Steps for protecting customer data in the cloud
Data breaches remain a top concern of organizations when it comes to data in the cloud. Sensitive data can be disclosed by targeted attack, human error, vulnerabilities or poor security practices.
We’ve seen several examples of cloud data breaches lately. For example, as is widely known, on July 13 of this year the personal data of more than six million Verizon customers was accidentally made public, illustrating the risks of human error in the cloud. An employee at NICE Systems – a third-party service provider – misconfigured security settings, exposing to the public a cloud-based data repository on Amazon’s S3 storage service that contained sensitive customer information. Such incidents could easily occur in other Amazon services such as Elastic Compute Cloud.
So how does an organization prevent risks like these when working with the cloud?
First, it’s important to understand the different types of cloud options available.
There are different alternatives available for working with the cloud, and each one offers varying levels of flexibility, control and management. They also offer different deployment types and diverse data security considerations. Two of the more common and early models are Enterprise File Sync and Share (EFSS) and Infrastructure as a Service (IaaS).
With EFSS, there are more than 140 cloud providers offering a variety of features and benefits. Many enterprises hesitate to adopt these technologies, however, because they lose control over the security of their data.
With regard to IaaS, Amazon Web Services and Microsoft Azure dominate the market. Cloud service providers (CSPs) like Amazon Web Services have a shared responsibility model when it comes to data security.
Whichever model is chosen, companies are ultimately responsible for the security of their customers’ data within the cloud.
Once a cloud approach has been determined, enterprises need to address a variety of security-related issues to protect their data. They should consider completing a cloud security checklist, which includes determining which data they need or wish to protect and establishing whether different kinds of data need different controls.
Businesses should also evaluate their data security model to determine whether they have one solution in place or several and, if more than one, whether they work together well in the cloud. It’s also critical that executives are on board with what’s needed and that they are champions of data security for the organization, or efforts may be destined to fail.
To reduce data security risks -- and support regulatory compliance -- organizations need to use an encryption and key management solution. Encryption is a necessity, and it’s particularly important to ensure encryption keys are not controlled by anyone outside of the enterprise.
With encryption, data is protected not only from outside hackers but also from inside risks: even if it is breached or leaked, the information has been turned into ciphertext that can only be read by someone who holds the key to decrypt it. Users who do not have access to the key will not be able to read any of the data. That’s why it’s also critically important to make sure that your encryption and key management solution does not give access to, or control of, your keys to anyone outside of your organization.
Businesses should also establish and apply identity and access control policies and procedures to make sure that only those who truly need access to any given data or workloads have it. In addition, it’s key for enterprises to track their data and train all users on data security policies to ensure data remains protected.
The bottom line is that regardless of cloud approach, organizations can’t defer the responsibility to protect their data. Ultimately, they are responsible for protecting their own information and workloads in the cloud. If they don’t, it’s their business that gets the fines and lawsuits, suffers the reputation blow and ultimately loses customers. Companies are responsible for the trust customers put in them -- nobody else.