How to address threats and secure your data in the cloud

Enterprise cloud adoption is exploding as companies pursue the promise of operational efficiency, agility, flexibility, and profitability. But every technology has its drawbacks, and a lack of ownership and control accompany the benefits of cloud, opening attack vectors and drawing the attention of hackers.

The average enterprise organization experiences 31 cloud-related security threats each month, including insider threats (both accidental and malicious), privileged user threats, and compromised accounts, according to McAfee’s 2019 Cloud Adoption and Risk Report.

The report, which analyzes areas of risk in cloud computing, emphasized the need for organizations to match the steady increase in cloud adoption with a stronger focus on data security.

The use of cloud services is ubiquitous

The cloud services industry is growing exponentially. According to Gartner, the worldwide public cloud services market is projected to jump 17.5% in 2019 to total $214.3 billion, up from $182.4 billion in 2018.

Large volumes of sensitive data are already sitting in the cloud and will continue to grow. According to McAfee, the total amount of confidential data stored in the cloud has risen 28% over the past two years, and 21% of all files in the cloud now contain sensitive data.

We are already seeing bad actors compromise data in the cloud. Organizations including Dow Jones, Verizon, Tesla, Honda, Accenture, and Uber have all reported cloud-related breaches.

Through 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials, or insider theft, not cloud provider vulnerabilities. — Gartner

Cloud security is a two-way street

As sensitive data continues to move from servers we own to services we use, so does the risk we need to address. While cloud service providers have launched new security technologies to counter attacks, they cannot fully protect their customers’ assets.

Security in the cloud is a shared responsibility, and you need to understand your own accountability. Providers protect the physical infrastructure — ensuring security of the cloud. However, no matter what platform you use, it’s up to you to secure user access, as well as the data you put in the cloud.

Image source: McAfee’s 2019 Cloud Adoption and Risk Report

Developing a secure cloud approach

Effectively addressing cloud security challenges requires a strategy that carefully considers the cloud service models being used, and includes the appropriate security architecture, controls, and policies.

While security concerns vary based on the model — infrastructure as a service (IaaS), platform as a service (PaaS), or software as a service (SaaS) — several controls can contribute to a secure architecture across all three:

• Identity and access management (IAM) solutions: single sign-on and access management
• Hybrid multi-cloud solutions: virtual firewalls and security event management
• Data protection controls: data discovery and data loss prevention (DLP) tools
• Cloud access security brokers (CASBs)
• Encryption/key management
• API gateways/API management solutions

While many companies are using platforms such as Microsoft Azure and Amazon Web Services (AWS) to rapidly adopt the cloud from the top down, it is important to take a programmatic approach to cloud security. Perform a comprehensive assessment to establish security requirements for all impacted data, processes, and applications prior to migration.

Focus on building a strategy that aligns with your overall security and business goals. Start with the architecture and develop effective data security, IAM, and migration strategies before moving applications and data to the cloud. Put in place the development resources, tools, and processes that facilitate the provisioning, management, orchestration, and automation of workload deployment and security.

Staff should also be trained, hired, or contracted to ensure your organization has the skill sets needed to understand and manage the different cloud models and vendors. The Cloud Security Alliance — a not-for-profit organization “dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment” — has useful guidelines.

Securing data is your responsibility, but you don’t have to do it alone

Cloud adoption and increased data protection go hand in hand. As more and more sensitive data moves to the cloud, protecting it is critical not only to cybersecurity, but to keeping up with evolving regulatory requirements and maintaining customer trust. By taking ownership of data security, you can reap the benefits of the cloud without compromising your business.

Many organizations lack the tools and processes they need to ensure effective security in the cloud. Professional assessments conducted by a vendor-independent technology partner can help you gauge your current capabilities, and develop an actionable roadmap for maturing your organization’s cloud security posture.

To learn more about security best practices, contact your SHI account executive.

Anne Grahn contributed to this post.