This week the U.S. Open heads to the Pacific Northwest for the very first time. Chambers Bay Golf Course in Washington State will play host. Anyone familiar with this course knows “there aren’t traditional golf hazards, like water and trees, but there is trouble everywhere at Chambers Bay” says one sports blogger.
It’s a similar scenario for IT and security pros responsible for management of their organization’s cloud usage. Cloud apps are ubiquitous and the associated IT challenges are many. More than half of respondents to a Ponemon study say their organization currently transfers sensitive or confidential data to the cloud. Still, more than half of IT professionals admit not having a complete picture of where their sensitive data lives.
In the spirit of U.S. Open golf tournament and the 18 tricky holes at Chambers Bay, Perspecsys will caddy for a full round with tips and tricks to avoid the hazards – the privacy, compliance and security hazards of cloud computing – and guide you confidently through the course to realize the full benefits enterprise cloud adoption can offer.
The front nine: Hazards
1. Users don’t realize the risks: Business users see cloud apps as productivity enhancers. Meanwhile, IT doesn’t know how corporate data is being used in the cloud. Business users are signing up for cloud services and not following formal IT and Security policies.
2. Cloudy terms and conditions: The policies and standards your organization adheres to regarding the treatment of data are likely not shared by the cloud service provider. Yet, when users sign up for cloud apps, they agree to the associated terms and conditions.
3. Virtual exploits: Virtualization technology is a core component of a SaaS cloud service provider’s infrastructure. Virtualization carries its own threats and risks. As cloud users, don’t be left in the dark on what virtualization products your CSP is using and take steps to mitigate risks if required.
4. Authentication and access control measures: A Perspecsys study shows almost 31 percent of respondents do not allow employees to access corporate data in cloud apps from their mobile devices. Simply blocking access will not be a viable option for long, so it’s time to be proactive and put long trusted security measures in place to make sure that no matter where your data is or on what device it resides, it is protected.
5. Cloud data control challenges: The cloud’s compelling efficiency and cost benefits are running into serious data compliance and privacy concerns that are inhibiting its widespread adoption. Adopting a public SaaS cloud equates to handing your data – even the sensitive and regulated data – over and organizations are grappling with issues created when they relinquish control of their sensitive data to cloud service providers.
6. Data residency restrictions: Companies frequently find that certain types of customer information needs to be kept within a defined geographic jurisdiction, making the use of cloud solutions based in other parts of the world extremely difficult. Increasingly strict residency requirements, being put in place as a result of surveillance and data privacy concerns, are a significant challenge to cloud adoption.
7. Data privacy responsibilities: Business data often needs to be guarded and protected more stringently than non-sensitive data. The enterprise is responsible for any breaches to data, whether they store it onsite or in the system of a CSP, and must be able ensure strict security measures are in place regardless of where the data resides.
8. Industry and regulation compliance: Organizations often have access to and are responsible for data that is highly regulated and restricted. Many industry-specific regulations such as GLBA, CJIS, ITAR and PCI DSS, require an enterprise to follow defined standards to safeguard private and business data and to comply with applicable laws.
9. B2B Contractual Clauses: Businesses providing services for other businesses are increasingly seeing contractual clauses requiring business data that is maintained by the service provider to be treated in certain ways. For example, if business data is placed in 3rd party cloud systems, additional safeguards need to be put in place to ensure it is adequately protected.
The back nine: Winning tactics
1. Openness: Just as the U.S. Open is open to any golfer, IT needs to look for conditions related to openness, such as adherence to industry standards and the ability of security solutions to integrate with one another so that trust in the cloud is established.
2. Get a grip on your data: With information flowing more freely than ever in today’s digital economy, tracking sensitive data becomes an increasingly difficult task. Get familiar with data-centric security tools that work in and outside the company’s walls, in particular, cloud data encryption and tokenization.
3. Test: “Testing for network, logical and architectural security risks will be a very important strategy,” says John Overbaugh of Caliber Security Partners. “Security testing in the cloud does change things, but it’s not impossible,” he continues. “It’s important to plan ahead, to communicate the changes in your test strategy, and to set appropriate expectations with your management. Above all, it is critical to communicate before and during your testing – primarily with your cloud provider, but also with your IT and security organizations.”
4. Back it up: Having backups of your data is always a good idea whether it is stored in the cloud or not.
5. Use more than one cloud service: A multi-cloud strategy minimizes the risk of widespread data loss or downtime due to a localized component failure in a cloud-computing environment. Develop a security platform that allows the business to implement consistent data protection policies across multiple cloud services, preferably one that does not involve complex key management or policy administration.
6. Educate employees on security: People, processes and technology all need to play critical roles in ensuring adequate safeguards are in place. Proactive steps can be taken to avoid costly mistakes.
7. Establish comprehensive data governance policies: Governance needs to be clearly established and policies need to be put in place to ensure compliance with internal and external data privacy mandates. Data should be classified based on sensitivity and the correct data security techniques need to be applied to each class of data.
8. Implement data security services: Consider offering security services such as “encryption-as-a-service” or “tokenization-as-a-service” to business units within the enterprise to enable compliant cloud use/adoption while protecting data being processed and stored in the cloud.
9. Do encryption right: Do not store encryption keys in the software where you store your data. IT teams need to keep physical ownership of encryption keys as well as vet the strength of the encryption techniques being used. And don’t forget data in-use. Data in use is, effectively, the data that has been loaded into a process and is in the memory of the program that is running. In general, this data is in the clear while being processed and is typically not protected by techniques such as the in-cloud based encryption provided by the cloud service provider. Make sure you own the entire encryption process of your sensitive and regulated data.