It is easy to appreciate why the cloud is quickly becoming a backbone for many companies today: it offers superior flexibility, accessibility, and capacity compared to traditional online computing and storage methods.
However, moving services and the data they contain outside the company's own network and management raises concern among many CIOs, especially when it comes to cybersecurity and information security.
This concern is well-justified and very topical, as cloud security has once again hit the headlines.
UpGuard's Cyber Risk Team recently discovered that the personal data of 198 million US voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured storage service. In fact, the discovery revealed that the data repository lacked any protection against access, and anyone with an internet connection could have accessed the sensitive personal data.
The main problems that caused the data exposure are unfortunately neither rare nor uncommon. According to UpGuard, forgotten databases, third-party vendor risks and inappropriate permissions are the key factors that have resulted in thousands of previous data breaches and once again created this nearly unprecedented data breach in the US.
This could never happen to us, our cloud is secure, right?
When analyzing the risks associated with cloud services, keep in mind that when data is stored and processed in a service maintained by another party, the customer has very little control over how that service is managed. In such a case, as has been witnessed many times, data may be misplaced, distorted, destroyed or disclosed to unknown third parties. Organizations should therefore separately consider how significant these risks are and what they would mean for the organization if realized. By contrast, a customer who purchases a standard hosting service can determine exactly on which servers the information is stored and even define which of the hosting provider's administrators have access to the data. This cannot be done in cloud services.
It is important that organizations carefully consider what data or services they intend to transfer to a cloud, so that cloud services produce the best possible benefits while risks stay under control. Furthermore, the security features of cloud services must be taken into account, because the default settings of service providers may not offer the best protection there is.
Ensure your cloud security with the following steps:
- Identify and enable built-in security controls for cloud services.
- Only partner with trusted cloud service providers who can prove their reliability (e.g. with a certificate such as CSA STAR).
- Make sure the contract includes clear responsibilities of all parties for protecting data at all stages of its life cycle, and constantly monitor the level of information security.
- Consider carefully what information you put into the cloud and what information you share with your partners. Make sure that you identify and comply with all applicable laws and regulations (e.g. GDPR and PCI DSS).