The 2015 U.S. Open capped off with a thrilling finish against a backdrop of breathtaking views of the Pacific Northwest. Chambers Bay Golf Course in Washington State played host. Anyone familiar with this course knows that “there aren’t traditional golf hazards, like water and trees, but there is trouble everywhere at Chambers Bay,” as one sports blogger wrote.
It’s a similar scenario for IT and security pros responsible for management of their organization’s cloud usage. Cloud apps are ubiquitous and the associated IT challenges are many. More than half of respondents to this Ponemon study say their organization currently transfers sensitive or confidential data to the cloud. Still, more than half of IT professionals admit to not having a complete picture of where their sensitive data lives.
In the spirit of the U.S. Open golf tournament and the 18 tricky holes at Chambers Bay, Perspecsys will caddy for a full round with tips and tricks to avoid the hazards – the privacy, compliance and security hazards of cloud computing – and guide you confidently through the course to realize the full benefits enterprise cloud adoption can offer.
Common Cloud Hazards
Click through for a full round of tips and tricks to help you avoid the privacy, compliance and security hazards of cloud computing and guide you to the benefits of enterprise cloud, as identified by Perspecsys.
Users Don’t Realize the Risks
The Front Nine: Hazards
Hazard #1: Users don’t realize the risks.
Business users see cloud apps as productivity enhancers. Meanwhile, IT doesn’t know how corporate data is being used in the cloud. Business users are signing up for cloud services and not following formal IT and security policies.
Cloudy Terms and Conditions
Hazard #2: Cloudy terms and conditions
The policies and standards your organization adheres to regarding the treatment of data are likely not shared by the cloud service provider. Yet, when users sign up for cloud apps, they agree to the associated terms and conditions.
Hazard #3: Virtual exploits
Virtualization technology is a core component of a SaaS cloud service provider’s infrastructure. Virtualization carries its own threats and risks. As cloud users, don’t be left in the dark on what virtualization products your CSP is using and take steps to mitigate risks if required.
Authentication and Access Control
Hazard #4: Authentication and access control measures
A Perspecsys study shows that almost 31 percent of respondents do not allow employees to access corporate data in cloud apps from their mobile devices. Simply blocking access will not be a viable option for long, so it’s time to be proactive and put long-trusted security measures in place to make sure that no matter where your data is or on what device it resides, it is protected.
Cloud Data Control Challenges
Hazard #5: Cloud data control challenges
The cloud’s compelling efficiency and cost benefits are running into serious data compliance and privacy concerns that are inhibiting its widespread adoption. Adopting a public SaaS cloud equates to handing over your data – even the sensitive and regulated data – and organizations are grappling with issues created when they relinquish control of their sensitive data to cloud service providers.
Data Residency Restrictions
Hazard #6: Data residency restrictions
Companies frequently find that certain types of customer information needs to be kept within a defined geographic jurisdiction, making the use of cloud solutions based in other parts of the world extremely difficult. Increasingly strict residency requirements, being put in place as a result of surveillance and data privacy concerns, are a significant challenge to cloud adoption.
Data Privacy Responsibilities
Hazard #7: Data privacy responsibilities
Business data often needs to be guarded and protected more stringently than non-sensitive data. The enterprise is responsible for any breaches to data, whether they store it onsite or in the system of a CSP, and must be able to ensure that strict security measures are in place regardless of where the data resides.
Industry and Regulation Compliance
Hazard #8: Industry and regulation compliance
Organizations often have access to and are responsible for data that is highly regulated and restricted. Many industry-specific regulations such as GLBA, CJIS, ITAR and PCI DSS, require an enterprise to follow defined standards to safeguard private and business data and to comply with applicable laws.
B2B Contractual Clauses
Hazard #9: B2B contractual clauses
Businesses providing services for other businesses are increasingly seeing contractual clauses requiring business data that is maintained by the service provider to be treated in certain ways. For example, if business data is placed in third-party cloud systems, additional safeguards need to be put in place to ensure it is adequately protected.
The Back Nine: Winning Tactics
Winning Tactic #1: Openness
Just as the U.S. Open is open to any golfer, IT needs to look for conditions related to openness, such as adherence to industry standards and the ability of security solutions to integrate with one another so that trust in the cloud is established.
Get a Grip on Your Data
Winning Tactic #2: Get a grip on your data.
With information flowing more freely than ever in today’s digital economy, tracking sensitive data becomes an increasingly difficult task. Get familiar with data-centric security tools that work inside and outside the company’s walls: in particular, cloud data encryption and tokenization.
Winning Tactic #3: Test.
“Testing for network, logical and architectural security risks will be a very important strategy,” says John Overbaugh of Caliber Security Partners. “Security testing in the cloud does change things, but it’s not impossible,” he continues. “It’s important to plan ahead, to communicate the changes in your test strategy, and to set appropriate expectations with your management. Above all, it is critical to communicate before and during your testing – primarily with your cloud provider, but also with your IT and security organizations.”
Back It Up
Winning Tactic #4: Back it up.
Having backups of your data is always a good idea whether it is stored in the cloud or not.
Winning Tactic #5: Use a multi-cloud strategy.
A multi-cloud strategy minimizes the risk of widespread data loss or downtime due to a localized component failure in a cloud computing environment. Develop a security platform that allows the business to implement consistent data protection policies across multiple cloud services, preferably one that does not involve complex key management or policy administration.
Winning Tactic #6: Educate employees on security.
People, processes and technology all need to play critical roles in ensuring adequate safeguards are in place. Proactive steps can be taken to avoid costly mistakes.
Data Governance Policies
Winning Tactic #7: Establish comprehensive data governance policies.
Governance needs to be clearly established and policies need to be put in place to ensure compliance with internal and external data privacy mandates. Data should be classified based on sensitivity and the correct data security techniques need to be applied to each class of data.
Data Security Services
Winning Tactic #8: Implement data security services.
Consider offering security services such as “encryption as a service” or “tokenization as a service” to business units within the enterprise to enable compliant cloud use/adoption while protecting data being processed and stored in the cloud.
Winning Tactic #9: Do encryption right.
Do not store encryption keys in the software where you store your data. IT teams need to keep physical ownership of encryption keys, as well as vet the strength of the encryption techniques being used. And don’t forget data in use. Data in use is, effectively, the data that has been loaded into a process and is in the memory of the program that is running. In general, this data is in the clear while being processed and is typically not protected by techniques such as the in-cloud-based encryption provided by the cloud service provider. Make sure you own the entire encryption process of your sensitive and regulated data.