Cloud applications are a mission-critical part of companies’ IT infrastructure today, and it’s increasingly common for employees to upload highly sensitive information to the cloud. In fact, Skyhigh’s analysis of cloud usage indicates that 22% of files uploaded to file sharing services contain sensitive or confidential data. Moreover, 37% of employees uploaded at least one file containing sensitive information to a file sharing service over the course of the last quarter. Recognizing that sensitive data in the cloud can have serious compliance consequences, we polled CISOs and identified 10 key questions and metrics they hold their teams accountable for compliance.
Today’s enterprises have deployed cloud services to support CRM, ERP, HR, collaboration, and backup operations. Applications like Salesforce, ServiceNow, Workday, Box, and Office 365, support mission-critical business functions, and because of this they often house sensitive or confidential information, such as customer data, financial data, employee data, intellectual property, or security infrastructure data. There are over 12,000 cloud services today, all with varying security, compliance, and governance capabilities.
At the same time, companies across industries must ensure compliance with PCI-DSS, HIPAA-HITECH, GLBA, SOX, CIPA, FISMA, FERPA, and other industry-specific and regional regulations. In order to do so they must ensure the protection of various types of information, including:
|· Names||· Bank account numbers|
|· Address||· Professional certificate or license number|
|· Birthdate||· License plate number|
|· Telephone or fax number||· URLs or IP address|
|· Email address||· Finger and voice prints|
|· Social security number||· Full face photographs|
|· Medical record number||· Any unique identifying number|
|· Health plan number|
According to Gartner, compliance will always be a core security deliverable.
Within organizations, cloud users, IT departments, and CIOs/CISOs all share responsibility for compliance. Skyhigh surveyed over 200 IT leaders in partnership with the Cloud Security Alliance and found that 21% of companies have a cloud governance committee responsible for establishing and enforcing policies that protect corporate data in the cloud. IT security is the most common group found on these committees, followed by IT, legal, and compliance/risk. Considering the stiff financial penalties of a compliance violation, and mandatory breach disclosure rules that often precede a wave of customer lawsuits, more companies likely need a formal process for compliance that includes a broad set of stakeholders.
While regulations vary, they generally mandate that organizations must understand where sensitive data is stored within cloud services, audit how the data is used, and protect the data from being compromised or exposed beyond people who should have access to the data. We polled IT security leaders across industry verticals and found 10 questions and metrics they hold their teams accountable for regularly:
- Which applications house sensitive data subject to regulatory compliance?
- What are the security capabilities of the services housing sensitive data?
- What are the legal terms of the services housing sensitive data?
- Which employees are accessing sensitive data, and how are they using or sharing it?
- Which employees are uploading sensitive data to high-risk services?
- Which administrators have behavioral anomalies that indicate excessive privilege access?
- When is sensitive data uploaded to the cloud, and what action should be taken (allow, block, quarantine, encrypt)?
- How do we leverage previous resource investments and extend existing on-premise data loss prevention policies to the cloud?
- How do we implement a closed workflow to review, remediate compliance violations, and educate violators?
- Is sensitive data kept in a specific country or region to comply with international data residency requirements?
Compliance supporting activities and procedures should make IT security processes easier and more comprehensible for everyone within the organization. With regards to SaaS applications, they should address specifics with provable data for various compliance methods, track user activity across cloud based applications and services, and enable integration within the enterprise by supporting log generation that can be incorporated with existing SIEMs. Furthermore, it is important that the aforementioned compliance supporting activities help the organization identify specific cloud services that not only satisfy the needs of the employees, but also meet the organization’s compliance standards.