Sorry, you need to enable JavaScript to visit this website.

15 January 2018

The number one inhibitor to cloud adoptions is security.

Security remains the number one inhibitor to the adoption of cloud services, and any examination of public cloud resources will find evidence that organizations are struggling to extend visibility and control in public cloud environments. As critical data is increasingly being moved into public cloud computing environments organizations are struggling to maintain basic cybersecurity best practices. The struggle to extend visibility and control in public cloud environments has been documented in a variety of studies in recent years.

For example, research shows that many cloud-hosted databases are at increased risk because they accept inbound connection requests from the internet. In addition, organizations often improperly configure cloud storage services, exposing one or more to the public and creating increased risk of data loss. This problem, a common finding in risk assessments, is a significant driver behind some high-profile data breaches. Other key findings are:

  • Absent data encryption
  • Poor access controls
  • Unprotected management resources

Though technology in everyday use has been standard for more than a generation, in many ways the value of the data in use is obvious but not always considered on its own. Simply put, data as information drives the productivity of an organization, and the evidence for this becomes clearest when technology and corresponding data are absent.

In 2017, hardly a week passed without news of a new data breach and, more interestingly, the news was no longer just about the size of the breach, but of the quality of data accessed and whether that data was stolen or deleted. Consider the September 2017 announcement of the Equifax breach. At 143 million records, it is significantly smaller than the 500 million records lost by Yahoo in 2014. However, the quality of the data is so much richer than in previous hacks and will be significantly more impactful than previous breaches.

The volume of enterprise data creation and acquisition typically increases at a compound annual growth rate of 40-50% and this growth is exacerbated by the current proliferation of digital business transformation strategies. While the effective use of this data delivers improved operational efficiencies and organizational performance, IT teams must consider the impact of rising data volumes and new usage patterns upon their risk mitigation strategies and communicate this risk to their business stakeholders.

So, understanding this, organizations need to reconsider how to secure this data that is being created outside of the traditional secure environment; how to securely capture, manage and share this data; and how to securely collaborate around data with trusted partners. More specifically, there are clear reasons for demanding data security from both your internal and external custodians and providers of data:

  • Productivity: Day in and day out, employees are using their computers to create plans, manage operations, interact with partners and customers, and enhance the productivity of the organization. The risk associated with ransomware, a newer attack technique that encrypts data and holds the decryption keys for a ransom, makes the value of operational data for productivity obvious.
  • Competitive advantage:  Pharmaceutical companies are constantly seeking new insights into long-term challenges of creating drugs. The black market for digital products like software, music, and video siphons away large amounts of revenue from the owners - the data associated with these activities must remain confidential for extended periods.
  • Regulatory compliance: Data knows no boundaries, but regulators have stepped in to address data security and privacy in a variety of ways.  The EU General Data Protection Regulation (GDPR), which will take effect in May 2018, requires organizations to gain an understanding of the location, ownership, and security of data collected on EU citizens. This new data privacy regulation is important for some Asia Pacific enterprises as the GDPR regulations apply to how such data is collected and kept, no matter where the servers that hold the data are located. The determining factor is the company’s intention to target EU citizens. Failure to follow the GDPR can lead to heavy fines. For this reason alone, the impact of these regulations and fines may be felt more quickly than other new laws around personal data.

With almost all Asia Pacific enterprises now using cloud IT and business services in some form, customers of regional cloud service providers (Cloud SPs) face increased responsibilities, as even Cloud SPs not based in the EU may be caught by the GDPR.

What steps can be taken to improve the security of your data?

Data has never been perceived as having a value as high as it does today, and it looks as if this value is only going to grow over time. Recent headlines such as those from Forbes and The Economist linking data to oil completely miss one crucial difference — data is not in short supply nor is it likely to become so soon. However, the analogy around the value of data must not be ignored.

So, understanding this, organizations need to reconsider how to secure this data that is being created outside of the traditional secure environment; how to securely capture, manage and share this data; and how to securely collaborate around data with trusted partners.

Clearly the security solutions we have in place today are not sufficient to protect the data stored within multi-cloud systems, hence the plethora of high-profile data breaches in the news. Information security professionals need to make a thorough assessment of their environments and conduct a threat modeling exercise that can address data security challenges, with a firm understanding of the data assets that are being protected and the risks that technology and governance policies are attempting to reduce.

To that end, IDC recommends the following steps be taken to assess the security of all corporate data whether managed by the enterprise IT team or by external managed service providers:

Short-term:

  • Encrypt all organization network communications that traverse untrusted, public environments. This is often an option on public cloud services and has not been originally selected.
  • Ensure that backup solutions are backing up data at an acceptable interval such that any information made inaccessible — for example, because of ransomware — can be restored.
  • Ensure that data classification and protection is integrated into the risk assessment process.
  • Conduct a data discovery exercise to crawl the data stores throughout the IT environment, seeking all records and files that contain sensitive information.
  • Determine the location and affiliation of sensitive data with users and applications. Identify acceptable use cases based on this information.

Medium-term:

  • Deploy sensors at key locations where the IT environment zones change from trusted to untrusted to monitor data being transmitted outside of IT control boundaries. Sensors should be deployed at email and internet gateways, at a minimum.
  • Monitor the egress points looking for "leaking" data. Based on this data, reevaluate the use cases to identify legitimate use that should be incorporated into the acceptable set of use cases.
  • Identify one-time or custom use cases where data being transmitted over untrusted networks can be detected and encrypted so that the legitimate action can continue with stronger security.
  • Build out a robust key management infrastructure with broad platform support to provide encryption at the application level, for data in the cloud, and other mobile data that will legitimately exist outside of the traditional IT environment.
  • Introduce decoy data for "chaff" into the environment that can act to obfuscate legitimate data and act as a forewarning, if tracked appropriately, for a data loss event.
  • Work to integrate specific policy-based encryption capabilities to data wherever it resides and wherever it travels. These controls will "follow the data" wherever it goes.

We need to find a simplified yet efficient way to securely manage data. This data will be both on- and off-premise, mobile and static, in the cloud and on a mobile or IoT device. We also need to be aware that data security is not a silo; the value of data is only realized after it is — to use the oil analogy — refined using analytics to better understand the patterns that deliver value to the business. As a result, it is not simply about statically securing data, but also about being able to secure it in a more fluid manner, one that still permits usability both at rest and in flight.

 

Let our Cloud Experts help you design and deliver
cloud services that best fit your needs.