It’s no surprise that the cloud has forever changed business as we know it. The ability to now access corporate information from virtually anywhere has created a huge difference between how we once managed our daily work lives and how we manage them today. However, with all the benefits cloud has to offer, there are also the inherent risks associated with effectively managing digital assets.
For most companies, the most challenging aspect of the cloud seems to be defining the processes needed to first identify the risks and then the path to mitigating those risks through actionable policies and tools. Creating a more secure cloud environment can be broken into three distinct categories (at least for this article).
Step 1. Identifying the Risks
This is probably the most logical place for most companies to start: identifying where most of the risks reside. However, in many cases, there is more than meets the eye. First, companies need to look at the risks inherent in the essence of cloud computing: the concept of Bring-Your-Own-Device and what impact that can potentially have on an organization.
For instance, unmanaged devices can present immediate control gaps within an organization—the potential for insider data leaks—that can allow data to be downloaded or moved to unknown/unsanctioned application and storage locations. Furthermore, there are also issues when enabling flexible and remote workforce scenarios that require native application use—all of which must be controlled and monitored for data exfiltration.
Then, of course, there are compliance violations. Under several regulatory mandates, such as the Gramm-Leach-Bliley Act (GLBA), New York State’s Department of Financial Services (NYDFS) Cybersecurity Regulation, and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to name a few, organizations must protect Non-Public Information (NPI), Protected Health Information (PHI), or Personally Identifiable Information (PII) from unauthorized use. This means that to control access to sensitive data and protect it, its location must be known or discoverable and manageable.
Next is the potential exposure from breaches associated with cloud service providers. Though this may sound odd, there are still many companies that think their data is safe and being looked after by a large, third-party provider. Although most enterprise-class cloud service providers have excellent security, an organization must also realize that these big providers are targets too and could become compromised.
There is also an element of rogue IT that must be addressed. Aside from sanctioned vendors that organizations may choose to do business with, what about the unsanctioned ones? Every day, we find our customers’ employees using unsanctioned cloud applications. For instance, in a recent audit we detected more than 700 apps in use by the employees of one of our customers. Moreover, in this particular case, there was nothing nefarious. It literally came down to unknown terms and conditions that may be susceptible to leaking sensitive data.
Step 2. New Rules and Processes
So once the gaps are identified, what next? Simply put, the need to implement security best practices, including policies, standards, guidance, and process, becomes paramount. It’s this governance that will create and monitor the rules of engagement for the company and its employees to ensure that everyone is aware of how important security is, and how to live by the rules every day.
Step 3. A New Age of Technology
Then there is the technology itself that needs to be addressed. This can take shape in a multitude of ways. For instance, the organization can leverage a Cloud Access Security Broker (CASB), which is required to centralize access, manage compliance, and deliver the actual data security for the cloud. Then, of course, there is the implementation of a key management platform to centralize key generation, rotation, and data destruction within the cloud itself.
Finally, there are the most critical management layers, which make up the Cloud Identity Governance strategy. They are required to incorporate Federated SSO (FSSO), Identity Provider (IdP), Privileged Access Management (PAM), and Access Governance into business-critical cloud applications. Then there are the tools that actually manage threat events for cloud services: centralized Security Information and Event Management (SIEM) and logging, and User and Entity Behavior Analytics (UEBA).
In all, this isn’t the easiest path to take for any organization regardless of size or resources. However, the lesson here is that it still needs to be done as the threats are very real, with lasting consequences. If it seems complicated, that’s okay—there are companies such as ours that help the biggest of enterprises secure their respective clouds every day. The most important thing here is to make a choice as soon as possible to implement real cloud security before the worst-case scenario happens.