The rapid growth of cloud services is an indication that companies are eager to quickly deploy new cloud-based applications that can make their workers more collaborative, mobile, and productive. However, as sensitive corporate data moves beyond the firewall, IT organizations are understandably unsure about their ability to continue enforcing the security and compliance policies they use for data stored on premises. And sensitive data is moving outside the company even faster than many in IT realize. Analyzing cloud usage for over 18 million users, Skyhigh found that 21% of files uploaded to cloud-based file sharing services contain sensitive personally identifiable information (PII), protected health information (PHI), payment card data, or intellectual property.
When considering whether the cloud is secure or not, we first examined the security controls available from cloud providers. The Skyhigh Service Intelligence Team maintains a registry of over 12,000 cloud services with a 1-10 rating of enterprise readiness derived from over 50 attributes, including whether the service encrypts data at rest, offers multi-factor authentication, and carries an ISO 27001 certification. We found that the availability of these basic security controls (the ones you would want to look for when procuring a service) varies widely between providers. Some key findings about security include:
Another factor to consider is the scope of government surveillance revealed by Edward Snowden. Unchecked surveillance by the U.S. and other countries is a growing threat to privacy as data moves to the cloud. A controversial aspect of current surveillance law compels cloud computing companies to surrender to the U.S. government, on request, private customer data stored in the service providers’ servers. Companies such as Google, Microsoft, Yahoo!, Facebook, Evernote, Apple and Dropbox actively oppose the data disclosure program but are required by law to comply with government requests for data. Don’t expect the government or the cloud provider to notify you that your data was requested.
You might assume your data is secure in the cloud – and most likely it is – but breaches of cloud providers do happen. For instance, popular services such as Google Drive, LinkedIn and Evernote all suffered data breaches in the past year. Customer content stored in Apple iCloud was also breached, although Apple claims it was not a breach but a targeted attack on user names, passwords and security questions that led to the illicit exposure. Regardless of how a breach happens, these events reinforce the need to apply controls around data in the cloud.
Even if a cloud service is fairly secure, employees can use it in risky ways. Many companies overlook the possibility of insider threats. One of the most common types of insider threat incident is a sales person downloading customer contact information right before she quits to join a competitor. Most likely the company would never know about this theft of data. You may assume that the cloud provider is responsible for the security of your data, but most terms of service assign that responsibility to the customer. But how are you supposed to detect a breach in a cloud service? How do you discover that an attacker has compromised one of your employees’ login credentials and is now stealing data?
Here are some steps your company can take to assure a more secure cloud computing experience:
You don’t have to sacrifice data security for the convenience of cloud services. Skyhigh can help you select and adopt low risk services and put policies in place to give you enterprise-grade levels of trust in your cloud services. A growing number of people think the cloud can actually be more secure than on-premise software. Consider that a cloud provider like Salesforce may have a much larger and more specialized security team than your own organization. With the proper security and compliance controls, you can achieve higher levels of security for data stored in the cloud than in traditional on-premise software.