Security Think Tank: Three-pronged approach to cloud security

What can IT teams do to ensure users are not synchronising sensitive corporate data to insecure cloud services?

Data is currency in today’s world. Security teams are now tasked with protecting the brand and intellectual property through the protection of the second-most important asset of a company: data (the first one being people). 

Thus, cloud represents one of the biggest challenges of the era – it is a technology that makes it easy to move data around and even to contract a service without the knowledge of the IT, security or compliance department.

Using a service from a provider without the approval of the risk department or the consent of the security manager might mean a change in the risk appetite of a company.

Different approaches can be taken to solve this. One of them is through awareness and training. Letting users know about the implications of misbehaving with sensitive corporate data is critical. It is no surprise then that people and human behaviour need to be taken into account for effective IT governance.

People's skills, abilities, morale, capabilities and even ethics are factors to consider in the risk equation. 

Another dimension is technology – there are ways to make sure that, even when public cloud services are used, data leaves the enterprise encrypted, with the right security measures.

Security teams can use the unique position of a next-generation firewall on the gateway of the enterprise to understand what kind of data is leaving the perimeter and, if it does not have the right security attributes or is going to an unfriendly destination, can enforce encryption and make sure that data is protected. 

There are also mechanisms for decrypting data if someone from the same company or a key stakeholder needs to access that data.

Finally, guidelines, procedures and processes are very important since they will connect the two other dimensions. Through them, people will understand what is acceptable and what is not. 

The right policies will educate users on which technology is safe to use, which is not safe to use, and the appropriate behaviour for maximum data security.

Security teams can now use the triad of people-process-technology to make sure cloud services are used in the right way, maximising the benefits of technology and the ease of use of a universe of services available for the enterprise, without losing perspective of the most important things: protecting the brand, defending people and saving intellectual property.

Ramsés Gallego is international vice-president for Isaca
