Remaining compliant in the cloud
High-profile data breaches appear in the headlines daily, forcing some of the world's most famous brands to disclose that millions of customer records have been exposed, and resulting in massive regulatory fines. This is why, for CIOs of large organisations, cloud security is a major concern and a potential barrier to cloud adoption.
As they move their workloads to cloud platforms, they need to make sure that their data, workloads and processes meet all applicable regulatory and compliance requirements, says Andrew Sjoberg, CTO at DRS, a Cognosec AB company.
"The most important thing businesses need to do is to understand the challenges. The first challenge is understanding that responsibility for security and compliance is shared, although the onus is ultimately on the organisation, not the cloud provider. Some businesses simply don't understand the responsibilities, and end up with critical security gaps in the cloud, by assuming it's the provider's responsibility."
The second challenge, he says, is to understand the ways in which data can be compromised within the organisation. "Perhaps the most common way data can be compromised is through staff members who inadvertently or deliberately put company data at risk. Some ways are more widespread though, such as staff downloading data from a secure cloud service and then uploading it to a less secure service. Make sure they are educated not to use lesser known, potentially insecure cloud services, and understand that using them poses a risk to corporate data, and could expose their company to a non-compliance fine."
Another way employee behaviour puts corporate data at risk is by downloading it from an enterprise cloud service to a personal device that has no endpoint security, and is not managed by the company. "Ensure that your organisation has a BYOD policy in place that carefully governs and secures all personal devices that attach to the company network. Failure to do so could see corporate data lost or stolen."
According to Sjoberg, businesses also need to ensure that employees who are privileged users of a cloud service do not change security configurations, whether deliberately or by accident, in a way that weakens security.
"Moreover, always enforce the principle of least privilege to ensure no employee can access corporate data that is not strictly needed to do their job. Privileged users can be a major threat, and do serious damage, as they have high level permissions that can be abused with malicious intent, or by accident."
Shadow IT, or IT systems and solutions that are brought into and used inside the business without approval, is another compliance concern. "In the majority of cases, there isn't any malicious intent by users wanting to deploy unapproved technology and applications-as-a-service. They are only trying to be productive, and often feel the company isn't supplying the right tools."
However, he says the abundance of easily provisioned cloud applications has resulted in security and compliance risks to businesses. "A recent study revealed that a whopping 80% of individuals admit to using SaaS applications in their jobs that haven't been sanctioned by the company. And the majority of companies have no clue about just how much shadow IT is being used."
Companies need to be vigilant, and ensure that employees are not putting them at risk of falling foul of compliance, Sjoberg adds. "As the number of breaches involving the cloud continues to rise, they must train their staff, and start education programmes as part of their cloud security and compliance initiatives. If staff know the drill, and understand how to be secure when using company data in the cloud, they are unlikely to make a mistake that could end up costing the company millions."