By Trevor Bidle.
While “cloud” has been a top buzzword in tech for many years in a row now, it seems to be warranted. The benefits and possibilities of the cloud appear to be endless, and many major tech leaders gladly sing its praises. The late Steve Jobs spoke highly of the cloud in 1997 when he said “I don’t need a hard disk in my computer if I can get to the server faster,” and Marc Benioff, founder and CEO of Salesforce, said that “simply put, cloud computing is a better way to run your business.” And, if you pay attention to what many pundits, industry analysts, and cloud services providers say, everything is better in the cloud: disaster recovery, business acceleration, speed to market, collaboration, innovation…everything.
It’s easy to see why many are so pro-cloud. The ability to scale resources up and down to meet demand instantaneously makes the cloud extremely attractive, not to mention the fact that it enables easier collaboration across different geographical locations, increases the ease of business mobility, and greatly reduces costs. These factors (and many more) create limitless opportunities that businesses can then pass on to their customers, and have led to the average organization generating more than 3.2 billion unique transactions in cloud services each month.
But with more cloud usage come more security threats. The McAfee 2019 Cloud Adoption and Risk Report states that the average enterprise organization experiences 31.3 cloud-related security threats each month. The same report also notes that the average organization experiences 12.2 incidents each month of an unauthorized third party using stolen account credentials to access corporate data stored in the cloud. Organizations also experience 14.8 insider threat incidents each month (94.3 percent of organizations experience at least one per month on average), and privileged user threats occur monthly at 58.2 percent of organizations (an average of 4.3 each month).
This is because increased cloud usage brings with it a rise in the amount of sensitive data in the cloud. The previously mentioned report also shows that nearly a quarter of all data stored in the cloud is sensitive and approximately 83 percent of organizations worldwide store sensitive data in the cloud.
These statistics clearly show that cloud security should be a top priority for any business, and while most cloud services are more secure than most on-premises setups, it is crucial to identify how to maintain and strengthen that security.
The first step is to identify and inform your team about cloud security risk factors. The simple answer is that with increased cloud usage comes the opportunity for more cloud threats, but other factors also contribute to this increased risk. According to the McAfee report, these include:
- Collaboration: Sharing data on the cloud is a common practice in businesses, with 48 percent of all files in the cloud being shared at some point.
- Misconfigurations: With 65 percent of organizations using some form of Infrastructure-as-a-Service (IaaS) and 52 percent using a form of Platform-as-a-Service (PaaS), it is worrying that the typical organization has an average of 2,269 misconfiguration incidents per month.
- Too much trust: In the report, 69 percent of respondents said that they trusted their cloud service providers (CSPs) to keep their data secure, and a further 12 percent claimed their CSPs are solely responsible for securing their data. The truth is cloud security is a shared responsibility between customers and their CSPs.
- Inadequate CSP security: While CSPs tend to invest in leading-edge security, not all use comprehensive security. Fewer than one in 10 CSPs encrypt data stored at rest, and only 19.2 percent support multi-factor authentication.
So how do you make your cloud security stronger? Well, there’s no one-stop-quick-fix, but there are several things you can do to mitigate cloud security risks. These include auditing IaaS and PaaS configurations; understanding which cloud services hold the majority of your sensitive data; extending data loss prevention (DLP) policies; and locking down data sharing.
But the number one way to alleviate some of these risks is to ensure that you are aligning with the correct CSP. When locating and choosing the CSP to work with, you should check that they are audited annually to ensure that they are meeting the requirements listed in SSAE 18 and SOC 1, Type 2, and have completed their SOC 2, Type 1 attestation. These American auditing standards provide customers with third-party assurance that the provider has the appropriate internal controls and operational procedures in place to protect customer data. An added bonus would be if the CSP is also audited for HIPAA compliance and meets PCI’s standard secure data hosting and processing practices for cardholder data.
Additionally, the CSP should conduct regular employee IT security training and have a vendor due diligence program. You should also make sure that you inquire about their managed security services offerings, as well as any data protection services, along with the service level agreements that accompany those services.
While cloud computing is a better way to run your business, as stated by Benioff, following these steps will ensure that data security is key, even in the cloud. Utilizing the cloud should not mean that your guard is ever down, as cybercriminals don’t see the cloud as a dead-end, but a wall… that can be climbed. So put some extra barbed wire at the top of that wall, with some spotlights and guard dogs.