Three Keys to Managing Data Security in the Cloud
Scan any business or technology journal today, and you’ll find a growing and impressive list of reasons to move at least some of your business to the cloud: bigger storage, better productivity and collaboration, lower IT costs and faster time to market. But if you’re still eyeing the risks involved in moving your company’s data out of your direct control and into the cloud, you’re not alone.
One recent survey showed that an overwhelming 93% of respondents are concerned about cloud security. Another showed that 60% of businesses are tapping the brakes on cloud adoption because of questions around data security and privacy.
Of course, it’s always critical to identify and consider how to manage the risks, but that shouldn’t keep you from moving forward with cloud initiatives. Instead, use your concerns as a prompt to examine how your company plans to use the cloud and what it will take to keep your data safe.
What are you worried about?
IT teams keep data safe on premise by knowing which data is sensitive, where it’s stored and who has access. But as data and applications move to the cloud, those details get harder to nail down.
Lack of visibility
The downside to employees being able to easily install applications themselves is that IT may not even know when sensitive data has moved to the cloud. And if IT doesn’t know data has moved, how can they make sure appropriate protections are in place? For instance, an accounting team that sets up NetSuite on its own may select user settings that allow improper access to financial data. Similarly, an employee using Dropbox could easily store confidential files in an unsecured public folder.
Loss of control
Moving company data to the cloud raises some big questions. For instance:
- Who and how many people within the cloud service provider’s organization will have access?
- Where will data be stored, backed up or restored after a loss?
- What happens to data that’s no longer needed?
- Who owns sensitive data and intellectual property that’s stored by the provider?
Concerns over multi-tenancy
Other concerns arise when companies share infrastructure, data, or applications in the cloud. For instance:
- Can other organizations that are using a shared service access your data?
- Does the shared service provider have weak controls that could create an avenue for attack on your data?
Your cloud service provider, who may have far greater resources to bring to bear on security than you do, has some responsibility for data security in the cloud. But that responsibility is understandably limited to things the provider has control over, like their own servers or other cloud infrastructure components. The reality is that while you may sign an agreement with your cloud provider that says you will jointly protect your data, ultimately much of the responsibility lies with you. That’s why it’s important to do your part to keep your data secure.
Here are the 3 keys to managing risk in the cloud
1. Regain visibility into your data
Begin by asking the following questions within your own company to help determine your data security exposure.
- Are people already using cloud services? If so, why?
- Does any company data already reside in the cloud?
- If a move to the cloud is in the works, who’s responsible for choosing a vendor and deciding which data will move?
Next, make sure you understand the risks associated with storing different kinds of information in the public cloud. For instance, storing previously disclosed financial data from a publicly held company in the cloud is probably fine, but you’ll want to think twice before allowing confidential financial data to move off premise.
You should also clearly understand any compliance constraints that might affect where you store data. What rules and regulations apply to your company, clients and industry? For instance, hospitals and insurers must comply with the Health Insurance Portability and Accountability Act (HIPAA), which requires encryption for data in motion and at rest. Any companies that deal with credit card information must comply with the Payment Card Industry Data Security Standard (PCI), and companies in Europe need to be mindful of the strict standards set forth in the EU Data Protection Act. You may even have some clients whose service level agreements (SLAs) don’t permit cloud computing at all.
Once you understand the compliance requirements for your company, the next step is to establish or strengthen your data security policies. Using well accepted security standards will provide guidance and a solid foundation to develop and appropriately maintain your security policy. One well utilized standard is ISO27001/2, but companies with government contracts may want to study the NIST cybersecurity framework and FedRAMP requirements. Businesses in the healthcare space should look at HIPAA additionally, and e-commerce companies will need to consider adding PCI requirements.
One of the security policies with the most immediate impact on employees managing data more securely is data classification. It ranks data by sensitivity level and spells out how to handle the data based on such ranks (classes). For instance, personally identifiable information, which is typically classified as confidential information, may include a handling procedure that it cannot be sent via an email and/or cannot be stored in the cloud without encryption. Often documented in a table form, employees can readily refer to the table and handle the data accordingly when they are dealing with non-public data. Finally, build in a mechanism to monitor compliance with these controls so you know how and when to adjust them.
2. Perform your due diligence
The best way to deal with loss of physical, on-premise control is to select a stable, reliable service provider that can protect your data at least as well as you can. Begin by reviewing the provider’s security posture, including technical architecture, encryption, audit procedures, data ownership and deletion policies, and plans for business continuity and disaster recovery.
As you begin to evaluate service providers, use the following questions to help guide your decision-making:
- Are these controls in place and operating?
- Are there any gaps or exceptions?
- Consider business practices as well – for instance, how does the provider screen new hires and handle identity and access management?
- Do they conform to standards like PCI or ISO that align with your compliance needs?
- Are their finances stable?
One of the most efficient ways to evaluate a provider’s security posture is to review its independent reports such as Service Organization Controls (SOC) or security assessment reports. If they aren’t available, pose your own questions and verify responses or move on to another provider.
Make sure you see this information reflected in your contract before you sign an agreement, and then continue to monitor and review their security posture at least yearly. Keeping tabs on these details is especially important if you’re using multiple cloud providers. Don’t forget about the subservice providers that your provider is using. Remember, your data security is only as strong as your weakest link.
3. Address multi-tenancy
Addressing this concern starts with understanding that cloud computing has and continues to mature for managing multi-tenancy – particularly when it comes to enterprise providers like Amazon and Microsoft. However, not everyone can afford these services, so it’s important to be sure that smaller providers can reliably prevent other customers from accessing your data.
Companies that subscribe to software hosted in the cloud (software as a service, or SaaS) should look for database segmentation, while companies using infrastructure as a service (IaaS) should look for separation of virtual machines at the hypervisor level, along with a clear explanation of how that separation is achieved. This information will help you know where your cloud provider’s responsibility for your data ends and yours begins.
Bringing It All Together
While the risks around data security in the cloud are indisputably real, cloud computing has come a long way – and providers now have a great deal more expertise in managing those risks. Paying close attention to how your company and your service providers handle data in the cloud, will help you craft a robust risk management strategy that addresses all of your concerns – and protects your company’s information no matter where it resides. With cyberattacks on the rise, it’s also likely that at some point your company may face a security breach. Therefore, detecting the security incident in a timely manner and having a solid security incident response plan will be critical.
If you need some outside help, Bridgepoint Consulting has a team of industry experts who can help you navigate the complexities of cloud risk management. We provide advisory services to help companies of all sizes solve complex challenges and support a broad range of organizational transformation services. Learn more about our comprehensive Risk & Compliance services here.
Meet the Authors
David Roe has over 25 years of experience in internal audit, accounting management, and corporate governance/compliance. As Managing Director for Bridgepoint’s Risk & Compliance practice, David leverages his expertise in understanding business issues, people management and technical skills to help companies achieve sustainable risk management and compliance solutions. He can be reached at email@example.com. Connect with David on LinkedIn
Vicki Humphrey has more than 20 years of experience managing Cybersecurity and IT compliance projects, as well as IT strategy and system development projects.
As a Manager for Bridgepoint’s Risk & Compliance practice, Vicki helps our clients with their IT risk strategy and execution. She can be reached at firstname.lastname@example.org. Connect with Vicki on Linkedin
You May Also Like:
Follow us on Twitter and LinkedIn for the latest insights, best practices and resources to help grow and manage your business.