engineer hacked into a server holding the personal information of more than 100 million Capital One customers, in what was described by prosecutors as one of the biggest data thefts from a bank. It is potentially the most-feared scenario for many organisations: the hacker had gained access via a ‘misconfiguration’ of a firewall on a web application, allowing her to communicate with the server where Capital One stored its information. By Gordon Sockett, Content Programme Manager at Digital Transformation EXPO Europe.

  • 5 years ago Posted in

Protecting customer data is, quite rightly, a significant concern for companies: new research has found that 54% worry most about the security of payment information and 49% about customer information, largely due to data sensitivity and the need to comply with privacy regulations. You’d be forgiven for thinking a multi-billion-dollar firm like Capital One would be on top of things – but as cloud’s popularity increases and the pace at which the technology powering it develops, so does the risk to sensitive data and the methods required to protect it.
 
The best systems will prevent unauthorised access to data, protect it from unintended change, and make it easily accessible to those who actually need it. What follows is an essential checklist to help ensure your organisation does all of the above, and does it well.
 
1)     Educate all employees
Hackers are obviously very real threats to data security, but an organisation’s employees are often one of the main causes of data breaches – particularly for organisations that lack a security-first culture. According to Gemalto, nearly half of IT professionals are not confident they know all the cloud services used within their companies. It’s a worrying figure considering there’s so much to lose: 21% of files uploaded to cloud-based services are reported to contain sensitive data.
 
To effectively protect their data, organisations should educate employees and create accessible, comprehensive policies for compliance and data governance. Education should also extend beyond IT professional. Actively involving the entire company in security training and keeping them up-to-date on best practices is the best way to ensure employees are equally responsible for, and care about, data security. Training can include:
 
-       Dynamic sessions that cover the basics, answering questions like ‘what is cloud storage?’ and ‘what are my organisation’s standards in reporting incidents?’
-       Creating a simple response protocol document that details the steps employees can take in different threat scenarios provides clarity and shares responsibility
-       Unannounced security tests that allow organisations to monitor the success and of employee training on data security, and adapt alongside it.
 
2)     Gain awareness of the main threats
Cloud security is multidimensional, spanning physical (data centre) security, auditing, threat detection, vendor transparency, platform and network security, and legal compliance with industry-specific standards – to name just a handful. These security factors are largely organisation-specific. They depend on how a company uses cloud, whether the system is managed by a third party vendor, what information is stored within, and who has access – again, to name just a few.
 
Understanding which data is most important to the organisation, and assessing the threats tied to each, allows resources to be immediately directed to the most urgent security threats.
 
3)     Centralise and co-ordinate security efforts
Knowing who has access to all of the data, and enabling IT departments to centrally manage data protection solutions across the organisation, is key to improving cloud security and maintaining control of sensitive information. Cloud-based access control systems are effective in doing exactly this, as they provide centralised visibility and management without the complexity of physical access systems.
 
Remember: preventing – and responding to – security threats is a shared responsibility, rather than solely the role of the cloud service provider.
 
4)     Encryption, encryption, encryption
Encryption scrambles the content of any system, database or file, making it impossible to decipher without an encryption key. This is the front line of defense for any cloud system and is regarded as one of the most indomitable approaches to data security. Yet only 47% use encryption to secure sensitive data in the cloud, while 52% of IT professionals say their organisation controls the keys when data is encrypted in the cloud. In short, even those who encrypt their data are putting it risk if they don’t centrally secure and store their keys.
 
Encryption is something that most cloud service providers typically offer, in addition to storage and back-up. In turn, this means the service takes care of both encrypting files on organisational computers and storing them safely on the cloud: an example of zero-knowledge privacy with which no-one (including the providers themselves) can access the files.
 
Equally vital is maintaining control of encryption keys, storing them securely and separately from the encrypted data, and applying multi-stage authentication to control access to cloud-based business applications.
 
5)     Pay attention to passwords
Security also resides in the user. No matter the level of cloud security in place, weak and hackable passwords equal data vulnerability. Encourage employees to use password generators and management tools to create strong passwords and stay on top of them.
 
6)     Apply multi-factor verification
Another must, is multi-factor verification to control access to cloud-based applications. Only half of IT professionals say their organisations use multi-factor authentication for employee access to the cloud – yet it’s one of the simplest ways to ensure data is only made available to employees with specific access rights.
 
7)     Ensure data is backed up
Loss of cloud data can be prevented by, well… backing it all up. This can be done on in-house servers, and protects data against equipment failure, hacking, catastrophe, or any of the above. Cloud data backup not only helps to bolster a company’s data protection strategy, but also avoids increasing the workload of the IT team who, ultimately, are the ones leading the charge in ensuring data remains safe in the cloud.

By Barry O'Donnelll, Chief Operating Officer at TSG.
By Dr. Sven Krasser, Senior Vice President and Chief Scientist, CrowdStrike.
By Gareth Beanland, Infinidat.
By Nick Heudecker, Senior Director at Cribl.
By Stuart Green, Cloud Security Architect at Check Point Software Technologies.
The cloud is the backbone of digital cybersecurity. By Walter Heck, CTO HeleCloud
By Damien Brophy, Vice President EMEA at ThoughtSpot.