Where does your cloud data live? 3 questions to ask

There’s a common thread behind every security pro’s cloud-related fears: control. Whether your company’s infrastructure revolves around a cloud-centric strategy or regulates cloud projects to a minor scale, the same security concerns dominate every interaction an organization could have with cloud services. Once your data is sent to a cloud provider, or an SaaS vendor using a cloud-hosted application, that company owns your information – on your end, good faith is all that can ensure its security.

Recently, a report from Blue Coat Systems’ Elastica Cloud Threat Labs examined data from 63 million documents stored in major cloud applications, such as Microsoft Office 365, Google Drive, Salesforce and Box. The team found that one in 10 of the documents contained sensitive data – such as personally identifiable information, source code, health and financial information, and more. The report also highlighted the top three security threats facing organizations that use cloud apps: data theft, data destruction and account takeovers.

Here’s the good news: in some ways, data security is a long process of learning from previous mistakes. Organizations using the cloud in any capacity can use the above findings as a guide for protecting data. To begin, ask the below questions at the start of any new cloud project.

1. Can my SaaS provider destroy sensitive data?

Sometimes, your cloud-based data must cease to exist. You might need to close an account, delete a file or format a database of outdated information. Often, SaaS vendors assure users they can manage data disposal, but their processes might not match your internal standards. The provider might also rely on another third-party IaaS or virtualization provider to help with the procedure, further complicating the matter. Yet, if your supposedly deleted data were eventually uncovered, your company would still be its owner – and would therefore, be at fault.

With account takeovers nearing the top of Blue Coat Systems’ threat list, this issue is particularly relevant. SaaS applications face an increased risk of account takeover attempts, as they often consist of self-contained platforms with on-premises monitoring and data management tools. Once an account is compromised, data can be automatically decrypted, as the intruder becomes an authorized user. Customers of such services are rarely made aware of such account takeover attempts until it’s too late to protect their data.

Always seek transparency from your SaaS partners about their methods for handling and disposing of data, and when possible, ask for guarantees. Even better, avoid sending sensitive data to a third party in the first place. To accomplish this, you’ll need to find that data before it goes to the cloud.

2. Are we overlooking sensitive information in our data?

According to the Ponemon Institute, 93 percent of organizations are unable to locate and analyze unstructured data within their storage – and 64 percent are unsure where sensitive data resides. Companies are constantly making the mistake of thinking their most sensitive information exists in structured, organized and monitored files. Then, during an audit or following a security breach, those teams recognize that sensitive or proprietary information was hiding in unstructured data stores.

The metric by which organizations measure their security posture needs to evolve, and encompass the five W’s: who’s accessing data, what they’re doing with it, when each user last opened each file, where files were moved within a system and why users followed certain motives. Approaching data security with this framework helps prioritize companies gaining visibility into their own data, and recognizing that ignorance is not bliss – instead, it’s an open invitation for a data breach.

3. Will my cloud provider’s security measures negate the intended cost savings of the cloud?

Data security is a major investment for most organizations – between compliance training programs, network and endpoint security controls and increased security personnel. However, many of these controls can’t apply to SaaS environments, or they come with a premium cost added to the baseline price tag of a service. For customers, these expenses are sometimes unexpected, and can eliminate the cost savings that were the initial goal of a cloud project. If such controls are waived and a security breach occurs as a result, the remediation process can prove taxing in ways that extend beyond cost savings.

There’s no reason to fear the cloud – but there’s also no reason to dive into a cloud project with the intention of cutting IT costs, only to sacrifice the security or privacy of your data.