The decision to use a third-party vendor or not depends on several factors. Regardless, cloud data security is a crucial part of business planning.
For businesses, the use of cloud data storage, at least for backup, has become almost inevitable. Many companies might not even be aware that their data backup or file-sharing service is based on the cloud. And that really is one of the key issues here: awareness and understanding are essential to data security.
While the cloud can provide computing resources and hosting, as well as data storage, this discussion will focus on the issues of data security.
Cloud Data Breaches are a Problem
Over the course of the past year, there have been a great number of cloud data breaches. Many involve Amazon’s Simple Storage Service (S3), including six million Verizon records, two to four million Dow Jones customer records, and 60,000 sensitive military files at a defense contractor which have been leaked through misconfigured server settings. Other exposures involved World Wrestling Entertainment and the Republican National Committee. In these two cases, the data was left exposed but, as far as anyone known, was detected before there was an actual theft of data by an outsider.
This isn’t to pick on Amazon. It’s just that AWS S3 is incredibly popular and so widely used that it is inevitable that it would be a frequent target. There is no indication that it is inherently less secure than its competitors.
RedLock, a cloud infrastructure security company, recently issued a Cloud Infrastructure Security Trends report estimating that 40 percent of organizations using cloud storage services had publicly exposed some of their cloud storage without realizing what they were doing.
Who's Responsible for Security?
The large cloud services providers ensure the security of their physical facilities and server hardware. They also offer customers a wide range of security services and tools for customers to secure their own data. Customers, however, have to understand how to use these services, implement them correctly, and keep them updated.
Depending on the provider and the level of service, applications may or may not be protected. This means data may or may not be guaranteed to be transmitted and stored securely.
While many companies do choose to handle this security on their own, or pay the cloud provider to handle it, an experienced third- party cloud security vendor willing to work with your organization can be a cost-effective choice.
The Consequences of a Breach
Whether it is the large cloud provider or a specific security vendor, data protection is provided by a third party. But the legal and regulatory compliance obligation to protect any Personally Identifiable Information (PII) obtained from its customers will remain the responsibility of the business itself.
This is important to keep in mind since the consequences of unauthorized release of sensitive data are increasingly severe, both in terms of regulatory sanctions and lawsuits. The advent of the EU in 2018 will substantially increase penalties. The advent of the EU General Data Protection Regular (GDPR) in 2018 will substantially increase penalties.
The Process of Security
Security is not a simple matter of purchasing something or hiring someone. It is a process that needs to be constantly reevaluated and updated. Security procedures need to evaluate employee errors and noncompliance, access control must remain up to date, recovery and communication plans for when a breach does occur have to be kept current. These are all responsibilities of the cloud data storage user.
All of these must be clearly laid out in written guidelines to inform employees who can use cloud services, how to use them, and which data can be stored in the cloud. The guidelines should also be specific to the security technologies to be used for data protection.
Encryption is key among these technologies. Not only should all data in cloud storage be encrypted, but it should also be encrypted during transit because that is when it is most vulnerable. While GDPR fines could go as high as four percent of the total turnover of a company for a negligent breach, violation of encrypted data would have significantly lower penalties.
Cloud Security Vendors
Cloud security vendors of various types can act as both advisors and managers of cloud security. The market is competitive, with most of the vendors based in either the US or in Israel, and range in size from startup to large incumbent. Each customer should assess its particular needs and required level of support. But, cloud data security is now a crucial part of business planning.