By Venkat Krishnapur, Vice-President of Engineering and Managing Director, McAfee India
Cloud computing has become near-ubiquitous, with India’s cloud market poised to reach over US$7 billion by 2022. The use of cloud services has empowered organizations to accelerate their businesses with more agile technology at moderate cost. Cloud is making IT more strategic than ever, and companies are structuring themselves around the rapid transformation, growth and agility it delivers. However, this rapid migration also presents complexities and risks that few businesses are equipped to deal with, and the security of data has taken center stage. While cloud providers enable more security than ever before, there are aspects of security that they do not cover, and it is the customer’s responsibility to ensure those are mitigated.
The data dilemma
While it is true that sensitive data can be stored safely in the cloud, that safety is not automatic. According to the McAfee 2019 Cloud Adoption and Risk Report, 21 percent of all files in the cloud contain sensitive data, and sharing of sensitive data in the cloud has increased by more than 50 percent. While most of this data is stored in well-established enterprise cloud services such as Box, Salesforce and Office 365, none of these services guarantees 100 percent safety: the provider secures the platform, not how your users configure sharing and permissions on it.
However robust your threat mitigation strategy, the volume of threats is too high for a purely reactive approach. Access control policies must be defined and enforced before data ever enters or leaves the cloud, not after a leak is discovered.
Think of it this way: just as the number of employees who need to edit a document is much smaller than the number who need to view it, not everyone who needs to access certain data needs the ability to share it. Examine all permissions and assess the context associated with data in the cloud environment, and control who has access. Access management requires three capabilities: the ability to identify and authenticate users, the ability to assign users’ access rights, and the ability to create and enforce access control policies for resources.
Large institutions that hold a range of data, including sensitive consumer data, and have many cloud solutions to choose from must balance the potential benefits against the risks of breaches and loss of access integrity. What many organizations fail to realize when moving to the cloud is the extent to which they remain responsible for securing their own cloud environment. Cloud providers (vendors) secure the underlying infrastructure; depending on the service model, securing data, identities, access configuration and, in many cases, applications and operating systems remains the responsibility of the cloud customer.
The Responsibility Equation
When it comes to security, CISOs wonder whether external providers can protect their sensitive data while also ensuring compliance. There is a common misconception that the Cloud Service Provider is responsible for securing the whole cloud environment. This is where shared responsibility comes into play. In simple terms, the organization and the vendor split responsibility for the cloud deployment. The vendor may handle everything from physical networks, servers and storage to operating systems and even applications, but the organization is responsible for the rest, including its data, its identities and how it configures the services it consumes. In practice, no matter what level of service the vendor offers, the organization is ultimately accountable for the security and compliance of its cloud deployment.
As with all aspects of cloud, responding to security incidents is also a shared responsibility. CISOs must learn to collaborate effectively with the Cloud Service Provider to investigate and respond to potential security incidents. To collaborate effectively, they need to understand in advance what information the vendor can share (for example, which logs and at what retention) and the limits within which the vendor can assist.
Companies that fulfil their share of the responsibility by securing their own data realize substantially more benefit than those that do not take data protection into their own hands. There are practical ways of mitigating the security risks, and the cloud is a viable option for enterprises; the advantages of cloud-managed services far outweigh the concerns when those responsibilities are met.
Organizations need to regularly assess the security posture of their cloud environments and that of their vendors, suppliers, partners and all other third parties. The Verizon breach, in which a third-party vendor’s misconfigured cloud storage bucket exposed customer records, is a good example of a vendor’s mistake becoming the organization’s headache. The shared security model exists for a reason: no matter who is operationally responsible for securing the cloud, the organization is ultimately answerable for what happens to its data.
CASB – a key enabler
Cloud access security brokers (CASBs) are on-premises or cloud-hosted policy enforcement points that sit between cloud service consumers and cloud service providers to enforce security and compliance for cloud applications. They help organizations extend the security controls of their on-premises infrastructure to the cloud.
CISOs need to evaluate the full risk landscape across their on-premises and externally hosted cloud environments. CASBs act as a central authentication, policy and encryption hub for both cloud and on-premises applications, covering all endpoints, including personal devices such as smartphones and tablets. They are an essential element of a cloud security strategy that helps organizations govern the use of cloud and protect sensitive data, implementing controls such as authentication, authorization, encryption, device profiling, alerting and anomaly detection and prevention.
By using CASBs, organizations can:
- Evaluate and select cloud services that meet security and compliance requirements
- Identify which Shadow IT cloud services are in use, by whom, and what risk they pose to data
- Identify potential misuse of cloud services, whether by insiders or by third parties such as external service providers
- Protect enterprise data in the cloud by blocking certain types of sensitive data from being uploaded, and by encrypting or tokenizing data that is
- Enforce varying levels of data access and cloud service functionality based on the user’s device, location and operating system
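The list above and the three access management capabilities described earlier (identify and authenticate, assign rights, enforce policy) can be illustrated with a small inline policy engine of the kind a CASB runs on each upload. The following Python is an added example written for this page; it is not code from the article, CISO MAG or McAfee, and the users, roles, sanctioned services, allowed countries and sample uploads are all assumptions constructed for illustration. It goes slightly beyond the text by including a Luhn check in the payment-card detector, because a naive digit pattern alone generates far too many false positives to be enforced inline.

```python
"""
Added example (not from the article or McAfee): a CASB-style inline policy
check for a cloud file upload.  It chains the controls the article lists:
sanctioned-service check (Shadow IT), rights assigned per role, context
(device posture, location) and a simple DLP scan, and returns
allow / encrypt / block with a reason.  Every name and value below is an
assumption constructed for the example.
"""
import re
from dataclasses import dataclass

# Assumed to have been authenticated upstream by the identity provider.
@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset

# What the broker can observe about the request itself.
@dataclass(frozen=True)
class Context:
    device_managed: bool   # enrolled in the org's device management
    country: str           # derived from source IP or device telemetry
    os: str

@dataclass(frozen=True)
class Upload:
    principal: Principal
    context: Context
    service: str           # target cloud service, e.g. "box"
    filename: str
    content: str

# Rights assigned per role: view < edit < share (assumed hierarchy).
ROLE_RIGHTS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "owner": {"view", "edit", "share"},
}
SANCTIONED_SERVICES = {"box", "salesforce", "office365"}   # assumed
ALLOWED_COUNTRIES = {"IN", "US"}                            # assumed

# DLP: 13-16 digit runs with optional space/dash separators, validated with
# Luhn so that phone numbers and IDs are not flagged as card numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def evaluate(upload: Upload) -> dict:
    """Return {'action': 'allow'|'encrypt'|'block', 'reason': str}."""
    rights = set()
    for role in upload.principal.roles:
        rights |= ROLE_RIGHTS.get(role, set())
    # 1. Shadow IT: refuse services the organization has not sanctioned.
    if upload.service not in SANCTIONED_SERVICES:
        return {"action": "block", "reason": "unsanctioned service"}
    # 2. Rights: an upload is an edit-level operation.
    if "edit" not in rights:
        return {"action": "block", "reason": "user lacks edit rights"}
    # 3. Context: location policy.
    if upload.context.country not in ALLOWED_COUNTRIES:
        return {"action": "block", "reason": "location not allowed"}
    # 4. DLP: sensitive data handling depends on device posture.
    cards = find_card_numbers(upload.content)
    if cards:
        if not upload.context.device_managed:
            return {"action": "block", "reason": "sensitive data from unmanaged device"}
        return {"action": "encrypt", "reason": "sensitive data; encrypt before storage"}
    return {"action": "allow", "reason": "no policy matched"}

def run_demo() -> dict:
    """Constructed sample uploads; returns {scenario: action}."""
    owner = Principal("asha", frozenset({"owner"}))
    editor = Principal("ravi", frozenset({"editor"}))
    viewer = Principal("guest", frozenset({"viewer"}))
    managed_in = Context(True, "IN", "Windows")
    byod_us = Context(False, "US", "iOS")
    managed_xx = Context(True, "XX", "macOS")
    card_doc = "Customer paid with card 4111 1111 1111 1111 exp 12/24"
    clean_doc = "Meeting notes; call back on phone 9876543210"
    scenarios = {
        "owner_managed_card": Upload(owner, managed_in, "box", "a.txt", card_doc),
        "editor_byod_card": Upload(editor, byod_us, "office365", "b.txt", card_doc),
        "viewer_upload": Upload(viewer, managed_in, "box", "c.txt", clean_doc),
        "shadow_it": Upload(owner, managed_in, "dropbox", "d.txt", clean_doc),
        "offshore": Upload(editor, managed_xx, "salesforce", "e.txt", clean_doc),
        "clean": Upload(owner, managed_in, "box", "f.txt", clean_doc),
    }
    return {name: evaluate(u)["action"] for name, u in scenarios.items()}

if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:20s} -> {action}")
```

The ordering of the checks is deliberate: the cheap, deterministic controls (sanctioned service, rights, location) run before content inspection, and the outcome for sensitive content depends on device posture rather than being a flat block, which is what lets the same policy serve both corporate laptops and personal phones.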
Technology has come a long way since the early days of computing and its conventional approaches to data management. Today, cloud computing is reshaping the IT industry, the business landscape and nearly everything else it touches. Although migration to the cloud is helping CIOs in their digital transformation journeys, jumping into it hastily, without the necessary security maturity, can undo all of that effort.
While the business advantage of cloud usage is significant, this rapid migration also introduces complexities and risks that most organizations are not yet equipped to handle. If these issues are properly addressed, they need not hold back your IT roadmap, and data does not have to remain anchored on-premises. The future of cloud rests on industry standards that address regulatory, management and technological matters.
The stronger your cyber defenses are, the better you are at reducing the risk and the impact when something happens.
Disclaimer: CISO MAG does not endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. Views expressed in this article are personal.