As more and more organisations turn to cloud-based IT, the security challenges organisations face are becoming a priority for many stakeholders across the enterprise. The headlines just keep coming and enterprises face severe operational and reputational damage from successful attacks. One of the largest beaches in 2016 occurred at the UK mobile operator Three, when hackers successfully accessed its customer upgrade database simply by using an employee login. This breach highlights the risks that organisations face from the human element of providing employees with credentials.
The Three attack occurred soon after another major breach at broadband provider TalkTalk where the details of more than 150,000 customers were stolen including the bank account details of around 15,000 customers. The result was 95,000 lost subscribers, which cost the company approximately £60 million. The chief executive will leave the company in May, but the brand still suffers from the reputational damage and many customers will simply not forgive an organisation that enables critical personnel data such as bank details plus their home address to be accessed by criminals.
These sorts attacks fuel concerns about the security of cloud-based IT but it’s clear that cloud is very much here to stay as the IT platform of choice for organisations. Recent research which polled 400 IT decision makers across the US and Europe has borne this out, finding that cloud is increasingly becoming the dominant IT platform, making security and data protection a top priority for organisations that utilise cloud. The survey found that, on average, 40 per cent of all organisations’ applications are deployed in the cloud and this number is expected to grow an additional 30 per cent in the next year. The course towards greater cloud adoption is set; now it must be secured effectively.
What’s needed is leadership. Organisations must take ownership of their security within their cloud activities. This must be a business priority for c-level executives, IT managers, CISOs and security professionals as they plan their cloud security strategies. Below are eight recommendations for ensuring cloud security. While these might seem a bit overwhelming, the alternative is even scarier: risky cloud use that leaves organisations vulnerable to attacks and the type of business and reputational damage that Three, TalkTalk and many others have suffered. With thorough planning and a new perspective on cloud security, your company’s data will be more secure in 2017.
Don’t put a bullseye on your data
Think about approaches that minimise the target value of an organisation’s data. Consider deploying services on virtual private clouds or internal/on-prem systems - entirely within a firewall, keeping information away from the spotlight of highly visible SaaS targets.
Protect corporate user identities or metadata
User identities are subject to hacking; enterprises must protect their corporate user identities since loss of user identity is likely to result in loss of the user’s corporate data. Similarly, collecting evidence on the existence of data and its properties can pose a threat as much as losing the data itself. Some cloud storage solution providers do not adhere to this strategy and keep all of their customers’ metadata centralised in a public place. Thus, indirectly requesting enterprises to put their faith in them, which poses a significant risk to data confidentiality and integrity.
Avoid risks associated with SaaS providers generating and/or managing encryption keys
Encryption keys generated in un-encrypted servers can provide attackers with easy access enterprise data. Similarly, having your SaaS provider manage your keys increases your susceptibility of losing control of your data. While cloud services providers boast high security, including physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, many provide no protection against government data requests, blind subpoenas, or clandestine spying. Make sure you own user identities, metadata, and encryption keys to ensure the highest levels of data privacy.
Control your endpoints and offices
Use enterprise mobility management (EMM) tools to eliminate shadow IT and create secure productivity spaces within corporate-provided and BYOD devices. Encrypt all data at the source to ensure the greatest levels of access of file security.
Lock down external collaborator access
Implement strict policies to enforce what data can and cannot be uploaded in a file sharing environment, control what domains/emails can and cannot be emailed to, audit all accesses to ensure there are no anomalistic events. Data loss prevention (DLP) tools can be used to restrict access behaviours.
Improve password security. Set rigorous policies around password strength and refresh rates
Consider adding multi-factor authentication that will require the user to use a combination of something they know like a static password and something that they have such as a smart card or a token that generates a one-time password.
Know your data protection options
Understand the limitations of cloud services to recover data lost in the event of an attack, user error, etc., as part of your vendor’s SLAs. Ensure that you protect data residing in the cloud – i.e. back up your SaaS applications, as well as services and applications running on public cloud IaaS – as part of a comprehensive organisational strategy for backup/recovery of data in all locations (on-prem and in-cloud).
Investigate multi-cloud strategies
When organisations run applications on multiple cloud services rather than relying on a single vendor, they reduce the risk of a vendor’s service outage causing them significant issues and downtime. This is a critical component of a cloud strategy that enables organisations to preserve cloud optionality while strengthening their business continuity models.
These eight recommendations will arm you with the strategies, techniques and processes to protect your business as its reliance on cloud-based IT continues to increase. The emphasis is on the business to ensure it secures its customers’ data and protects it systems from cyber-criminals. Adopting these recommendations will set your organisation well on the path to effective security and enable you to be confident that you have deployed the current best available security practices to protect your brand, your customers and ultimately your business as a whole.
Edit, April 4 2017: The original submission said TalkTalk CEO has left the company, when in fact, she is still CEO until May. The article has been amended.
Tom Grave, SVP Marketing, CTERA
Image Credit: TZIDO SUN / Shutterstock