Now, over 30,000 SaaS companies offer apps that are conveniently located in the cloud, enabling companies to quickly adopt new tools and store the application data elsewhere. In addition to storing application data, companies also turn to private or hybrid cloud configurations to collect and store business data.
New tools–and the data they produce–are creating incredible opportunities for companies to improve operations as well as the employee and customer experience. The cloud certainly offers a simple way to collect and store information, but with every new piece of data and each new app, organizations open themselves up to risk. From a breach to an internal bad actor, data loss, or non-compliance, vulnerabilities in the cloud–and with third-party providers–can create security and compliance headaches. Data protection in the cloud is critical to any company’s success, but companies must design protection strategies that meet today’s business needs.
The data fire hose
Currently, companies store an average of 60% of their data in the cloud–and the amount of data only continues to grow. That includes public information as well as private and sensitive employee, customer, financial, or other business data. If that data falls into the wrong hands, companies risk their finances and reputations. Weak security and other mistakes have cost companies a whopping $4.4 billion in fines, not to mention brand value in the eyes of customers. To prevent these incidents from happening, all cloud data must be secured against a breach, data loss, or bad actors, regardless of where it’s stored or managed, whether it’s in motion or at rest, and whether the company or a third-party vendor is responsible for security and compliance.
No company wants to open itself up to the liability and risk associated with a breach, data loss, or other incidents. However, a solid cloud data protection strategy goes beyond mitigating risk. Companies–and therefore their third-party providers–must comply with security and privacy standards, such as GDPR and HIPAA, all of which have different requirements based on geography, residency, and local laws. This means any company must know exactly how every single third-party cloud provider complies in each location where data is stored.
It’s clear that cloud-based data protection is critical for both security and compliance. However, given the sheer volume of data, applications, and vendors, protecting data in the cloud comes with a plethora of unique challenges.
The cloud certainly offers a simple way to collect and store information, but with every new piece of data and each new app, organizations open themselves up to risk.
The challenge of data protection
Protecting data in the cloud is anything but straightforward. Regulatory requirements state that companies, and therefore their third-party providers, must know where their data is at all times. Unfortunately, many companies may not have an accurate gauge of all the data they own, let alone where applications and data are stored and who has access to information. Given that most organizations use third-party cloud service providers, visibility is limited, so they don’t always have a clear view of system integrity, including user permissions and how company data and information are used or shared.
Infrastructure, as well as security, privacy, and compliance standards, also vary by vendor. From protecting confidential data, encryption protocols, to storage, networks, and data centers, even small differences can cause big security or compliance woes. Integrity is paramount–and every provider must have checks in place to ensure that only the right people have access or can delete or modify data. In addition, companies must comply with privacy regulations in every location where data is stored or passes through, which means their vendors must also comply.
Who ultimately is responsible for data protection in the cloud is murky at best, but that responsibility is shared between the company and provider.
Cloud security, compliance, and privacy
Protecting data in the cloud is more than just mitigating a cyberattack. Companies must now have stringent security, privacy, and compliance standards in place to ensure that sensitive information is protected from vicious attacks or even the wrong person gaining access.
Security and protection
Data security is the first tenet of data protection and involves physically protecting data. This includes the physical infrastructure and the cybersecurity measures that are in place to prevent unauthorized access or data loss. Third-party cloud providers are responsible for taking proper security measures, such as encryption, backups and failure prevention, and identity and access management. Companies (mostly in the case of corporate IT) can increase data security by taking a page from microservice architecture; buying a service that deeply specializes in a certain function and contains data specifically related to that. This way, more focus can be placed on the security of that one service rather than with a monolithic setup where teams would have to ensure the whole thing is secure, as a breach into any one area would expose the whole thing.
Beyond security, companies must have cloud compliance procedures in place to meet regulatory requirements in the areas in which they operate or store data. Compliance in the cloud doesn’t mean data is secure, but it does mean companies have met the legal requirements for protecting private information. In today’s technologically distributed world, protecting cloud data and maintaining cloud compliance is about more than securing the data center. Every vendor has different cloud compliance standards, each of which must be vetted to ensure they meet company compliance standards.
Compliance starts with determining the laws that must be followed, which standards the company will use to follow those laws, and then putting the right governance procedures in place. Regulations, such as GDPR in Europe and HIPAA in the United States require companies to comply with specific data storage and processing procedures to protect data privacy. In addition, many companies use ISO 27001 or NIST PS 800-53 standards as their frameworks for compliance and work with their cloud providers to ensure requirements are satisfied.
Data privacy ensures that companies are only collecting and storing personal data by consent, only the right people can access that data, and puts rules around how that data can be shared. Any personal data must be classified as such and companies must know exactly how their data flows through the cloud. If a company has customers in multiple countries, then any third-party cloud providers must comply with those countries’ storage and processing regulations.
Companies must now have stringent security, privacy, and compliance standards in place to ensure that sensitive information is protected from vicious attacks or even the wrong person gaining access.
How to protect cloud data
A successful cloud data protection strategy includes security, compliance, and privacy measures. However, distributed workforces changed how companies protect cloud data, requiring endpoint solutions to protect employee devices that are spread all over the world as well as access management tools to ensure they are protected from a breach or unauthorized access. By using our cloud security audit checklist, companies can achieve cloud-based security, compliance, and privacy.
Step 1: Perform a data audit
It’s hard to enable the right data protection strategies if you don’t know which data you have, where it’s located, and what type of information you’ve collected. By taking inventory of your data in every one of your cloud environments, you can gain a clear picture of all data that needs to be protected, categorize personal information, and ensure each of your cloud vendors has the proper internal controls in place to meet your security, compliance, and privacy standards.
Step 2: Establish your own governance and risk management standards
Every company must establish its own internal policies and procedures to ensure security, compliance, and privacy in the cloud. The best way to get started is to perform a security assessment and audit to determine any vulnerabilities, threats, or other issues so you can then put the right parameters and control in place. Not only does having an overarching governance framework in place help you create a standard for your own internal security and compliance procedures, but it also creates a standard by which you can evaluate your cloud vendors.
Step 3: Protect your attack surface
Cybersecurity in the cloud is complex and difficult to scale. However, you can use attack surface monitoring tools to help understand any risks or exposures in the cloud. Not only do these tools help you identify and address shadow IT, but you can also continually monitor your cloud environments and proactively mitigate risks.
Step 4: Analyze your cloud vendor standards
Once you’ve created your own governance and risk management standards, you can evaluate all of your cloud service providers. Check each service level agreement to determine the level of protection you have and determine encryption capabilities. Is data encrypted at rest, in transit, or at a file level? In addition, check your providers’ policies and compliance procedures, including certifications, that ensure they comply with GDPR, SOC2, and more.
Step 5: Set your own cloud security standards
Once you know your vendors’ security and compliance standards, you can determine if you need to layer in additional tools or tactics to protect your information. For example, PaaS or SaaS data encryption can protect your data on a more granular level while endpoint security solutions protect user devices.
Step 6: Create a comprehensive recovery program
Data loss can be just as big of a problem as unauthorized access or a breach–and loss can even happen accidentally. The best thing you can do is create your own policies around storage and backups, including recovery procedures in the event files are deleted inadvertently.
Step 7: Secure your own user permissions
You can secure your cloud environments using the best tools and strategies, but if you don't manage your user permissions well then your company is still at risk. Users should have least privilege access to all apps, data, and information to protect sensitive app data and you should implement sharing standards and parameters to prevent unauthorized access. You should audit your permissions regularly to prevent users from having unnecessary access, change permissions if their role changes, or deprovision them quickly should they separate from service. Any tools you use should also provide an audit trail for compliance purposes.
You should also implement multifactor authentication for all employees, ensure all messages are encrypted, and set specific password standards to keep employee credentials strong.
At Lumos, we take data security very seriously. In fact, our customers gain access to data points that give them further visibility into their cloud-based SaaS management - including user access and activity. Curious how this could help your organization? Let’s chat.