As many CISOs will tell you, IT security today is all about protecting data, not data centers. This data-centric view is largely a product of data moving to the cloud and mobile and it’s so relevant today that Gartner focuses on this in their latest research on protecting data in the cloud. In their latest report, Gartner identified 4 pillars companies must address to protect their information: visibility, compliance, threat detection, and data security. With the average company uploading more data to the cloud every day, and 21% of files uploaded to file sharing services containing sensitive data, the stakes for securing data couldn’t be higher.
With regards to data security, Gartner says that data is mission-critical to the enterprise and that securing that data is the primary goal of any IT Security organization. Therefore, if the enterprise is moving its data into cloud services, IT Security must:
- Ensure that sensitive data is encrypted using known good algorithms or tokenized before entering the cloud service via a configurable data security policy.
- Ensure that robust authentication procedures are defined and enforced, including central credential store usage, certificates, and multi-factor authentication.
- Support encryption key management via a hardware security module (HSM).
- Ensure that only the authorized users and groups have access to enterprise data
- Prevent data from being lost within cloud services when the owner is de-provisioned.
- Ensure functionality within cloud services is maintained when data within those services is encrypted or tokenized so that the value of the services can be fully realized.
- Ensure that data loss prevention and e-discovery are available for cloud services, just as they are for on-premise systems today.
We polled CISOs about the questions and metrics they expect their teams to be able to answer. Many of the questions were related to determining the data that should be encrypted in specific cloud services. But there were also questions about operational activities they expected their team to perform such as tracking breaches of cloud services used by employees and auditing the security controls of cloud providers in use. Key questions asked by CISOs include:
- Which cloud services encrypt data at rest and provide multi-factor authentication?
- What are the compliance certifications of the services employees are using?
- Which of our cloud services undergo regular penetration testing?
- Which of our cloud services have been compromised in the last week, month, year?
- Which data should be encrypted in which cloud services?
- How do we encrypt data while maintaining required functionality within cloud services?
- How do we encrypt data while controlling our own encryption keys?
- How do we employ tokenization to ensure data privacy in addition to security?\
- How do we enforce access policies based on user, device, and location?
Some cloud services have security capabilities that far-exceed most corporate data centers. However, with over 12,000 cloud services available today, there is a large variation in the security capabilities offered. The good news is that an increasing number of cloud services are investing in security, but a larger number still do not offer even basic security features. Only 17% of cloud services provide multi-factor authentication, only 5% are ISO 27001 certified and only 11% encrypt data at rest. For this reason, it is important to look at the risk of services individually and enable risk-based policies on acceptable usage.
In services with high levels of built in security, users and their devices can often be the weakest link. Users frequently lose devices or leave them in insecure locations and are prone to lose passwords as well. A shocking 12% of employees have at least one corporate identity (username and password) for a cloud service that has been compromised for sale on the Darknet (online black markets) today.
A study by Joseph Bonneau at the University of Cambridge showed that 31% of passwords are re-used in multiple places. The implication here is that, for 31% of compromised identities, an attacker could not only gain access to all the data in that cloud service, but potentially all the data in the other cloud services in use by that person as well. Considering that the average person uses three different cloud file-sharing services, and 37% of users upload sensitive data to cloud file-sharing services, the impact of one compromised account can be immense.
Enterprises can improve the security of their data by employing access control policies for cloud services that take into account the context of the user, data, device, and location. For example, an executive may be able to view and download important financial data to her laptop when in the office, but may be restricted to viewing only when on her mobile device in a foreign country.
Additionally, enterprises can take extra steps to ensure the security of their data by employing encryption and tokenization and controlling their own keys. Encryption can be tricky, and several considerations must be made when evaluating encryption options.
First, enterprises must avoid “proprietary algorithms” in favor of encryption algorithms that are both peer- and academia-reviewed to ensure that they are up to modern cryptographic standards.
Second, enterprises must also verify that the algorithms used can support the required functionality of their application since there is a trade-off between the security of an algorithms and the functionality that it can support. To better understand the specific tradeoffs, read The Cloud Encryption Handbook: Encryption Schemes and Their Relative Strengths and Weaknesses. Finally, to maximize data security, enterprises must control their own encryption keys. By taking control of their keys, they prevent a malicious insider at a cloud service or an inquiring government agency from gaining access to their data.