Security Think Tank: Use governance strategy to manage cloud backups

What can IT teams do to ensure users are not synchronising sensitive corporate data to insecure cloud services?

Organisations are under constant pressure to innovate, while simultaneously driving down business costs. The benefits of using cloud services for data storage or outsourcing of applications are clear. However, without due care, this practice can increase the financial risks to the organisation through potential data breaches or loss of intellectual property.

Data stored in the cloud is not intrinsically insecure. Any storage repository, whether on-premise or hosted, will be insecure if there are inadequate access controls and data protection.

The intensity of the innovation and development of cloud-based services in the enterprise file synchronisation and sharing (EFSS) market is truly remarkable. It is also remarkable how quickly employees are adopting and using these services, with or without an organisation's approval.

The implications of unapproved use of EFSS – so-called shadow IT – are challenging the ability of security teams to protect the enterprise.

The market is growing rapidly, with hundreds of services already available. Many of these services have emerged only in the past 18 months, and some of the most commonly used services include Dropbox, Google Drive, Microsoft OneDrive, Box, Evernote and Egnyte. Employees can immediately put an organisation in breach of regulations simply by placing unprotected data in these clouds.

Various cloud service providers (CSPs) and security suppliers have been developing security products that can protect data using encryption or tokenisation technologies. There is a myriad of options, including on-premise gateways, endpoint file-sharing protection tools, cloud-based infrastructure as a service, CSP or native cloud-based schemes, and cloud-based key management-as-a-service offerings.

Organisations need to assess the risks of trusting a third party to control the cryptography process or key management in the cloud. While security is improved when compared with having no protection, trusting third parties may not meet data residency compliance requirements.

The compliance issues surrounding data residency mean organisations must understand the regulations affecting data from its originating jurisdiction, as well as the national access laws that apply in the geography where it is stored. In addition, the organisation must understand and place controls on all employees accessing sensitive data.

Information security leaders must follow several steps:

  1. Develop a data security governance strategy that classifies sensitive data, identifies compliance requirements as well as risks and threats, and specifies the required security controls.
  2. Use shadow IT discovery tools to identify all clouds in use in the organisation and establish a whitelisting and blacklisting strategy.
  3. Use data discovery tools that can automatically apply an organisation-wide data security policy.
  4. Look for tools that automatically provide access controls and activity monitoring to detect anomalous behaviour.
  5. Use data protection tools that meet compliance and security targets through cryptographic key management.

Brian Lowans is a principal research analyst at Gartner
