If recent data breaches have taught us anything, it’s that you can never be too cautious when it comes to adopting the right cybersecurity strategies for your business. For example, high-profile Amazon Web Services (AWS) customers World Wrestling Entertainment (WWE) and Verizon exposed the personal information of millions of customers by accidentally misconfiguring their Amazon S3 cloud repositories. Despite providers like AWS providing ample information about the best practices for cloud security, the volume of AWS-related data leaks continues to grow. The unfortunate truth is that data breaches are here to stay and could come from any point across a distributed organisation.
Adding to the complexity is the growth of cloud technology and the need to ensure that appropriate cloud security is in place without compromising user experience. With cloud IP traffic set to rise threefold in the next five years, it is vital that businesses have the provisioning in place to protect the huge volume of data flowing through their network.
However, for companies that haven’t yet moved to the cloud, there are questions, challenges and a great deal of uncertainty. Specifically, it’s often an issue of control that holds them back, as moving to cloud provision, and provision via a third party, can feel like losing control.
Needless to say, the stakes have been raised by the GDPR, as you’re now required to have an understanding of where your data is, perform service requests such as the right to erasure, conduct timely breach notifications, manage cross-border data transfers and provide evidence that steps have been taken to secure personal data. As a result, an added level of trust is required for those companies outsourcing the storage and processing of the sensitive data they hold on individuals. To put it simply, if a serious breach occurs at a third-party data processor, for instance, businesses must trust that they will be informed promptly and that the third party will work with them to fix the problem and protect their customers.
With cloud now the norm, transparency is crucial and the onus is on businesses to ask the tough questions and ensure they have the solutions in place to protect their employees, customers and their brand.
Moving to the cloud
While the adoption of cloud services has increased over the past few years, many organisations are still unwilling to make the move to the cloud due to security and compliance concerns.
There can be an issue of knowing where your important data lives (this is key if you plan on transferring it elsewhere). In their current on-premise model, companies might not know exactly where data is and how it should be classified. What is the information handling procedure for any given document, image, or program code repository? Which database holds your current customer dataset?
Then, once you’ve located and gathered all the data to be transferred, you need to consider how to move all of it securely – and be clear on whose responsibility it is to ensure the cloud storage destination is already secure.
Where the responsibility lies
Cloud service providers have a definitive role to play here.
Of course, they’re there to provide data inventory tools and services to help fingerprint and hunt for data in customers’ networks, and to encrypt data for secure transfer (you haven’t gone to all the hard work of locating your data only to send it over the internet without encrypting it) – but there’s important work to be done before this too.
Cloud service providers have a responsibility to be transparent with their customers. When a business is going through a procurement process and requesting information to help it decide which provider to choose, the obligation is on the cloud provider to be honest about what they can and can’t do. The stakes are simply too high to behave in any other way.
This is where the trust relationship begins: the first job of a security specialist is to help potential customers make informed decisions about how to keep their data safe (and within the bounds of GDPR).
At Forcepoint, we’ve set up a cloud trust programme within our business which secures data and reinforces customer confidence in cloud security. It is aimed at ensuring our company is being assessed for all of the most valuable certificates and accreditations available from industry bodies. In addition, it allows our customers to check that we have earned those certificates. We consider this programme essential to our customers, to ensure they meet the requirements of the GDPR.
Cloud Security for your Future
For most companies, the cloud can and does have real business benefits – increasing efficiency, scalability and driving growth across markets. While GDPR is a response to the increasing prevalence and significance of sensitive data to the functioning of our businesses, security and trust remain the most important aspects of all. The cyber threat is continuous and constantly evolving, and as a result organisations must stay ahead of potential attacks while also remaining compliant with GDPR and other security regulations. So, it is imperative that IT managers get their cloud security in order, as failing to do so could result in devastating consequences in the not-so-distant future.
Carl Leonard is the Principal Security Analyst at Forcepoint.