
Data security and the cloud: 3 things your team needs to know

By Carole Murphy, Evangelist, Voltage SecureData and Reiner Kappenberger, Director of Global Product Management, Voltage Data Security, Micro Focus

Increasingly, companies are moving their data and processing to cloud services. It’s easy for this out-of-sight data to be out of mind when it comes to security, but if anything, it should be top of mind, because it is even more exposed than on-premises data. With regulators issuing record fines for privacy violations, developers need to make sure they secure their data in the cloud.

Fines for privacy violations will only increase in 2020. In 2019, after one year of General Data Protection Regulation (GDPR) enforcement in the European Union, there were over 59,000 personal data breach notifications across Europe, along with 91 reported fines. France’s National Data Protection Commission fined Google $57 million for improper processing of personal data for advertising purposes. With more violations occurring with respect to data stored in the cloud, data owners, developers, and CISOs need to focus on cloud data security.

In July, the Information Commissioner’s Office of the United Kingdom announced that a large European airline would be fined 1.5% of its 2017 revenue, or $230 million, for allowing attackers to modify its website, scraping personal and financial details using a malicious JavaScript component.

“While we can never know how much reach the attackers had on the airline’s servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” stated a RiskQ analysis of the issue.

Such data breach fines are only increasing. The EU’s GDPR allows fines of up to 4% of revenue per violation. Under the California Consumer Privacy Act (CCPA), companies that fail to protect their users’ data can be fined up to $2,500 per violation, and $7,500 per willful violation, per individual whose data was breached. And fines under the Payment Card Industry Data Security Standard (PCI DSS) will likely rise as well.

Traditionally, having data stored locally meant attackers had to compromise the corporate network before gaining access. While the past reminds us that this has occurred all too often, at least that network was under local control and monitoring. Services on demand allow attackers to access sensitive data if they can bypass cloud access security—which is typically under the control of the cloud provider, and opaque to the enterprise.

The upside of the cloud is flexibility. The downside is that data security must be part of the equation from the start. Here are three recommendations for security and development teams.


1. Know your responsibilities in the cloud

Using cloud services does not mean that the cloud provider will take responsibility for your data; you share responsibility with the provider. Under this shared responsibility model, cloud providers ensure that the hardware and software services they offer are secure, and you're responsible for the security of your data assets.

Fulfilling your responsibilities can be more difficult with cloud services. While cloud providers offer better security, they also provide clients with less insight into the security of their systems, so you often lose visibility when you hand over infrastructure operations.

Security and DevOps teams need to know exactly what their responsibilities are when developing and hosting applications built on top of cloud infrastructure.

2. Understand your data and security

Not only developers, but also data owners and security functions need to understand the types of data they are collecting and the requirements for its storage.

One example of this is collecting data from users in nations that require the data to be stored in the same locale. All Russian users’ data must stay in that country; health data on Australian citizens must be stored in data centers in Australia; China, Germany, Turkey, Belgium, Brazil, and South Korea have also enacted “must stay” regulations for data. Such regulations do not preclude companies from using cloud infrastructure, but IT leaders and developers must understand these requirements and be careful where they spin up their cloud servers.

Another example is the creation of the secrets used to protect the data, from API keys to encryption keys to passwords for cloud resources. These secrets should be managed in-house or on a different cloud service, not by the same cloud provider that hosts the infrastructure and data.


3. Apply data-centric security on each field

The cloud provider has some level of access to your data. This presents different security problems than you'd see with local infrastructure. With on-premises servers and software, your main worries are availability and insider threats. With cloud infrastructure, the provider itself or a third party might access the data, with little opportunity for you to detect it.

Applying per-field format-preserving data protection can dramatically limit the impact of insider threats, whether from employees or rogue cloud administrators. Format-preserving encryption and tokenization protect the information while, in many cases, still allowing normal functionality—such as searches—to occur without ever requiring clear text.
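As an added illustration (not code from the article or from Voltage SecureData), here is a simplified per-field tokenizer in Python: tokens keep the field's length, digit-only format and last four digits, they are deterministic under a per-field key so an equality search runs against the protected column, and clear text is recoverable only through a vault. The key, the test card numbers and the record layout are constructed assumptions; a real deployment would use a standardized format-preserving mode such as NIST FF1 or a vaulted tokenization service rather than this HMAC-based sketch.

```python
import hashlib
import hmac

class FieldTokenizer:
    """Simplified per-field, format-preserving tokenization for illustration only
    (not NIST FF1, not a vendor implementation). A token keeps the field's length,
    all-digit format and last four digits; it is deterministic under a per-field key
    so equality searches work on the protected column; the vault holds clear text."""

    def __init__(self, field_key: bytes, keep_last: int = 4) -> None:
        self._key = field_key              # assumed to come from an in-house KMS
        self._keep_last = keep_last
        self._vault: dict = {}             # token -> clear value, kept off the cloud

    def token_for(self, value: str) -> str:
        """Pure mapping, no vault write: digits come from HMAC(key, value|counter)."""
        if not value.isdigit() or len(value) <= self._keep_last:
            raise ValueError("expected an all-digit field longer than the kept suffix")
        head_len, digits, counter = len(value) - self._keep_last, "", 0
        while len(digits) < head_len:
            mac = hmac.new(self._key, f"{value}|{counter}".encode(), hashlib.sha256).digest()
            digits += "".join(str(b % 10) for b in mac)  # slight bias is fine for a sketch
            counter += 1
        return digits[:head_len] + value[-self._keep_last:]

    def protect(self, value: str) -> str:
        """Tokenize and record the mapping; refuse a token already bound to other clear text."""
        token = self.token_for(value)
        if self._vault.setdefault(token, value) != value:
            raise RuntimeError("token collision: re-key or widen the field")
        return token

    def reveal(self, token: str) -> str:
        return self._vault[token]

    def find(self, records: list, field: str, clear_query: str) -> list:
        """Equality search over protected rows without detokenizing any of them."""
        needle = self.token_for(clear_query)
        return [r for r in records if r.get(field) == needle]

# Constructed sample rows using well-known test card numbers, not real accounts.
CUSTOMERS = [
    {"name": "alice", "card": "4111111111111111"},
    {"name": "bob", "card": "5500000000000004"},
    {"name": "carol", "card": "4111111111111111"},
]

def protect_records(tok: FieldTokenizer, records: list, field: str) -> list:
    """Replace the clear field with its token before the rows go to cloud storage."""
    return [{**r, field: tok.protect(r[field])} for r in records]
```

Because alice and carol share a card number, their rows carry the same token, so a search for that number finds both without any row being detokenized.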

Cloud data safety is doable

As enterprises move to the cloud, security risks to sensitive and regulated data increase. However, cloud security issues are often not well understood by developers. By understanding their responsibilities, knowing what data is being collected, and applying security to the data—not just the system—you'll be assured that your data in the cloud is as safe as on premises, and that it will flow safely throughout your hybrid IT environments.
