Cloud Security and How to Keep Your Data in the Cloud Secure
Out of sight can’t mean out of mind when it comes to your customer’s data.
Just because you store data in the cloud instead of onsite doesn’t mean you can trust its security. Cloud security has become increasingly important, because cyber threats are proliferating as organizations run more business and store more data virtually.
Companies experience an average of more than one cyber-attack per month, incurring annual costs of approximately $3.5 million as a result, according to a survey of 591 IT and IT security practitioners that was sponsored by BrandProtect and conducted by the Ponemon Institute. Seventy-nine percent of respondents said they lack comprehensive strategies to identify and mitigate those attacks.
Data from 2017 indicates that almost 60 percent of cloud-utilizing enterprises don’t know the location of their stored data or whether it’s secure, TechRepublic reported. Such cloud storage confusion is leading to major security issues.
Organizations lack any awareness of their responsibilities for data protection, assuming instead that the third-party cloud host is solely responsible. In actuality, the organization and the cloud-service provider must secure data together.
A company that handles other people’s data needs to assure its customers on two fronts, compliance and security: in essence, that the company is compliant and that the customer’s information is not at risk. Also, customers are responsible for protecting their own data; they must ensure all of their outsourcing venues are following proper protocol.
A general lack of awareness of cloud security responsibilities and protocols has contributed to the rash of public data breaches, which disrupt affected businesses, resulting in financial losses and damaged reputations.
An incident affecting IT infrastructure hosted by third-party providers is now one of the top three security issues, according to a Kaspersky Lab report on the cloud zoo scenario, with 24 percent of businesses experiencing an incident over the last 12 months. Half of those businesses suffered data loss, leakage, or exposure as a result of a third-party cloud infrastructure breach. Seven out of 10 SaaS and cloud-using businesses do not have a plan for dealing with such an incident, Kaspersky found. A quarter haven’t even checked the compliance credentials of their cloud partners.
These four methods can keep your data secure in the cloud, so you can avoid costly data breaches and assure your customers that their information is safe.
1) Minimize exposure
The best way to protect data is not to share it. Though the cloud is appealing because it offers flexibility and cost savings, those benefits must outstrip the risk of compromising your customer’s data.
If you cannot guarantee cloud security, you should avoid storing sensitive data such as protected health information (PHI), credit card numbers, or log-in credentials for customer accounts. You could lose valuable business time and customers if such data is compromised.
You also could be fined for violating industry-specific regulations like the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, or standards like the PCI DSS. If you can’t confirm compliance when sharing data, then you shouldn’t take the risk.
2) Back up data locally
Establishing internal protection may seem to reduce the savings associated with migrating to the cloud. However, it actually enhances the benefits because you can assure customers of your compliance and the safety of their information.
Regarding cybersecurity, you must ensure that your data cannot be breached externally or internally. Keeping a local copy of your data, one that you can access if your cloud security is compromised, provides additional protection.
3) Encrypt data or use cloud services that encrypt data
Leaving data unencrypted in the cloud is a common mistake, CSO reported in its coverage of cloud security controls, citing cloud security research by RedLock’s Cloud Infrastructure Security team. RedLock’s CSI found that 82 percent of databases in the public cloud are not encrypted and that 40 percent of organizations have inadvertently exposed at least one public cloud service due to misconfiguration.
According to CSO, improperly configured cloud environments contributed to data breaches such as the following.
- Verizon - Exposed up to six million customer details
- World Wrestling Entertainment (WWE) - Compromised personal data of more than three million wrestling fans
- Defense contractor Booz Allen Hamilton - Exposed 60,000 files belonging to the Pentagon, including sensitive files tied to a U.S. military project and six unencrypted security credentials
Avail yourself of all possible encryption tools and management services. Control encryption keys as well, CSO suggests, so that even if encrypted data is accessed, it cannot be used.
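The checks this section calls for, written as an added Python example that is not part of the original article or of the CSO or RedLock material: it audits a constructed inventory for unencrypted storage, keys you do not control, and public exposure. The inventory field names, the data-class labels and the severity levels are assumptions; map them from your cloud provider's own export.

```python
# Added example: audit a cloud inventory for the misconfigurations named above.
# The schema (name, kind, data_classes, encrypted_at_rest, key_owner, public) is hypothetical.

SENSITIVE = {"phi", "cardholder", "credentials"}  # data classes named in section 1

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    {"name": "orders-db", "kind": "database", "data_classes": ["cardholder"],
     "encrypted_at_rest": False, "key_owner": None, "public": False},
    {"name": "patient-archive", "kind": "bucket", "data_classes": ["phi"],
     "encrypted_at_rest": True, "key_owner": "provider", "public": True},
    {"name": "marketing-assets", "kind": "bucket", "data_classes": [],
     "encrypted_at_rest": False, "key_owner": None, "public": True},
    {"name": "auth-store", "kind": "database", "data_classes": ["credentials"],
     "encrypted_at_rest": True, "key_owner": "customer", "public": False},
]

def audit_resource(res):
    """Return a list of (severity, message) findings for one resource."""
    findings = []
    sensitive = SENSITIVE & set(res.get("data_classes", []))
    # Missing fields default to the unsafe value so gaps in the export show up as findings.
    encrypted = res.get("encrypted_at_rest", False)
    public = res.get("public", True)
    if not encrypted:
        findings.append(("high" if sensitive else "medium", "data is not encrypted at rest"))
    elif sensitive and res.get("key_owner") != "customer":
        findings.append(("medium", "encryption key is not under your control"))
    if public:
        findings.append(("high" if sensitive else "low", "resource is publicly reachable"))
    return findings

def audit(inventory):
    """Map resource name -> findings, omitting resources with no findings."""
    report = {}
    for res in inventory:
        found = audit_resource(res)
        if found:
            report[res["name"]] = found
    return report

if __name__ == "__main__":
    for name, found in audit(SAMPLE_INVENTORY).items():
        for sev, msg in found:
            print(f"[{sev.upper():6}] {name}: {msg}")
```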
4) Test
It's best to find any weaknesses in your cloud security before hackers do. Testing helps you identify and address vulnerabilities before they become liabilities.
Vulnerability scanning and assessment reviews external and internal holes that could allow a breach. Many companies are requesting vulnerability scans by their vendors, either quarterly or annually, because scans help protect against the latest cybersecurity threats.
Consider two levels of vulnerability scanning and assessment for your network and system resources.
- External and Internal Network Vulnerability Assessments
- PCI DSS Approved Scanning Vendor (ASV) Vulnerability Scans
Implement penetration testing as well, adhering to regulatory and compliance standards such as PCI DSS, FISMA, MARS-E, HIPAA, Sarbanes-Oxley, and ISO.
When conducting penetration testing, develop a custom attack plan for each asset in your environment. Then test for vulnerabilities, configuration issues, and exploits that could provide unauthorized access. Document evidence of penetration and formulate remediations.
Businesses and organizations will continue to move operations into the cloud because of its offered benefits, but security will become increasingly important.
Just because your data is in the cloud doesn’t mean it is secure. Take these precautions and keep your data secure, so you can maintain the trust of your customers while retaining their business.