The inauguration of Data Protection Day in 2007 signified the importance of securing sensitive information in a world where poor data security hygiene is impacting both enterprises and consumers. Fourteen years on, the discussion around the use of data and data privacy is more pertinent than ever. For enterprises, the ability to collect and mine data has exploded as business processes are digitalised.
This digital transformation was accelerated further by the pandemic, which forced many businesses to re-evaluate how employees could access data securely, without compromising privacy, from their new work-from-home offices. In fact, over half of UK business leaders admitted that shifting to the cloud saved their company from collapse during the height of the pandemic. This all sounds promising, but the security risks associated with rushing into cloud services will not only impact the integrity of data but also potentially jeopardise compliance with data privacy and security regulations like GDPR.
The distraction of the pandemic has already presented a serious challenge for organisations trying to keep their systems secure. On top of this, they are also tasked with keeping up with privacy demands. Nevertheless, it is not a valid excuse for any business to overlook its data security and privacy commitments, especially as pandemic-related cyberattacks have grown. Cybercriminals have been persistent in their attempts to exploit cloud systems using common methods such as phishing (largely COVID-themed), malware and cryptomining. Additionally, hackers have been quick to compromise cloud services through unpatched vulnerabilities and cloud misconfigurations, both of which stem from human error. If security hygiene continues to be neglected, then any hope for cloud and data security will be gone.
As we enter the next era of cloud computing, the safety and privacy of data has become vital. Organisations can no longer afford to overlook security and must be proactive when safeguarding the data within their cloud systems. If not, then businesses are gambling with the troves of sensitive customer data they have harvested. To avoid this situation, security leaders must consider the following advice to secure cloud environments:
Avoiding cloud misconfigurations
Misconfigured cloud systems are low-hanging fruit for cybercriminals. It doesn’t take much skill to steal the data, especially if the cloud system has public access enabled. To reduce the threat of this occurring, enterprises must continuously check configuration settings against security best practices such as the CIS Benchmarks, using automated cloud security posture management (CSPM) solutions. This will greatly reduce the chances of a security misconfiguration – the #1 cause of cloud data breaches. Other basic security controls should also be implemented, including installing firewalls, backing up and regularly testing systems, and educating the workforce on which security practices to follow when accessing these systems remotely.
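As an added illustration of the kind of check a CSPM tool automates (example code written for this page, not from the original article or any vendor product), the following Python evaluates a constructed inventory of S3-like bucket descriptions for the public-access misconfiguration described above. The input schema, bucket names and finding texts are this example's own assumptions.

```python
"""Minimal CSPM-style check for publicly accessible storage buckets (added example)."""
import json

# ACL grantee groups that make a grant world-readable (AWS S3 group URIs).
PUBLIC_ACL_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_is_public(policy):
    """True if any Allow statement targets the anonymous principal with no Condition."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            return True
    return False

def assess_bucket(bucket):
    """Return the list of misconfiguration findings for one bucket description."""
    findings = []
    missing = [k for k in BLOCK_SETTINGS if not bucket.get("public_access_block", {}).get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    for grant in bucket.get("acl_grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    if policy_is_public(bucket.get("policy", {})):
        findings.append("bucket policy allows the anonymous principal '*'")
    return findings

def assess_inventory(buckets):
    """Map bucket name -> findings for every bucket that has at least one."""
    return {b["name"]: f for b in buckets if (f := assess_bucket(b))}

# Constructed sample inventory; the field names are this example's own schema, not a cloud API.
SAMPLE_BUCKETS = json.loads("""[
 {"name": "customer-exports", "public_access_block": {}, "policy": {},
  "acl_grants": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
 {"name": "legacy-site", "public_access_block": {"BlockPublicAcls": true, "IgnorePublicAcls": true},
  "acl_grants": [], "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::legacy-site/*"}]}},
 {"name": "hardened-logs", "acl_grants": [], "policy": {}, "public_access_block": {"BlockPublicAcls": true,
  "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": true}}
]""")

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_BUCKETS).items():
        print(f"{name}: " + "; ".join(findings))
```

Run continuously against a fresh inventory export, this reports only the buckets that drift from the hardened baseline, which is the posture-management loop the article recommends.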
Protecting your cloud workload with shared responsibility
Contrary to popular belief, the security of a cloud environment does not rest solely with the provider. If an application is vulnerable to SQL injection, moving it to the cloud will not protect it from that threat. How responsibility is shared depends on the operational scenario: IaaS, PaaS or SaaS. For IaaS/PaaS environments, where the cloud provider secures the back-end data centres, networking, servers and virtualisation, the enterprise needs to extend its workload protection best practices to the cloud workloads through continuous system hardening and vulnerability assessment. Known vulnerabilities are the first thing attackers will target, so it is crucial to keep your operating systems under continuous assessment. For a SaaS scenario, security of the application and data is the responsibility of the service provider, while access security rests with the enterprise and its users, who must enforce consistent security policies between on-premises systems and the cloud services used.
Big data and multi-cloud considerations
Cloud is unique and requires its own specific knowledge base and skillset to establish proper controls. In a hybrid or multi-cloud deployment, the security controls offered by your cloud service providers – Azure, AWS and Google Cloud Platform – will differ. You do not want to use different tools with different scopes for different clouds. It is important to implement homogeneous controls and have visibility across all your cloud services, helping security teams remove blind spots and reduce costs. Your cloud security management process should also be automated and continuous to keep up with the dynamic nature of cloud services. By obtaining a unified view of the cloud environments, organisations can effectively protect cloud applications and the sensitive data that resides within them without impacting IT operations and resources.
Data Protection Day is beneficial in reinforcing the need for better data security; however, securing data is not a one-time event and must be a continuous, automated process. The digital adoption cycle shows no signs of stopping, with modern enterprises migrating to more cloud services because of the benefits they bring. In essence, the cloud has become part of the new normal, but we must be sure cloud security is being normalised in the right way to ensure our critical data isn’t breached.
Sergio Loureiro is a Director of Product Management at Outpost24. Prior to this he was CEO and Co-Founder of SecludIT (now part of Outpost24), a pioneer in cloud security and a founding member of the Cloud Security Alliance since 2009. Sergio has worked in cyber security for more than 20 years. He has held senior management positions in 3 security startups, where he was responsible for email security products and security gateways and was the lead architect of security products such as SSL VPNs, log management, web security and SSL crypto accelerators. His career started at research labs in France and Portugal. Sergio holds a Ph.D. in computer science from the ENST Paris and MSc and BSc degrees from the University of Porto. He is also the holder of 4 patents.