For many organizations, concern about the security of cloud infrastructure is one of the main reasons they are reluctant to adopt cloud technologies. How justified is this concern?

Every day, IT departments are confronted with an ever-increasing number of threats, must adhere to numerous legislative norms, and must ensure the protection of more and more data. And because employees often start using cloud technologies on their own initiative, the number of requests to IT departments will increase, as will the number of projects that they have to support.
At the same time, there is no doubt that cloud technologies bring great advantages. For example, they will help your organization:
- bring new products and services to market quickly
- reduce the cost of storage and related infrastructure
- provide access to business applications and information at any time, from anywhere and from any device
- process, analyze and use data faster
Of course, the cloud helps to cope with the growing volumes of data generated in the modern interconnected and highly competitive digital world. But what if YOUR private data is in a public cloud that you DO NOT CONTROL?
The good news is that you don’t have to give up new or ongoing cloud initiatives. All you need to do is make sure that your team has an action plan that will help eliminate concerns about the security of cloud infrastructures and answer the following questions:
1. How can we show that we control data in the cloud and comply with regulatory requirements?
To ensure regulatory compliance, organizations need to centrally, comprehensively and effectively track any actions with regulated data, even if this data is placed in cloud environments. In particular, this requires an authentication management platform that allows your company to centrally establish policies and control their observance both within its own infrastructure and in relation to cloud applications and services.
In addition, organizations must have a centralized and efficient tool for managing encryption and encryption keys throughout the company. This allows you to streamline control over access to your critical information, wherever it is, and also to simplify the corresponding audits.
2. How can you mitigate the risks associated with storing sensitive data in the cloud and with the sovereignty of this data?
We recommend discussing this particular issue with your legal department. It is important to understand that many countries and regions may have their own specific regulatory requirements governing where “sensitive” information can and cannot be placed. For example, before a federal government agency in the United States can transfer sensitive information to the cloud, it must ensure that the cloud service provider does not store or manage this data outside of the country.
Similarly, in a number of European countries, healthcare providers will not be able to use the services of a cloud service provider to store patient data unless all of the equipment of this provider is located exclusively in the territory of that particular country. In Russia, there is also a requirement to store confidential user information on servers hosted domestically.
3. How can we prevent the administrators of the cloud infrastructure and other users from accessing our sensitive data?
Your organization should have a way to protect itself from insider threats and to minimize the risks associated with malicious administrators. It is your responsibility to make sure that, even when working with multi-user public cloud environments, your team has sufficient tools and rights to protect sensitive data and to prevent abuse by the administrators of cloud service providers.
The same applies to cases where cloud services are used to host the SaaS application infrastructure. In addition, you should ensure separation of duties so that important administrative tasks, such as making changes to policies or exporting keys, are performed by different administrators.
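One way to check the separation of duties described above is to review the administrative audit trail for any administrator who has performed both policy changes and key exports. The following is an added example, not part of the original article; the log format, action names and administrator names are constructed assumptions.

```python
from collections import defaultdict

# Assumed mapping from audit-log action names to administrative duties.
DUTY_OF_ACTION = {
    "UpdatePolicy": "policy_change",
    "DeletePolicy": "policy_change",
    "ExportKey": "key_export",
}
# Pairs of duties that one administrator must never combine.
CONFLICTS = [("policy_change", "key_export")]

# Constructed sample log: key=value pairs, one event per line.
SAMPLE_LOG = """\
ts=2024-03-01T09:12:04Z admin=alice action=UpdatePolicy target=pol-encrypt-at-rest
ts=2024-03-01T10:40:51Z admin=bob action=ExportKey target=key-orders-db
ts=2024-03-02T08:03:17Z admin=carol action=ListKeys target=*
ts=2024-03-02T14:22:09Z admin=alice action=ExportKey target=key-hr-archive
this line is truncated and must not crash the check
ts=2024-03-03T11:00:00Z admin=bob action=ExportKey target=key-orders-db
"""

def parse_event(line):
    """Return the event as a dict, or None if required fields are missing."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields if {"ts", "admin", "action"} <= fields.keys() else None

def duty_violations(log_text):
    """Map each admin who combined conflicting duties to the evidence events."""
    seen = defaultdict(lambda: defaultdict(list))  # admin -> duty -> events
    for line in log_text.splitlines():
        event = parse_event(line)
        duty = DUTY_OF_ACTION.get(event["action"]) if event else None
        if duty:  # actions outside the mapping (e.g. ListKeys) are ignored
            seen[event["admin"]][duty].append((event["ts"], event["action"]))
    violations = {}
    for admin, duties in seen.items():
        for first, second in CONFLICTS:
            if first in duties and second in duties:
                violations[admin] = sorted(duties[first] + duties[second])
    return violations

if __name__ == "__main__":
    for admin, evidence in duty_violations(SAMPLE_LOG).items():
        print(f"{admin} performed conflicting duties: {evidence}")
```
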
According to our survey of IT professionals at a number of leading global companies on the security of data hosted in the cloud:
4. How can we control which data is disclosed in response to a court request?
In this case, it is very important to know exactly what is happening, and to understand which data is being disclosed. If the court request is addressed to the cloud service provider, and your encryption keys are not controlled by you, the service provider will be forced to hand the encryption keys to the requestor, whether it is a government agency or some other structure. Moreover, the request can be organized in such a way that the service provider cannot even inform you.
If you control the encryption process in the cloud and own the corresponding encryption keys, you or your company may still be forced to hand over the keys to the requestor, but in any case you will know about it and will be able to respond accordingly.
5. How can you ensure that, if necessary, your data will be safely removed from the cloud?
If you stop using the services of one provider and want to switch to another, or if you just want to delete your data from the cloud, you must clearly understand what the provider’s procedures for deleting data are. Some cloud service providers may keep their customers' data until all bills are paid upon termination of the contract.
In addition, it is necessary to verify the proper deletion of instances and images of virtual machines that may contain sensitive information. Try to have a clear exit plan from the provider that would allow you to be sure that none of your data remains in the cloud.
6. How can you centralize data security across various environments?
If your organization implements segregated projects to meet various regulatory requirements, meet data protection requirements in individual business units, or eliminate security breaches, then you are not alone.
In this case, it is important to implement a centralized, unified approach to ensuring data security in the cloud and local environments. This will not only enhance the security of your organization, but also help reduce costs and increase business flexibility.
Does your organization have answers to these questions, and what do you think is the main deterrent holding your organization back from moving to the cloud? Share your thoughts in the comments.