Corporate cloud use has gained immense popularity in recent years, extending the systems on which enterprise data is stored at a time when regulatory requirements and increasingly sophisticated cyberthreats make data protection more critical than ever before.
The ease of cloud technology implementation further complicates matters. Any business unit or individual has the ability to set up a cloud-based service where organizational data can be created, stored and transmitted -- often without the knowledge of IT leaders.
The confluence of these factors has made threats to cloud data security a big factor when considering cloud services. Organizations must guarantee data access when and where users need it, while still protecting proprietary and sensitive information against hackers, outages and shadow IT.
"This has transformed overnight the ability to secure organizational data," Chris Johnson, chairman of the IT security community at CompTIA, an IT trade group, said.
Many IT executives, cybersecurity officers and analysts compare threats to cloud data security to an arms race, because organizations must continually up their arsenal against constantly escalating vulnerabilities. But they also say that new technologies and maturing best practices have strengthened the cloud's security posture.
Jeff Margoliesprincipal of Deloitte's Cyber Risk Services
"Cybersecurity is a shared responsibility between the cloud provider and the enterprise," Jeff Margolies, principal of Deloitte's Cyber Risk Services, said.
Margolies and other IT/cybersecurity experts said no one strategy will work for all data held by all organizations. Instead, companies must determine what information is most important, from a security standpoint, and incorporate their own cybersecurity capabilities with the cloud vendors' ability to provide required data protection.
The following are strategies and tools that can help offset threats to cloud data security:
Classifying the data and protecting it at corresponding levels. Executives at healthcare system HMS, based in Irving, Texas, started to analyze its data four years ago to determine what could go off-premises and what, due to heightened sensitivity or value, would never leave its on-premises systems, Cynthia Nustad, executive vice president and CIO at HMS, said.
"Inventorying, collecting, assessing all data in the company -- it's an endless task, but that's a foundational capability," she said.
Brian Walker, managing director for Accenture's technology strategy practice, agreed.
"The devil is in the detail when managing data," he said. "Some information must be available on an on-demand basis, other information might be historical and doesn't need immediate access and there's information that has to have a high degree of protection. That segregation, that stratification is vital, but it's done far less than you'd expect."
Walker explained that knowledge is critical to assign the right level of security protection and avoid high costs.
"Any time you add a control, add some of those restrictions to access, you're incrementally adding to your costs and it will add to the complexities so it should correspond to the value of the data," he said.
Vet cloud provider security practices and your contracts with them. Cloud proponents often point out that cloud vendors have more resources to put into security than many organizations -- particularly small and midsize ones -- but not all cloud provider security measures meet each organization's data protection requirements.
Walker advises companies to review cloud provider security policies and practices, as well as carefully analyze how the contracts are structured. Companies need to ask several questions:
- What security measures will the vendor be responsible for?
- What are the vendor's data security procedures, and how can the company audit these efforts?
- What data encryption methods are used?
- Who has access to the data in the environment, and what security checks are placed on those individuals?
"You have to be very specific about how you're going to operate with this third party. You need to be prescriptive," he said, adding that many companies, when signing on with a cloud vendor, "throw cybersecurity over the wall and hope it works."
Margolies said organizations also must consider the type of cloud they're using. For example, an organization that uses infrastructure as a service can expect the vendor to manage infrastructure risks, while the organization itself manages vulnerabilities throughout the rest of the stack.
Keeping up with the basics, but adding the latest technology tools. Companies often have data leak out of enterprise control, as business units and individuals store corporate information in their own cloud-based storage, Johnson said. But Johnson, who is also CEO of Untangled Solutions, said policies and guidelines -- and educating employees about them -- remain critical cybersecurity tools.
Traditional security measures can't be ignored, either.
"As a company, we take a defense-in-depth strategy: We have layers of security," Nustad said. "It's a healthy practice, but now you have other solutions emerging: tools to solve a problem that sits between that defense in depth and the cloud."
Margolies pointed to cloud access security brokers (CASBs) as one new technology to watch. CASBs offer security policy enforcement: Working between the users and the cloud vendors, CASBs make sure enterprise security policies are followed when users access cloud-based resources. They can be deployed either on-premises or in the cloud and consolidate security policies such as authentication, encryption and device profiling.
Broadening the discussion. Candy Alexander, a board member of ISSA International, said another important step for companies is to think about data security more holistically.
"It's a very strategic conversation to have, and it's not just an IT issue or a security issue," Alexander, who is also senior governance, risk management and compliance (GRC) consultant with Towerwall, an IT security services provider for small and medium-sized businesses, said. "It's a holistic business discussion. And when you have that conversation, you have to realize, whether it's on-premises or in the cloud, it's important to understand that ultimately it comes down to the data and the risks to that data."
Learn why security vendors and cloud providers are rallying around cloud identity standards, and how cloud backup providers bolster healthcare data security. Then, read about 11 top cloud security threats to keep on your radar.