Taking responsibility for security in the cloud
From accidental leaks to full-on data breaches, maintaining security across cloud services is becoming a headache for enterprises. What questions should organisations be asking of their cloud service provider and, ultimately, whose responsibility is cloud security anyway?
With the increasing prevalence of cloud services, as well as the growing threat of data breaches, organisations are becoming more aware of the risks associated with poor security infrastructure. However, these threats can be mitigated by having the appropriate security protocols in place, through negotiations with the cloud provider and utilising a cloud access security broker (CASB).
Cloud services are ideal for organisations that need scalability, flexibility and ease of integration without having to invest massive resources into hardware. But cloud services also bring inherent security challenges.
Relying solely on cloud services effectively hands over the keys to another company. There can also be conflict over who is responsible for backups and restoring lost data.
Under the General Data Protection Regulation (GDPR), and therefore the Data Protection Act 2018, the data controller (the organisation that decides why and how personal data is processed) is ultimately accountable for the security of that data. A cloud service provider that stores or processes the data on the controller's behalf is a data processor: it has its own obligations, including the security measures required by Article 32 and the contractual terms required by Article 28, but the controller cannot outsource its accountability. It is therefore incumbent upon the data controller to ensure its data is kept safe and secure.
If a data breach occurs, even in cases where the data controller is not at fault, it will have to demonstrate due diligence. Evidence would be required to show that the organisation had thoroughly researched the security practices of any potential third party and agreed the expected security measures in writing.
It is also important to ascertain in which country, or countries, the data is physically stored. This also applies to data backups.
“The data owner has the ultimate responsibility for it, so there is no hiding if you haven’t done your due diligence or if you haven’t assessed the risk,” says Colin Tankard, managing director of Digital Pathways. “If you had done all of that and there was still a breach, then you have your due diligence and you’ve got evidence of what you’ve done.”
Under the GDPR, and therefore the Data Protection Act 2018, UK companies cannot transfer personal data outside the European Economic Area unless the destination offers adequate protection, for example under an adequacy decision or appropriate safeguards such as standard contractual clauses. There may also be cases in which a country's laws require that certain kinds of data be hosted within its borders.
There may be other occasions when hosting data in one country is not appropriate if that data is accessed by users in another country. Export control legislation needs to be considered in this context. If the information to be stored may be subject to export control, then expert advice should be sought.
“The first thing is to determine where your data is being stored,” says Tankard. “The other thing is that people seem to forget about where that data will then be backed up. Although data is stored in the UK, the backup for this cloud provider might be in India or America. People need to be very careful about where their data is. They should ask clear questions, and have it confirmed exactly where their data is residing.”
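The residency check Tankard describes can be automated rather than taken on trust. The following is an added example, not code from the article or from any provider; it evaluates the metadata AWS returns for an S3 bucket (GetBucketLocation for the bucket itself and GetBucketReplication for where copies are sent) against an allow-list of regions, so that replicas are checked as well as the primary copy. The bucket names, the allow-list and the sample responses are constructed for the example; two real quirks of the S3 API are reproduced, namely that buckets in us-east-1 report a LocationConstraint of None and that very old eu-west-1 buckets report "EU".

```python
"""Data-residency check over S3 bucket metadata (added example).

Verifies that a bucket and every bucket its replication rules point at
sit in a permitted region. Works offline on the dict shapes boto3
returns; a small helper shows the live calls.
"""

# Regions this organisation permits for the data set: AWS UK and EEA
# regions. The allow-list is an assumption for the example.
ALLOWED_REGIONS = {
    "eu-west-1", "eu-west-2", "eu-west-3",
    "eu-central-1", "eu-north-1", "eu-south-1",
}

# Constructed sample of GetBucketLocation results, keyed by bucket name.
# None means us-east-1 and the legacy value "EU" means eu-west-1.
SAMPLE_LOCATIONS = {
    "customer-records": "eu-west-2",
    "customer-records-dr": None,      # really us-east-1
    "legacy-archive": "EU",           # really eu-west-1
    "analytics-export": "eu-central-1",
}

# Constructed sample of GetBucketReplication results. The primary bucket
# replicates to a DR bucket; a second, disabled rule is left in place to
# show that only enabled rules count.
SAMPLE_REPLICATION = {
    "customer-records": {
        "ReplicationConfiguration": {
            "Rules": [
                {"ID": "dr", "Status": "Enabled",
                 "Destination": {"Bucket": "arn:aws:s3:::customer-records-dr"}},
                {"ID": "old", "Status": "Disabled",
                 "Destination": {"Bucket": "arn:aws:s3:::legacy-archive"}},
            ]
        }
    }
}


def normalise_region(location_constraint):
    """Map the raw LocationConstraint value to a real region name."""
    if location_constraint is None:
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


def bucket_from_arn(arn):
    """S3 bucket ARNs carry no region: arn:aws:s3:::bucket -> bucket."""
    return arn.split(":::", 1)[1]


def replica_buckets(replication, bucket):
    """Destination buckets of every enabled replication rule on `bucket`."""
    cfg = replication.get(bucket, {}).get("ReplicationConfiguration", {})
    return [bucket_from_arn(rule["Destination"]["Bucket"])
            for rule in cfg.get("Rules", [])
            if rule.get("Status") == "Enabled"]


def residency_findings(bucket, locations, replication, allowed=ALLOWED_REGIONS):
    """Return (bucket, region, role) for each copy outside the allowed regions.

    An empty list means the primary and all enabled replicas are in-policy.
    """
    copies = [(bucket, "primary")]
    copies += [(b, "replica") for b in replica_buckets(replication, bucket)]
    findings = []
    for name, role in copies:
        region = normalise_region(locations[name])
        if region not in allowed:
            findings.append((name, region, role))
    return findings


def fetch_with_boto3(bucket_names):
    """Build the two dicts above from a live account (needs credentials).

    Not exercised offline; shown so the data shapes can be traced back to
    the real API calls. Buckets with no replication raise a ClientError
    with code ReplicationConfigurationNotFoundError, treated as "none".
    """
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    locations, replication = {}, {}
    for name in bucket_names:
        locations[name] = s3.get_bucket_location(Bucket=name)["LocationConstraint"]
        try:
            replication[name] = s3.get_bucket_replication(Bucket=name)
        except ClientError as err:
            if err.response["Error"]["Code"] != "ReplicationConfigurationNotFoundError":
                raise
    return locations, replication


if __name__ == "__main__":
    for finding in residency_findings("customer-records", SAMPLE_LOCATIONS, SAMPLE_REPLICATION):
        print("out of policy:", finding)
```

Run against the constructed sample, the primary bucket passes but its DR replica is reported as sitting in us-east-1, which is exactly the "stored in the UK, backed up in America" case the text warns about. The same approach extends to other services with replication or cross-region backup, provided each replica's location is resolved separately, since the destination identifier alone often does not encode the region.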
Cloud service providers all offer broadly similar services, but their actual responsibilities depend heavily on what is agreed in the contract and on any additional services the data controller has chosen.
“Security is a key area that IT will have to look into, whichever platform they are looking at,” says Alex Dalglish, services director of Comparex UK. “That will boil down to what protocols are in place and how they are securing their network. It is, broadly speaking, the responsibility of the customer’s IT department to ensure they have the relevant lockdown security measures.”
The responsibility for restoring data is another grey area that needs to be explored. Where a technical failure on the cloud service provider's side results in loss of data, restoring it is the provider's job. But when the loss is the data controller's own doing, the provider may be unable to restore the data unless the controller has explicitly contracted for that additional service.
Tankard says: “We’ve come across this where people maybe have messed up the database and the service provider has no real way of helping them because they didn’t tick the box.”
Requesting such a service usually comes at an additional cost. It is worth comparing the annual cost of these extra services with the cost of using in-house systems to restore lost data.
For those already locked into a contract with a cloud service provider, determining the renegotiation period should be a priority. This can be complicated with an ongoing rolling contract, but the issue is not insurmountable. Careful reading of the contract should identify when the renegotiation periods are.
The bigger cloud service providers, such as Google Cloud Platform and Amazon Web Services, typically have the most robust security policies in place. However, they cannot offer the same degree of contractual flexibility as some of the smaller cloud service providers can.
Smaller cloud service providers may also be able to offer more specialised and adaptable services, but their data security can be weaker because they have fewer resources.
Having multiple layers of security is always preferable because it avoids relying on a single system or provider for the entire security infrastructure.
“I truly believe that your security has got to be decoupled from the cloud environment,” says Tankard. “If you’re using Amazon or Microsoft or whoever it might be in the cloud, you shouldn’t trust their security. You really need to control something in this equation of where your data is residing.”
It is for this reason that using a CASB is recommended. A CASB is an enforcement point that sits between an organisation's users and its cloud service providers, deployed either inline (as a forward or reverse proxy through which cloud traffic passes) or out of band (using the cloud providers' APIs to inspect stored data and activity). It allows organisations to extend their security policies beyond the reach of their own infrastructure.
CASBs typically offer:
- Firewalls to identify malware and block it from the network.
- Authentication to check users' credentials and ensure they access only the appropriate resources.
- Web application firewalls (WAFs) to block attacks aimed at the application layer, such as injection attempts against cloud applications.
- Data loss prevention (DLP) to block users from transmitting sensitive information.
CASBs typically work by ensuring that network traffic between on-premises devices and the cloud provider complies with the organisation's security policies. The value of CASBs stems from their ability to give insight into cloud application use across cloud platforms and to identify any unsanctioned use. This last element is especially important in regulated industries, such as banking.
CASBs use auto-discovery to identify cloud applications in use and locate high-risk applications, high-risk users and other key risk factors. CASBs may enforce a number of different security access controls, including encryption and device profiling. They may also provide other services, such as credential mapping (allowing access to a remote system on behalf of a user that has already been authenticated) when single sign-on (using the same login credentials across multiple services) is not available.
CASBs may also include other security services, such as encrypting all traffic to and from the cloud service provider. CASBs are particularly useful for organisations with shadow IT operations, which allow for operating units to procure and manage their own cloud resources.
The data that CASBs collect can also be used for reasons other than security, such as monitoring cloud service usage for budgeting purposes.
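To make the preceding description concrete, the following is an added example (not the article's, and not any vendor's CASB code) of the core of a forward-proxy CASB: discovering which cloud applications are in use from outbound traffic logs, flagging unsanctioned applications and high-risk users, and applying an inline policy that includes a DLP check. The application catalogue, the log format and the log lines are constructed for the example; a commercial CASB ships a catalogue of thousands of applications with vendor-assigned risk scores, which the five-entry table here only stands in for. The DLP check validates candidate card numbers with the Luhn checksum so that arbitrary 16-digit strings such as order references are not blocked.

```python
"""CASB-style cloud app discovery, risk scoring and inline DLP (added example)."""
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed catalogue: host pattern -> (application, sanctioned?, risk 1-10).
APP_CATALOGUE = {
    "*.sharepoint.com": ("SharePoint Online", True, 2),
    "*.dropboxapi.com": ("Dropbox", False, 6),
    "pastebin.com": ("Pastebin", False, 9),
    "drive.google.com": ("Google Drive", False, 5),
}

# Constructed forward-proxy log, tab-separated:
# timestamp, user, method, host, bytes uploaded, body excerpt ("-" if none).
SAMPLE_LOG = (
    "2019-09-30T09:12:01Z\talice\tGET\tcorp.sharepoint.com\t0\t-\n"
    "2019-09-30T09:13:44Z\talice\tPOST\tcontent.dropboxapi.com\t524288\tquarterly-forecast.xlsx\n"
    "2019-09-30T09:15:02Z\tbob\tPOST\tpastebin.com\t2048\tcard 4111 1111 1111 1111 exp 12/22\n"
    "2019-09-30T09:16:30Z\talice\tPOST\tcontent.dropboxapi.com\t1048576\tboard-pack.pdf\n"
    "2019-09-30T09:20:11Z\tcarol\tGET\tdrive.google.com\t0\t-\n"
    "2019-09-30T09:21:09Z\tbob\tPOST\tpastebin.com\t4096\torder ref 1234 5678 9012 3456\n"
)


def parse_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, host, bytes_out, body = line.split("\t", 5)
        events.append({"ts": ts, "user": user, "method": method, "host": host,
                       "bytes_out": int(bytes_out),
                       "body": "" if body == "-" else body})
    return events


def classify_host(host):
    """Look the host up in the catalogue; unknown hosts are unsanctioned by default."""
    for pattern, entry in APP_CATALOGUE.items():
        if fnmatch(host, pattern):
            return entry
    return ("unknown:" + host, False, 5)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 16 digits, optionally separated by spaces or hyphens, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def contains_card_number(text):
    """True only for 16-digit candidates that also pass the Luhn check."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in CARD_RE.finditer(text))


def discover(events):
    """Per-application summary: who uses it, how much they upload, sanctioned flag, risk."""
    apps = {}
    for e in events:
        name, sanctioned, risk = classify_host(e["host"])
        app = apps.setdefault(name, {"sanctioned": sanctioned, "risk": risk,
                                     "users": set(), "bytes_out": 0})
        app["users"].add(e["user"])
        app["bytes_out"] += e["bytes_out"]
    return apps


def risky_users(events, threshold_bytes=1_000_000):
    """Users who have uploaded more than the threshold to unsanctioned apps."""
    totals = defaultdict(int)
    for e in events:
        if not classify_host(e["host"])[1]:
            totals[e["user"]] += e["bytes_out"]
    return {u: b for u, b in totals.items() if b > threshold_bytes}


def decide(event):
    """Inline policy for one request: block card data leaving at all, block
    uploads to unsanctioned apps, alert on other unsanctioned use."""
    _, sanctioned, _ = classify_host(event["host"])
    uploading = event["method"] in ("POST", "PUT") and event["bytes_out"] > 0
    if uploading and contains_card_number(event["body"]):
        return "block:dlp"
    if uploading and not sanctioned:
        return "block:unsanctioned-upload"
    if not sanctioned:
        return "alert:unsanctioned"
    return "allow"


def evaluate_log(text):
    """Run discovery, user risk scoring and per-request decisions over a log."""
    events = parse_log(text)
    return {"apps": discover(events),
            "risky_users": risky_users(events),
            "decisions": [(e["user"], e["host"], decide(e)) for e in events]}


if __name__ == "__main__":
    result = evaluate_log(SAMPLE_LOG)
    for name, app in result["apps"].items():
        print(name, "sanctioned" if app["sanctioned"] else "UNSANCTIONED", sorted(app["users"]), app["bytes_out"])
    print("risky users:", result["risky_users"])
    for user, host, decision in result["decisions"]:
        print(user, host, decision)
```

On the constructed log this surfaces Dropbox, Pastebin and Google Drive as unsanctioned applications in use, flags alice as a high-risk user for pushing roughly 1.5 MB to Dropbox, blocks bob's paste containing a valid card number, and lets the 16-digit order reference through because it fails the Luhn check. The same discovery step is what lets a CASB report usage for budgeting as well as for security.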
Cloud access security broker suppliers include McAfee (through its acquisition of Skyhigh Networks) and Netskope. Microsoft offers its own CASB, Microsoft Cloud App Security, which it bundles into some of its enterprise Microsoft 365 and Enterprise Mobility + Security licence tiers.
As CASB has evolved, suppliers have provided additional functionality for security tasks, such as:
- Single sign-on (SSO) – allows each employee to enter their credentials once and access a number of applications.
- Encryption – encrypts information from the moment it is created until it is stored in the cloud.
- Compliance reporting tools – ensure that the company’s security systems comply with corporate policies and government regulations.
- User behaviour analytics – identifies aberrant behaviour indicative of an attack or data breach.
“It’s an extra layer, but it’s a layer you can control,” says Tankard. “Even if you’re not controlling it, you’re not putting all your eggs in one basket. That’s the real value – just not giving one organisation everything.”
With the increasing benefits of cloud services, and the associated security risks, organisations need to reassess not only their security policies, but also that of their service provider, to ensure they have performed due diligence and have taken all reasonable steps to protect their data and that of their clients.