Security Think Tank: Base cloud security posture on your data footprint

In the cloud, enterprises cannot abdicate their responsibility to third-party providers. Instead, they need to assure that they work with their cloud providers and that they understand fully how the division of responsibility is configured – and especially as it pertains to personal data that might be covered by the General Data Protection Regulation (GDPR) and other regulatory policies.

It is clear that cloud can introduce new risk to enterprises. In fact, cloud was identified as the top technology that increases risk in a new survey on enterprise risk from Isaca, the CMMI Institute and Infosecurity.

However, cloud security solutions have become essential for many enterprises in today’s technology environment, so it is important for enterprises to configure those partnerships carefully and in ways that best support the specific organisation’s data footprint.

This depends largely on the organisation’s size and the type of data that it collects. Large companies are often astute at managing third-party contracts, but frequently, smaller companies mistakenly believe that simply using a cloud provider or software-as-a-service (SaaS) application means they are covered, and that might not be the case – the company still bears ultimate responsibility for owning and processing its data.

That said, third-party providers can help greatly and, in many cases for small businesses using cloud, the security is improved because the company does not otherwise have the resources to devote to security measures that can be found through cloud providers. In many respects, cloud providers are getting better than ever at providing security, but then again, given heightened regulation and scrutiny from both governments and the public, the standard for providing a sufficient level of security also is on the rise.

Another important consideration is that, in many cases, enterprises will want to encrypt the data stored in the cloud and then carefully manage those keys. They should be sure to have an appropriate key vault where keys are stored and never have them hard-coded into the software. Many cloud providers and third-party suppliers provide key vaults.

Again, the enterprise’s size often will come into play in determining the best path for key management. Small businesses are more likely to elect to have the cloud provider manage the key because the cloud provider is likely to have more advanced expertise.

However, if key management is something an organisation is already confident in, as may be the case for many larger organisations, managing their own keys is likely to be the most comfortable and logical choice. If there is any doubt about the best path forward, letting a trusted third-party manage the key is probably the way to go.

One note of caution: if enterprises encrypt their data, they had better be able to access that key. If you lose the key, you lose your data, and that outcome might well be worse than suffering a breach. Naturally, you never want the solution to incur more risk than the problem it aims to solve. Unfortunately, losing a key is not as rare as some might think.

Individual users might deploy encryption and then forget their encryption password to unlock the key, and then the data is gone unless they have an unencrypted backup available. This scenario also can play out in instances when there is employee turnover in the security or IT department and no one left has the credentials to access the keys.

The nature of the data involved is another highly relevant factor. The more sensitive the data, the more reluctant organisations might be to outsource the security around that data, but at a minimum they should consider bringing in some outside expertise to make sure the keys are being well managed.

For smaller companies, even if the data is highly sensitive, outsourcing key management to a cloud provider will probably be necessary to reduce the risk of losing keys.

Lastly, consider how the data is being protected and used, and be mindful of providing assurance over the full lifecycle of that data. Industry bodies such as Isaca and the Cloud Security Alliance provide helpful resources for organisations along those lines.

While cloud security can pose tricky scenarios to organisations, many of the answers come back to having sound risk management policies and procedures. Perhaps the biggest recipe for success is organisations having a realistic understanding of their own security capabilities, how their resources are best deployed, and a reliable inventory of the nature of the data that they collect and maintain.

In many cases, engaging in agreements with cloud providers is an essential step, but it is critical that enterprises understand the division of responsibilities with the cloud provider and have an action plan in place for how to work together with the provider if an incident arises.