Cloud computing is not just a fad anymore: Market analyst firm IDC predicts spending on public cloud services will exceed $127 billion in 2018 and account for more than half of worldwide software, server and storage spending growth. But despite the growing popularity of cloud services, trusting a third party with company data can be very taxing for security teams. Many cloud vendors have made significant investments in security and are proving capable of protecting systems and information better than most IT teams. But there are still things a company can do to play its part in cloud data loss prevention.
Identify cloud risk
Evaluating cloud provider security is a key part of selecting a cloud vendor. Industry press and word of mouth are still valid methods for sizing up a cloud provider, but you may also want to look to the Cloud Security Alliance (CSA) for input. The CSA has not only helped establish secure cloud computing standards, but it also has an assessment and certification program for various types of cloud services and providers.
The CSA's assessment questionnaire has become a de facto standard for companies looking to assess a cloud provider. When evaluating a cloud vendor, consider asking them if the company has, or is willing to provide, a completed copy of the Consensus Assessments Initiative Questionnaire or if it has achieved a CSA STAR (Security, Trust and Assurance Registry) certification. Either of those forms of assessment will provide valuable information regarding how the cloud vendor matches up to industry security standards.
Cloud security strategies
In addition to evaluating a cloud provider's security against industry standards, companies can learn to assess a provider's use of fairly standard security tools and best practices that help protect data. Two of the most common concerns for companies using cloud computing are: a) how to ensure only authorized users are accessing cloud data and b) knowing where and when data in the cloud moves or is transmitted.
For the first concern, many "cloud enabled" organizations rely upon two technologies to ensure authorized access: identity management and multifactor authentication. Identity management helps mitigate access control risks by centralizing provisioning/de-provisioning to give organizations more control over role-based access and single sign-on capabilities.
As with identity management, many organizations that use cloud services incorporate multifactor authentication to help secure access for cloud system administrators and users. Some products extend the login process past the typical user ID and password and include challenge/response questions, or use one-time-use codes sent to the user by email or text. Those who bank online are probably familiar with multifactor authentication already: Financial institutions were mandated to use the technology years ago under federal financial data protection requirements.
To monitor movement of data in the cloud, the key technologies involved are data classification and data loss prevention. Products are available to help organizations automatically recognize data according to preset rules or patterns and to apply "tags" or labels to that data identifying its sensitivity level. Data loss prevention solutions also incorporate classification techniques that monitor and even block sensitive files or data that might be attempting to leave the cloud environment when it shouldn't.
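The rule-based tagging and egress check described above can be sketched as follows. This is an added example, not code from the article or from any DLP product; the rule set, tag names, sensitivity levels and the trusted-destination flag are assumptions chosen for illustration.

```python
import re

def luhn_ok(digits):
    """Luhn checksum: drops 13-19 digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_ok(digits):
    """Drops SSN-shaped strings whose area, group or serial is never issued."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

# Preset rules (assumed for this example): tag, sensitivity level, pattern, validator.
RULES = [
    ("PAYMENT_CARD", 2, re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), luhn_ok),
    ("US_SSN", 2, re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("INTERNAL_MARKING", 1, re.compile(r"\b(?:confidential|internal only)\b", re.I), None),
]
LEVELS = ["public", "internal", "restricted"]

def classify(text):
    """Return the tags that apply to text and its overall sensitivity label."""
    tags, level = set(), 0
    for tag, rule_level, pattern, validator in RULES:
        for match in pattern.finditer(text):
            digits = re.sub(r"\D", "", match.group())
            if validator is None or validator(digits):
                tags.add(tag)
                level = max(level, rule_level)
                break  # one validated hit is enough to apply the tag
    return {"tags": sorted(tags), "sensitivity": LEVELS[level]}

def egress_decision(text, destination_trusted):
    """DLP policy: for untrusted destinations, block restricted data and alert on internal data."""
    label = classify(text)["sensitivity"]
    if destination_trusted or label == "public":
        return "allow"
    return "block" if label == "restricted" else "alert"

# Constructed sample messages (4111 1111 1111 1111 is a well-known test card number).
SAMPLES = [
    "Customer card 4111 1111 1111 1111, confidential",
    "Order ref 4111 1111 1111 1112 shipped",  # fails Luhn, so it is not tagged
    "SSN on file: 123-45-6789",
    "Internal only: Q3 roadmap draft",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), egress_decision(sample, destination_trusted=False))
```

The validators are what keep a pattern-only rule from tagging every long digit run, such as order references or tracking numbers, as card data.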
Choose the right encryption option
Since effective security is all about layers of protection, perhaps one other key technology to consider for help with cloud data loss prevention is encryption. Whether it's for cloud-based email or a more traditional application being hosted by a cloud vendor, data encryption provides added protection from cloud vendor employees who might want to snoop around your information and hackers seeking to steal it.
In the past, an argument could be made that encryption products were few in number, hard to deploy and incompatible with many systems. This was all largely true. Today, however, many cloud providers offer encryption capabilities with options for either the cloud provider to manage the encryption keys or for the customer to do so.
Even though managing your own encryption keys requires administrative responsibility from the company's IT team, it provides the most control over encryption. As for encryption solutions, many products on the market are designed to protect unstructured data such as files and databases; others are for structured data like Social Security and credit card numbers. Even more prevalent are encryption solutions for email and messaging.
Cloud computing is definitely here to stay and its data protection challenges are something that all security and compliance teams will likely have to address at some point. Knowing how to assess and find the right cloud vendor for your needs can make cloud computing an effective option for your organization. Implementing a few key strategies and solutions such as identity management, cloud data loss prevention and encryption helps keep the cloud computing environment secure and IT leaders confident that data is protected.