Cloud Security Lessons Learned from the Masters Tournament: Avoiding hazards on and off the course
The annual Masters tournament at the historic Augusta National Golf Club in Georgia is now in the books. While Augusta is known for its pristine greens, hazards abound. IT and security pros face a similar scenario when dealing with their organization’s cloud usage – hidden threats can pose major challenges.
Cloud apps are ubiquitous in organizations today. A recent study revealed that more than a quarter of files stored in the cloud are at risk of exposure due to being broadly shared, and one-in-ten sensitive documents that employees share via cloud services are at high risk of loss or theft due to overexposure.
In the spirit of the Masters, Blue Coat has shared a full round of tips and tricks to avoid the privacy, compliance and security hazards of cloud computing – and guide you confidently through the course to realize the full benefits enterprise cloud adoption can offer.
THE FRONT NINE: Hazards
1. Users don’t realize the risks of Shadow IT:
Business users see cloud apps as productivity enhancers. However, IT doesn’t know how corporate data is being used in the cloud. Business users are constantly signing up for cloud services, while IT may not be aware of what’s happening with each user, because those users are not following formal IT and security policies.
2. B2B Contractual Clauses:
Businesses providing services for other businesses are increasingly seeing contractual clauses requiring business data that is maintained by the service provider to be treated in certain ways. For example, if business data is placed in 3rd party cloud systems, additional safeguards may need to be put in place to ensure it is adequately protected.
3. Cloudy terms and conditions:
The policies and standards your organization adheres to regarding the treatment of data may not be shared by your cloud service providers. Yet, when users sign up for cloud apps, they agree to the associated terms and conditions without confirmation from IT or security that the cloud apps are secure and compliant.
4. Authentication and access control measures:
According to Elastica, a Blue Coat company, companies have more than 812 cloud apps running at any given time. This drastically opens up the realm of possibilities for threats. Simply blocking access will not be a viable option for long, so it’s time to be proactive and put long trusted security and data governance measures in place to make sure that no matter where your data is or on what device it resides, it is protected.
5. Virtual exploits:
Virtualization technology is a core component of a SaaS cloud service provider’s infrastructure, but carries its own threats and risks. As cloud users, don’t be left in the dark on what virtualization products your CSP is using and take steps to mitigate risks if required.
6. Hidden threats:
Encrypted traffic may bring some unexpected visitors back into your corporate network. Gartner predicts that in 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls. Attackers are looking to leverage the blind spots created via SSL traffic coming from cloud environments to penetrate your infrastructure and steal data.
7. Data privacy responsibilities:
Business data often needs to be guarded and protected more stringently than non-sensitive data. The enterprise is responsible for any breaches of its data and must be able to ensure strict security measures are in place regardless of where the data resides.
8. Industry and regulatory compliance:
Organizations often have access to and are responsible for data that is highly regulated and restricted. Many industry-specific regulations require an enterprise to follow defined standards to safeguard private and business data and to comply with applicable laws.
9. Data residency restrictions:
Companies frequently find that certain types of customer information need to be kept within a defined geographic jurisdiction, making the use of cloud solutions based in other parts of the world extremely difficult. Increasingly strict residency requirements are a significant challenge to cloud adoption.
THE BACK NINE: Winning Tactics
1. Establish comprehensive data governance policies:
Governance needs to be clearly established by senior management and policies need to be put in place to ensure compliance with internal and external data privacy mandates. Data should be classified based on sensitivity, and the correct data security techniques need to be applied to each class of data.
2. Implement data security services:
Consider offering security services such as “encryption-as-a-service” or “tokenization-as-a-service” to business units within the enterprise to enable compliant cloud adoption while protecting data being processed and stored in the cloud.
3. Get a grip on your clouds:
- Use cloud visibility and audit services to understand what clouds your departments are using and what sorts of data are being stored and processed in them. Understand the risk profiles of these cloud services and take steps to limit or control access to cloud services that are not aligned with your enterprise’s security and data compliance policies.
- Experts recommend testing for security risks, including network, logical and architectural risks, and it’s crucial to have a testing strategy in place. Discuss your strategy with your cloud provider, as well as with your IT and security organizations, before beginning testing. Open communication is key: you must set appropriate expectations with management well before testing begins.
IT needs to look for conditions related to openness, such as adherence to industry standards and the ability of security solutions to integrate with one another, in order for trust in the cloud to be established.
6. Use more than one cloud service:
A multi-cloud strategy minimizes the risk of widespread data loss or downtime due to a localized component failure in a cloud-computing environment. Develop a security platform that allows the business to implement consistent data protection policies across multiple cloud services.
7. Educate employees on security:
People, processes and technology all need to play critical roles in ensuring adequate safeguards are in place. Take the proactive steps to avoid costly mistakes.
8. Boost your visibility:
- Inspect SSL traffic coming back into your organization to guard against sophisticated attacks. Encrypted Traffic Management solutions can route traffic for deep analysis and mitigate the risks that this new form of attack poses to your business.
9. Do encryption right:
Do not store encryption keys in the software where you store your data. IT teams need to keep physical ownership of encryption keys as well as vet the strength of the encryption techniques being used. And don’t forget data in-use. Data in use is, effectively, the data that has been loaded into a process and is in the memory of the program that is running. Make sure you own the entire encryption process of your sensitive and regulated data (at both the field and file levels).
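Tips 2 and 9 both come down to one design rule: the cloud record carries only a substitute for the sensitive field, and the mapping back to the real value stays on enterprise-owned infrastructure. The following tokenization vault is an added illustration of that rule, not Blue Coat code; the field names, sample customer values and the "keep the last four digits" token format are all constructed for the example.

```python
import secrets

# Fields that must never reach the cloud app in cleartext (constructed example set).
SENSITIVE_FIELDS = ("ssn", "card_number")


class TokenVault:
    """Enterprise-held vault mapping tokens to cleartext. It is the only place the
    real values live; the cloud data store only ever sees the tokens it issues."""

    def __init__(self):
        self._by_value = {}   # cleartext -> token, so repeated values tokenize consistently
        self._by_token = {}   # token -> cleartext

    def tokenize(self, value: str) -> str:
        if value in self._by_value:
            return self._by_value[value]
        while True:
            # Format-preserving token: random digits of the same length, keeping the
            # last four so the cloud app can still display "ending in 1234".
            body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
            token = body + value[-4:]
            if token != value and token not in self._by_token:
                break
        self._by_value[value] = token
        self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return self._by_token[token]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Copy of `record` that is safe to send to the cloud: sensitive fields become tokens."""
    return {k: (vault.tokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def reveal_record(cloud_record: dict, vault: TokenVault) -> dict:
    """Inverse of protect_record; only possible where the on-premises vault is reachable."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v) for k, v in cloud_record.items()}


if __name__ == "__main__":
    vault = TokenVault()
    customer = {"name": "A. Example", "ssn": "123456789", "card_number": "4111111111111111"}
    cloud_copy = protect_record(customer, vault)   # this is all the cloud provider stores
    print(cloud_copy)
    print(reveal_record(cloud_copy, vault) == customer)
```

A breach of the cloud store yields only tokens; the same applies to any process that holds the cloud copy in memory, which is the "data in use" point above.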
By following these tips, you can mitigate threats and ensure your organization is deserving of the coveted “green jacket.”
About the Author
Gerry Grealish leads the marketing strategy for Blue Coat Systems Cloud Data Protection Platform. Previously, Gerry was CMO of Perspecsys and also ran Product Marketing for the TNS Payments Division, helping create the marketing and product strategy for its payment gateway and tokenization/encryption security solutions.
Edited by Peter Bernstein