This is the sixth installment of The Top 10 Quick-Tips for Shoring Up Your Cloud Data Security. Last time we looked at some of the hidden risks of open source code sharing sites and this week we explore the right way to manage risk.
Top 10 Quick-Tips for Shoring Up your Cloud Data Security
Tip #10: Ensure consistent egress policies across regions
Tip #9: Don’t rely on URL categorization services for cloud access policy enforcement
Tip #8: Carefully monitor cloud policy exceptions for misuse
Tip #7: Don’t neglect Data Loss Prevention (DLP) for the cloud
Tip #6: Prevent the loss of IP through code sharing sites
Tip #5: Point-in-time cloud usage data can be deceiving
A telling story
A customer recently shared an interesting story with us. They told us that they were monitoring the growth in cloud service usage over time and saw some interesting patterns that we could share with our readers. They reported on the number of cloud services in use every quarter, starting with September last year.
March – 612
June – 773
September – 981
The most startling (and obvious) observation is that the number of services used increased by more than 50% in half a year. Mark this up as yet another data point showing that use of cloud services is rampant.
Point-in-time cloud usage data can be deceiving
Running a one-time audit of cloud usage is, no doubt, better than never doing it at all, but as the example shows, usage evolves rapidly so information is quickly outdated.
The more effective approach is to continuously evaluate your cloud service usage, and to evaluate it across 3 dimensions: 1) Number of services and number of users per service, 2) Risk level of services used, and 3) Data movement to/from the cloud. Let me explain.
1 – Number of services and number of users per service
It’s important that IT continuously look at the services used so they can identify productive services to promote and high-risk services to avoid. It’s also useful to keep an eye on the number of users for each service, for example to see which services are spreading like wildfire (this can be good or bad depending on the value and risk of the service). If 20% or 30% of your employees use a service, maybe it’s time to look at an enterprise license.
2 – Risk level of services used
The risk level of services can change for the better or the worse. For example, cloud services can implement new security features that reduce their data risk and make them more attractive for enterprise use, or they can experience a serious security breach that increases the risk level instantly. Constantly monitor the risk level for services your employees use – especially the ones housing corporate data.
3 – Data sent to or living in each service
When managing the risk of cloud usage it’s critical to regularly look at what type and what volume of data is going to and from cloud services. For confidential data, regular audits should be conducted to ensure DLP policies are being effectively enforced. Also, by maintaining a continuous view of usage over time you’ll be able to better detect anomalies and reduce false positives, which will help you identify malware or malicious activity.
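The three dimensions above can be tracked period over period from egress or proxy log summaries. The following is an added example, not code from the original post: the record layout, service names, risk ratings and headcount are constructed, the 20% adoption mark from above is used as the license threshold, and the 5x upload-spike factor is an assumption.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data: (period, user, service, bytes_uploaded)
RECORDS = [
    ("2024-Q1", "alice", "filebox", 40_000), ("2024-Q1", "bob", "filebox", 35_000),
    ("2024-Q1", "carol", "notepad-x", 5_000),
    ("2024-Q2", "alice", "filebox", 42_000), ("2024-Q2", "bob", "filebox", 38_000),
    ("2024-Q2", "carol", "notepad-x", 6_000), ("2024-Q2", "dave", "pastehub", 2_000),
    ("2024-Q3", "alice", "filebox", 41_000), ("2024-Q3", "bob", "filebox", 36_000),
    ("2024-Q3", "carol", "notepad-x", 5_500), ("2024-Q3", "dave", "pastehub", 900_000),
    ("2024-Q3", "erin", "pastehub", 3_000), ("2024-Q3", "erin", "sharepad", 1_000),
]
# Constructed risk ratings per period (1 = low, 5 = high); a rating can change.
RISK = {"2024-Q1": {"filebox": 2, "notepad-x": 3},
        "2024-Q2": {"filebox": 2, "notepad-x": 3, "pastehub": 4},
        "2024-Q3": {"filebox": 4, "notepad-x": 3, "pastehub": 4, "sharepad": 3}}

def evaluate(records, risk, headcount, license_share=0.20, spike_factor=5.0):
    """Per period: service count plus findings across the three dimensions."""
    users = defaultdict(lambda: defaultdict(set))    # period -> service -> users
    volume = defaultdict(lambda: defaultdict(int))   # period -> service -> bytes
    for period, user, service, nbytes in records:
        users[period][service].add(user)
        volume[period][service] += nbytes
    report, history, prev_risk = {}, defaultdict(list), {}
    for period in sorted(users):
        findings = []
        for service in sorted(users[period]):
            # Dimension 1: adoption share of the workforce
            if len(users[period][service]) / headcount >= license_share:
                findings.append((service, "license-candidate"))
            # Dimension 2: risk rating got worse since the last period seen
            now = risk.get(period, {}).get(service)
            if now is not None and now > prev_risk.get(service, now):
                findings.append((service, "risk-increased"))
            # Dimension 3: upload volume far above this service's own baseline
            past = history[service]
            if past and volume[period][service] > spike_factor * mean(past):
                findings.append((service, "upload-spike"))
            history[service].append(volume[period][service])
            if now is not None:
                prev_risk[service] = now
        report[period] = {"services": len(users[period]), "findings": findings}
    return report

if __name__ == "__main__":
    for period, result in evaluate(RECORDS, RISK, headcount=10).items():
        print(period, result)
```

A one-time audit taken in Q2 of this sample would show three services and no risk or volume findings; the rating change and the upload spike only appear because Q3 is compared against earlier periods.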
A point-in-time perspective of cloud usage provides only a fraction of the data you’ll need to ensure secure use of cloud services.