Data Security Principles When Moving to the Cloud

Author: Craig Pollack Date: Feb 18, 2021 Topics: Cloud, Cybersecurity

An all too often over-simplified aspect of moving to the cloud is that your data is all of a sudden secure. As such, cyber security is no longer your responsibility and now you don't have to worry about it. Unfortunately, nothing could be further from the truth. In addition, while many businesses have legacy data security technologies already in place for their on-premise environments, these security mechanisms don't really address securing the modern cloud hosted architecture. So, what does this all mean?

As we all know, in the wake of the Covid-19 pandemic digital transformation has become essential for organizations forced to adapt to new working conditions. Many organizations had already started their digital transformation journey at the beginning of last year, but the epidemic certainly accelerated things. In fact, research has shown 8 out of ten Fortune 1000 businesses fast-tracked their journey to digital transformation, compressing the process which would normally take years, into just a few months. Chief among these services is cloud technology which has become indispensable to the modern enterprise.

Indeed, it is estimated that worldwide end-user spending on public cloud services is forecasted to grow 18.4 percent in 2021 to a total of $304.9 billion, up from $257.5 billion in 2020, according to Gartner, Inc.

Still, whether your organization is using private cloud services, public services, or a hybrid approach, the importance of protecting the data that resides within cloud infrastructures is essential. While cloud service providers do have some security parameters built-in, numerous security failure points still exist. Hence, there are still risks involved when moving to the cloud that you should understand to reduce your potential exposure.

The Cloud Still Has Some Level of Risk

Whenever you adopt new technology, you must also account for new risks. Migrating to the cloud is certainly no exception. With online connectivity required to access cloud services, a chance always exists that cybercriminals will target this environment, particularly if it contains highly sensitive information. Highly sensitive equals highly valuable to cybercriminals. It also means increased risk for you.

Security is therefore required to mitigate against the risk of data loss, through inadvertent exposures, security misconfigurations, and even the possibility of cyberattacks attacking through common methods such as malware infections. Securing data also addresses compliance requirements for the many data protection regulations that have emerged such as GDPR, CCPA, and HIPAA

Know Who is Responsible

Know that the enterprise itself is ultimately responsible for its own data security when it deploys information in the cloud. Let’s be clear: you are the data caretaker, guardian and protector of your data. If your organization and cloud provider is following a shared responsibility model, then you must work together to configure the security controls to the enterprise's specifications and requirements. Typically, these responsibilities are addressed within the cloud provider’s service-level agreements (but who really reads these?). However, as the data owner, you must invest a lot of trust in the cloud provider that the systems are being adequately protected. If you overlook security, then you may encounter severe problems as data privacy and security regulations and even some industry standards require you to always secure your customers' personal and sensitive data.

IMPLEMENT THE RIGHT TOOLS AND THE RIGHT PEOPLE

Modern cloud infrastructures require enhanced capabilities to meet the high demands of data protection to battle against the vast array of threats. Therefore, a new approach to security is required, one that provides visibility into the location of enterprise data and also protects that data throughout the entirety of its lifecycle, from data creation through to its ultimate destruction. The ideal strategy would be data-centric security, which travels with the data even if that data moves outside a protected perimeter and only de-protects it when absolutely necessary within a highly controlled environment.

Additionally, business leaders must acknowledge that a data security expert may not necessarily be a cloud expert. Cloud environments are often complex and require a deeper understanding of the technology, processes, and systems that make up these architectures.

ENSURE DATA IS STILL USABLE

Data is the most valuable asset for any organization. It's critical to make business decisions, plan forward strategies, and gain valuable insights on customer behavior. Too often management views this information as such strategically; but at the same time, all too often neglects to make the effort to secure it equally.

Keep in mind, the key benefits of that information is based on the value after performing the necessary analytics on it. This presents a hurdle for most businesses as traditional data security solutions do not offer the capabilities to conduct analytics without de-protecting the sensitive information first (think exporting your Salesforce data onto your local network and then slicing and dicing it; now your data is outside the protected cloud bubble).

SECURe the edges

While your data may be stored in the cloud, remember that while you're accessing it - it's technically passing between their hosted servers and your physical location (whether this is a workstation at  your office, a work from home machine, your phone, or tablet). This means there are multiple failure points along this chain of delivery, thus multiple security risks. At a minimum, start by securing this chain.

TACKLE DATA SECURITY FROM THE BEGINNING

By taking complete control of data security from the outset, your organization can dictate where, and how, sensitive information is protected, which will lower compliance costs and significantly reduce the risk of data breaches. Those within the security industry have regularly touted the need for a proactive stance when addressing such threats, and this certainly applies when migrating to cloud environments. Cloud technology has many benefits and will continue to develop into an integral business enabler, but where powerful technology is you will also find risk. If you do not address data security from the beginning, more (and more damaging) cloud exposures can and probably will occur given enough time.

Migrating to the cloud should not be a rushed process and time should be taken to address all key data security obligations. With a clear plan, and with data-centric security at the heart of the overall security strategy, organizations can obtain the true benefits the cloud has to offer while ensuring the security of your information.

What do you think? Have you read the T&C's within your cloud hosted agreements? Who's responsible for the security of your data? And what are you doing about it? Let us know your thoughts or experiences in the Comment box below or shoot me an email if you’d like to chat about this in more detail.

CFO'S GUIDE TO CYBERSECURITY

Subscribe here to get our "2 Minute Tuesday" email for valuable tips & tricks!

Author

Craig Pollack

Craig Pollack

Craig is the Founder & CEO of FPA Technology Services, Inc. Craig provides the strategy and direction for FPA, ensuring its clients, business owners, and key decision makers leverage technology as efficiently and effectively as possible. With over 30 years of experience building the preeminent IT Service Provider in the Southern California area, Craig is one of the area’s leading authorities on how small to mid-sized businesses can best leverage and secure their technology to achieve their business objectives.

Comments