Security Fridays Week 3 – Data protection is still your responsibility, even if it is held in an established datacentre
There is a common misconception that migrating to the cloud removes an organisation’s security problems. There seems to be a belief that cloud environments are just inherently far more secure that on premise and that any data placed in the cloud is covered by some magical security blanket that the cloud services offer.
While there is a little truth to that theory, the truth is a lot more complex. Let’s start with the good news. The cloud environments are massive, well-funded datacentres that invest in some very impressive equipment. The firewalls, DDOS protection and networking equipment they offer is generally top of the line and as such the chances of someone penetrating the environment is almost nil, they really do invest there.
However when it comes to your actual data? That’s very much your problem. Read the contracts and you’ll find while they offer security tools, the usage of them and the settings you use are down to you and they offer no guarantee as to your usage of those tools as they can’t guarantee how you have configured them.
The simple truth is, the cloud isn’t a magical new type of environment, it’s just… someone else’s data centre. It’s a big, fancy, well-funded one, but that’s all it is. You should use exactly the same protections and policies that you would for your data anywhere else as it’s just as much at risk there.
In some cases, it is in fact even more at risk, as misconfigurations in their technologies and firewalls aren’t under your control at all, and there have been incidents of data loss and lack of availability, in a large scale due to these huge environments, meaning one small error can effect a great many organisations.
1 – Apply exactly the same stringent policies and controls to your data in the cloud as you would on premise, it’s still your data, you’re responsible for it and if it’s breached you’re left holding the responsibility for it. The cloud environments do not cover that under your contracts.
2 – Data Discovery is essential, the cloud is a huge bucket and you have no idea what your users are putting up there half the time, so using data discovery tools to check what’s present is a must have. Then you can tune your retention policies to ensure that you don’t allow stale or toxic data to stay in the cloud.
3 – Audit everything. Make sure you have strong auditing of everything that goes on in the cloud, every event, every data touch and do some analytics. You should know of a problem before anyone even reports it to you and that can only be achieved with strong auditing.
Read the article that was analysed here: www.infosecurity-magazine.com/news/cloud-data-leak-thousands/
Category: Industry News