A few tips to securing data in the cloud

0

In our view, we’ve finally reached the point where the move from internally built and managed technology to cloud based applications, platforms and compute services is now the norm. There are a few die hard “remainers” but the public has chosen – the only question now is one of pace.

Cloud platform adoption brings a host of benefits, from agility in deployment, cost efficiency, improved productivity and collaboration amongst others. Of course, the question of security is at the forefront, and quite rightly so. As I write this the rolling data breach news continues, with today being that of potentially compromised accounts at the National Lottery.

We are moving to a world where the governance of cloud based services becomes increasingly complex. For years organisations have sought to find, capture or shutdown internal pockets of “shadow IT”, seeing them as a risk to efficiency and increasing risk. In todays new world however, these shadows are more fragmented, with services and data being very much moving towards the end user edge of the corporate domain.

So with more and more data moving to the cloud, how do we protect against malicious activity, breaches, fraud or general internal misuse? Indeed, regarding the last point, the Forrsights Security Survey stated:

“Authorised users inadvertently exposing sensitive information was the most common cause of data beaches in the past 12 months.”

We need to think of the challenge in terms of people, process and technology. Often, we have a tendency to jump straight to an IT solution, so let’s come to that later. Firstly, organisations need to look at few fundamental pillars of good practice;

  1. Invest in User Training and Awareness – it is important that all users throughout and organisation understand that security is a collective responsibility. The gap between front and back office operations is often too wide, but in the area of security organisations must instil a culture of shared accountability. Understanding and educating users on the risks, in a collaborative way rather than merely enforcing policy, is probably the top priority for many organisations.
  2. Don’t make security a user problem – we need to secure the cloud based data and assets of an organisation in a way that balances protection with the benefits that cloud adoption brings. Often, the tendency can be to raise the bar to a level that both constrains user adoption and productivity. We often hear that IT are leading the positioning of the barrier irrespective of the business processes or outcomes. This tends to lead to an approach of being overly risk adverse without the context of disruption to business processes. The result? Either a winding back of the original solution or users taking the path of least resistance, which often increases risks.

On the technology side, there are many approaches to securing data in the cloud.  Broadly, these solutions have been bundled in the category of Cloud Access Security Broker (CASB), which is software or a tool that sits in between the internal on-premise infrastructure and the cloud provider, be that software, platform or other kind of as-a-service. The good thing about these solutions is that they can enforce controls and policies without the need to revert to the old approach of managing shadow IT functions, effectively allowing for a more federated model.

Over recent years, vendors have come to market to address the issue through several approaches. One of the techniques is through implementing gateways that either use encryption or tokenisation to ensure secure communication of data between internal users and cloud based services. However, with these the upfront design and scalability can be a challenge given the changing scope and volume of cloud based applications.

Another solution is to use an API based approach, such as that of Cloudlock (recently purchased by Cisco). This platform uses a programmatic approach to cloud security on the key SaaS platforms such as  to address areas such as Data Loss Prevention, Compliance and Threat Protection with User and Entity Behaviour Analytics (UEBA). The last of these users machine learning to detect anomalies in cloud activities and access.

Hopefully some food for though in the challenge of protecting data in the cloud, whichever path you take.

RSS Feed Subscribe to our RSS Feed

Posted on : 30-11-2016 | By : john.vincent | In : Cloud, Cyber Security, Data, Uncategorized

Tags: , , , , , , , , , , ,

Write a comment