5 Common Challenges Faced When Securing the Cloud
The cloud is one of humanity’s most impressive and consequential inventions yet. The implications for convenience, efficiency, accuracy and data mobility in business are enormous, which is probably why cloud adoption climbed to 96 percent in the business sector in 2018.
Taking the proper governance and security precautions is essential with that level of connectivity, however. The following are some of the most common challenges and problems associated with storing any kind of sensitive data in the cloud, and some thoughts on overcoming them.
1. Lack (Or Inconsistent Use) of Data Encryption
The cost of a single data breach can be high enough — $200,000 on average — to put some small companies out of business.
AES is one of the most ubiquitous voluntary security standards in use today. The National Institute of Standards and Technology, which developed the AES standard, estimates that it has delivered $250 billion in collective economic benefit to those who adopt it.
It’s not possible for a company to claim it’s 100 percent protected from a data breach. That’s not to say every cloud approach is equally safe, however. For additional peace of mind, no matter what your company’s cloud vendor claims about their security robustness, encrypt your data before sending it into the cloud.
Using AES to encrypt sensitive company information means that mission-critical data can’t be used by outside parties after a breach. Company endpoints like workstations and personal smartphones are a notorious weak link when it comes to data breaches, but taking added measures like encrypting data before it reaches the cloud layer is a good way to stay protected.
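One way to put "encrypt before it reaches the cloud" into practice, as an added example that is not part of the original article: the client seals each object with AES-256-GCM before upload, binding the object name as additional authenticated data so a ciphertext copied to a different path, or altered in storage, fails to decrypt. The key source and object names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext with AES-256-GCM before it leaves the workstation.
// objectName is bound as additional authenticated data, so the blob only
// opens under the name it was stored as. Layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. A wrong key, a flipped byte or a mismatched object
// name all yield an error, so a corrupted cloud object is never trusted.
func Open(key, sealed []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key := make([]byte, 32) // hypothetical: in practice fetched from a KMS/HSM, never stored beside the data
	rand.Read(key)
	sealed, _ := Seal(key, []byte("customer export"), "exports/q3.csv") // constructed sample object
	pt, err := Open(key, sealed, "exports/q3.csv")
	fmt.Printf("%s %v\n", pt, err)
}
```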
2. Higher Likelihood of Privacy Regulation Noncompliance
Companies are building more and more cloud-first services for data ubiquity and mobility. Sectors like health care have HIPAA (Health Insurance Portability and Accountability Act 1996) and other guidelines, which are constantly evolving as technology changes. For ecommerce and other predominantly online-focused businesses, there’s more uncertainty and inconsistency when it comes to regulatory compliance for data handling.
The EU implemented GDPR (General Data Protection Regulation) in May 2018. Since then, it has helped inform similar measures by other governments, including the state of California. One thing the GDPR helped prove was how ill-prepared even large corporations are when it comes to safeguarding basic customer privacy. The £183 million ($228 million) fine brought against British Airways is likely the first of many such fines if GDPR and the California Consumer Privacy Act continue to inspire changes at multiple levels of government.
Companies are advised to educate themselves on the most stringent digital privacy and security laws out there and begin tailoring their approach, digital properties and products accordingly. Customers across the world will increasingly expect, and be entitled to, the “right to be forgotten,” the right to see the personal data collected on them at any time, and the right to opt out of data collection procedures.
3. Building a Security-First Culture, Including Good Password Hygiene
Disney’s new streaming service made the wrong kind of news in its first couple of days. According to reports, thousands of users’ credentials had already been compromised and listed for sale online just hours after Disney+ went live.
The consensus seems to be that weak passwords, and passwords reused by customers across several online services, are to blame for the early security failures of Disney+. This is a solid reminder that, even today, many people and organisations don’t take even basic security precautions seriously.
Using the cloud for business purposes is only as secure as the weakest link in your protocols. Right now, that includes passwords and the people who create and distribute them. There are plenty of more “advanced” security safeguards to maintain, which is why password hygiene is so frequently overlooked.
Company IT departments should publish clear guidelines on interacting with private or public cloud services. User credentials should also be siloed by department and function, so that only authorized users can access each part of the company’s digital property.
4. Undetected and Unreported Security Incidents
Not all types of cloud security incidents arrive with big flashing lights pointing to the culprit. Insider errors and oversights cause 20 percent of data breaches in the health care sector, many of which go undetected for years at a time.
Ubiquitous computing introduced the possibility of theft or loss of data in storage or in transit, and other modern technologies, such as artificial intelligence, provide solutions as well. Security automation, including automatic mitigation and notifications, is an increasingly important part of a company’s digital security portfolio.
AI (artificial intelligence) helps make this possible when employees can’t have their eyes everywhere at once or the company deals with especially sensitive data that may be accessed at several endpoints or by several parties. Unusual network traffic patterns are one example of the signs AI can pick up on better than humans and which might signal an impending attack.
5. Ensuring Business Continuity, Including Disaster Preparedness
Physical, on-premises security is one of the most frequently overlooked aspects of securing personal and company clouds. There is no guarantee that any cloud provider out there, much less a self-hosted cloud solution, accepts liability in the event that an outage or a permanent service interruption renders your data unreachable. Theft, a provider going out of business and extreme weather can all impact your company’s future in an instant.
For this reason, it is essential to conduct regular physical backups of your company’s data. A company should have a process in place, and people whose job it is, to identify what data needs to be backed up, and when, and how to process new and existing backups on a recurring basis.
Server closets and other physical IT infrastructure can be an additional weak link. When Heathrow Airport got slapped with a £120,000 ($156,000) fine for exposing more than 1,000 private data files, it was because an employee left a USB data device unattended.
Clearly, there is no protocol too small or too apparently insignificant to be left out of a company’s data handling policies. And no matter the degree of dependency your company has on the cloud, it’s just not worth leaving security to chance.
Vertical Distinct offers the Certificate of Cloud Security Knowledge (CCSK) Plus certification, a three-day Cloud Security Alliance (CSA) offering that introduces you to the world of cloud computing security and prepares you to take the CCSK exam. CIO.com listed CCSK as #1 on its list of Top Ten Cloud Computing certifications. Find out more about the CCSK programme, scheduled dates and the cities where you can register.