The rapid growth of cloud services is an indication that companies are eager to quickly deploy new cloud-based applications that can make their workers more collaborative, mobile, and productive. However, as sensitive corporate data moves beyond the firewall, IT organizations are understandably unsure about their ability to continue enforcing the security and compliance policies they use for data stored on premises. And sensitive data is moving outside the company even faster than many in IT realize. Analyzing cloud usage for over 18 million users, McAfee found that 21% of files uploaded to cloud-based file sharing services contain sensitive personally identifiable information (PII), protected health information (PHI), payment card data, or intellectual property.
When considering whether the cloud is secure or not, we first examined the security controls available from cloud providers. The Service Intelligence Team maintains a registry of over 12,000 cloud services with a 1-10 rating of enterprise readiness derived from over 50 attributes, including whether the service encrypts data at rest, offers multi-factor authentication, and carries an ISO 27001 certification. We found that the availability of these basic security controls (the ones you would want to look for when procuring a service) varies widely between providers. Some key findings about security include:
- Just 15% of the cloud service providers offer multi-factor authentication, a key control to reduce the impact of compromised account credentials.
- Only 10% encrypt data at rest. Encryption of sensitive data in the cloud should be a minimum security requirement.
- Only 6% are ISO 27001 certified. Certification assures that the service provider uses a systematic approach to managing sensitive customer information so that it remains secure.
Another factor to consider is the scope of government surveillance revealed by Edward Snowden. Unchecked surveillance by the U.S. and other countries is a growing threat to privacy as data moves to the cloud. A controversial aspect of current surveillance law compels cloud computing companies to surrender to the U.S. government, on request, private customer data stored in the service providers’ servers. Companies such as Google, Microsoft, Yahoo!, Facebook, Evernote, Apple and Dropbox actively oppose the data disclosure program but are required by law to comply with government requests for data. Don’t expect the government or the cloud provider to notify you that your data was requested.
You might assume your data is secure in the cloud – and most likely it is – but breaches of cloud providers do happen. For instance, popular services such as Google Drive, LinkedIn and Evernote all suffered data breaches in the past year. Customer content stored in Apple iCloud was also breached, although Apple claims it was not a breach but a targeted attack on user names, passwords and security questions that led to the illicit exposure. Regardless of how a breach happens, these events reinforce the need to apply controls around data in the cloud.
Even if a cloud service is fairly secure, employees can use it in risky ways. Many companies overlook the possibility of insider threats. One of the most common types of insider threat incidents is when a sales person downloads customer contact information right before she quits to join a competitor. Most likely the company would never know about this theft of data. You may assume that the cloud provider is responsible for the security of your data, but most terms of service assign that responsibility to the customer. But, how are you supposed to detect a breach in a cloud service? How do you discover that an attacker has compromised one of your employee’s login credentials and is now stealing data?
Here are some steps your company can take to assure a more secure cloud computing experience:
- Always read the terms of service when subscribing to a cloud application. It’s sometimes surprising what a provider will disclose in the terms and conditions. At the very least, the provider should give details about how it handles your data. If anything in the terms of service makes you uneasy, find an alternate service provider or bolster this provider’s security with add-on security, such as third-party data encryption.
- Trust but verify cloud provider security credentials. There are several credentials that indicate a provider takes security seriously. For example: SOC 1/SSAE 16/ISAE 3402; SOC 2; ISO 27001; PCI DSS Level 1; ITAR; FIPS 140-2; and others. Your audit group might insist on documentation to verify the cloud provider’s credentials in a pre-contract risk assessment.
- Detect anomalous usage and respond to it quickly to stop or limit a breach. Is it odd that the sales person is downloading hundreds of customer contact records at a time? Establish policies that control the appropriate use of data in the cloud and determine a course of action if those policies are violated. For example, drop the session, block the data transfer, notify HR, etc. Anomalous behavior is often a good indicator of compromise.
- Prevent sensitive data from being uploaded to the cloud. Customer relationship management services account for 20.4% of all corporate data uploaded to the cloud, and on average, 6% of CRM fields contain sensitive data. Some companies have chosen to use a data loss prevention (DLP) solution to prevent sensitive data from being uploaded outside of policy.
- Restrict data uploads from going to the riskiest cloud services. Cloud services may be considered risky because they lack basic security features, have onerous legal terms and conditions, or have a known history of breaches. Skyhigh tracks these high-risk services and publishes a list of them in the quarterly Cloud Adoption & Risk Report.
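The following is an added example, not code from Skyhigh or McAfee, that ties together two ideas from this post: the service registry that rates enterprise readiness from security attributes (multi-factor authentication, encryption at rest, ISO 27001 certification), and the usage policies above that flag anomalous bulk downloads and block sensitive uploads to services that lack basic controls or are high-risk. The service names, attribute weights, thresholds, response actions and event lines are all constructed for illustration; Skyhigh's real model uses over 50 attributes and is not reproduced here.

```python
"""Added example (not Skyhigh/McAfee code): a small cloud-usage policy engine.

It scores services from security attributes, then evaluates constructed
access events against three policies drawn from the post:
  1. anomalous bulk download of records by one user in a short window
  2. sensitive data uploaded to a service that does not encrypt at rest
  3. any upload to a low-readiness (high-risk) service
All names, weights and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed service registry (the real one tracks 12,000+ services).
SERVICES = {
    "crm-example":    {"mfa": True,  "encrypt_at_rest": True,  "iso27001": True,  "breach_history": False},
    "fileshare-demo": {"mfa": False, "encrypt_at_rest": False, "iso27001": False, "breach_history": True},
    "notes-sample":   {"mfa": True,  "encrypt_at_rest": False, "iso27001": False, "breach_history": False},
}
# Assumed weights; chosen so a service with every control scores 10.
WEIGHTS = {"mfa": 3, "encrypt_at_rest": 3, "iso27001": 3, "breach_history": -2}

BULK_THRESHOLD = 500              # records per user per window (assumption)
WINDOW = timedelta(minutes=10)    # sliding window for the download policy
MIN_UPLOAD_SCORE = 7              # uploads to services below this are blocked

# Constructed events: "<iso-timestamp> <user> <upload|download> <service> records=N sensitive=yes|no"
SAMPLE_EVENTS = [
    "2014-05-01T09:00:12 alice download crm-example records=40 sensitive=yes",
    "2014-05-01T09:04:30 alice download crm-example records=60 sensitive=yes",
    "2014-05-01T09:06:05 bob upload notes-sample records=1 sensitive=yes",
    "2014-05-01T09:07:10 bob upload crm-example records=1 sensitive=yes",
    "2014-05-01T17:45:00 alice download crm-example records=480 sensitive=yes",
    "2014-05-01T17:49:20 alice download crm-example records=300 sensitive=yes",
    "2014-05-01T17:50:00 carol upload fileshare-demo records=1 sensitive=no",
]

LINE_RE = re.compile(
    r"^(\S+) (\S+) (upload|download) (\S+) records=(\d+) sensitive=(yes|no)$"
)


def readiness_score(attrs):
    """Map a service's attribute dict to a 1-10 enterprise-readiness score."""
    raw = 1 + sum(w for k, w in WEIGHTS.items() if k != "breach_history" and attrs.get(k))
    if attrs.get("breach_history"):
        raw += WEIGHTS["breach_history"]
    return max(1, min(10, raw))


def parse_event(line):
    """Parse one constructed event line into a dict; reject malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ts, user, action, service, count, sensitive = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "service": service, "records": int(count), "sensitive": sensitive == "yes"}


def evaluate(lines):
    """Return (user, service, finding, response) tuples for events that violate a policy."""
    findings = []
    recent = defaultdict(list)  # user -> [(timestamp, records)] downloads inside WINDOW
    for ev in map(parse_event, lines):
        attrs = SERVICES.get(ev["service"])
        # An unknown service has no verified controls, so treat it as the lowest score.
        score = readiness_score(attrs) if attrs else 1
        if ev["action"] == "upload":
            if ev["sensitive"] and (attrs is None or not attrs["encrypt_at_rest"]):
                findings.append((ev["user"], ev["service"],
                                 "sensitive_upload_unencrypted_service", "block_transfer"))
            elif score < MIN_UPLOAD_SCORE:
                findings.append((ev["user"], ev["service"],
                                 "upload_to_high_risk_service", "block_transfer"))
        else:
            # Keep only downloads within the sliding window, then add this one.
            hist = [(t, n) for t, n in recent[ev["user"]] if ev["ts"] - t <= WINDOW]
            hist.append((ev["ts"], ev["records"]))
            recent[ev["user"]] = hist
            if sum(n for _, n in hist) > BULK_THRESHOLD:
                findings.append((ev["user"], ev["service"],
                                 "anomalous_bulk_download", "drop_session;notify_hr"))
    return findings


if __name__ == "__main__":
    for name, attrs in SERVICES.items():
        print(f"{name:15s} readiness={readiness_score(attrs)}")
    for finding in evaluate(SAMPLE_EVENTS):
        print(finding)
```

The morning downloads by alice fall outside the ten-minute window of her evening ones, so only the 480 + 300 records after 17:45 trigger the bulk-download policy; a fixed daily total would have fired on the legitimate morning activity too. Bob's sensitive upload is blocked for the notes service because it does not encrypt at rest, while the same upload to the fully rated CRM service passes, which is the distinction the registry scores are meant to support.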
You don’t have to sacrifice data security for the convenience of cloud services. Skyhigh can help you select and adopt low-risk services and put policies in place to give you enterprise-grade levels of trust in your cloud services. A growing number of people think the cloud can actually be more secure than on-premises software. Consider that a cloud provider like Salesforce may have a much larger and more specialized security team than your own organization. With the proper security and compliance controls, you can achieve higher levels of security for data stored in the cloud than in traditional on-premises software.