When companies consider moving to the cloud, they face a critical challenge: meeting the same internal and regulatory security requirements that are already imposed on their on-premises IT environment. According to the Netwrix 2015 Cloud Security Survey, 66% of organizations are subject to government or industry regulations, and 71% have internal security policies in place that require visibility into IT changes. Although cloud providers claim that their technology is mature enough to handle any security-related issues, ensuring data integrity in the cloud and proving it to compliance auditors are still among the top concerns for companies evaluating cloud platforms.
Based on my own experience and the stories shared by our customers, I advise evaluating providers carefully before moving your data to the cloud. As the data owner, you bear primary responsibility in the event of a data breach, regardless of where the data is hosted. Answering the following six questions will help you assess whether you will be able to protect your data and comply with regulatory security requirements in the cloud.
Question 1: Do you know your cloud provider and its services well enough?
It is essential to learn whether a provider meets your specific requirements. Discuss with your provider which regulatory standards it complies with, the physical location of its servers, its policies for data storage and deletion, and which security and analytics tools it uses to prove compliance. You should also ask how security incidents, data breaches or service disruptions will be handled, and what the disaster recovery procedures are. It is also worth finding out if the provider offers any additional security services that you can take advantage of. In short, before you trust your data to a third party, get to know them well.
Question 2: Does the contract with your cloud provider fully suit your needs?
Reading the service-level agreement (SLA) is not enough; you should clarify all the conditions in your contract. Make sure it clearly establishes the provider’s liability and details the division of responsibilities. Also ensure that you will be able to update the contract over time — for example, when compliance requirements are changed. The contract should also specify audit and control processes, and include items such as your right to monitor the provider’s compliance and its maintenance of data confidentiality.
Question 3: Do you have advanced identity management and access controls?
The Netwrix 2015 Cloud Security Survey found that 69% of companies are worried about unauthorized data access in the cloud. To mitigate this risk, monitor all data access events regardless of user role and apply the principle of least privilege on both sides, provider and client. Security measures in the cloud should include multi-factor authentication, separation of duties for administrative personnel, digital signatures and regular password updates.
Question 4: Is your data encrypted?
Encryption is critical because it protects data even if it falls into the wrong hands, and many regulatory standards require it. Be sure to use encryption for all your data: in transit, at rest and, where the provider actually supports it, in use. Also remember that encryption keys have to be rotated regularly and kept separate from the encrypted data, an obvious rule that is still frequently violated. Ask who holds the keys: if the provider stores both the data and the keys, encryption protects you from outside attackers but not from the provider's own staff or from anyone who compromises the provider.
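As an added illustration, not code from the original article, here is how the "keys separate from data, rotated regularly" rule is usually implemented: envelope encryption. Each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that lives somewhere the storage tier cannot read, and rotating the KEK only rewraps the small DEK instead of re-encrypting the data. The example is in Go using only the standard library; the names Seal, Open and Rewrap, the Envelope layout and the "kek-v<n>" version tag are my own choices, and the sample record in the usage note is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strconv"
)

// Envelope is what gets stored beside the data. The KEK itself is never in it.
type Envelope struct {
	Ciphertext []byte // nonce || AES-256-GCM(plaintext) under the per-object DEK
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the KEK
	KEKVersion int    // which KEK wrapped the DEK, so rotation state is visible
}

// NewKey returns a random 256-bit key, used for both KEKs and DEKs.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts under key with a fresh nonce; aad is authenticated, not encrypted.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil // output is nonce || ciphertext
}

func openWith(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(data) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:n], data[n:], aad)
}

// versionAAD binds a wrapped DEK to the KEK version it was wrapped under.
func versionAAD(v int) []byte { return []byte("kek-v" + strconv.Itoa(v)) }

// Seal encrypts one object under a fresh DEK and wraps that DEK with the KEK.
func Seal(kek []byte, kekVersion int, plaintext []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealWith(dek, plaintext, nil)
	if err != nil {
		return Envelope{}, err
	}
	wdek, err := sealWith(kek, dek, versionAAD(kekVersion))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedDEK: wdek, KEKVersion: kekVersion}, nil
}

// Open unwraps the DEK with the KEK, then decrypts the object; a wrong or retired KEK fails at the unwrap step.
func Open(kek []byte, env Envelope) ([]byte, error) {
	dek, err := openWith(kek, env.WrappedDEK, versionAAD(env.KEKVersion))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong or retired KEK")
	}
	return openWith(dek, env.Ciphertext, nil)
}

// Rewrap rotates the KEK: the DEK is unwrapped with the old KEK and wrapped again under
// the new one. The bulk ciphertext is neither decrypted nor rewritten, which keeps rotation cheap.
func Rewrap(oldKEK, newKEK []byte, newVersion int, env Envelope) (Envelope, error) {
	dek, err := openWith(oldKEK, env.WrappedDEK, versionAAD(env.KEKVersion))
	if err != nil {
		return Envelope{}, errors.New("rewrap failed: old KEK does not unwrap this envelope")
	}
	wdek, err := sealWith(newKEK, dek, versionAAD(newVersion))
	if err != nil {
		return Envelope{}, err
	}
	env.WrappedDEK, env.KEKVersion = wdek, newVersion
	return env, nil
}
```

A storage service would call Seal when an object is written, Open when it is read, and Rewrap across every stored envelope when the KEK is rotated: the Ciphertext field is byte-for-byte unchanged afterwards, the old KEK can no longer open the envelope, and because the version tag is authenticated as AAD a wrapped key cannot be replayed under a different version label. What the example deliberately leaves out is the part you buy from the provider or build yourself: the KEK living in a KMS or HSM under separate administrative control, which is the only way the "keys kept separately from data" rule actually holds against the provider's own storage tier.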
Question 5: Do you have visibility into what is going on?
According to the survey, more than 60% of the companies consider visibility into the cloud to be very important for ensuring security, and it becomes more vital as a company grows. User behavior analytics provide valuable insights into who does what, when and where across the entire IT infrastructure. To ensure that only authorized users access sensitive data, you must continuously track changes to system configurations and user permissions, as well as all access attempts, successful or not. Pay special attention to what your privileged users are doing to prevent privilege abuse. And make sure that a complete audit trail of all activities is available for compliance auditors to prove that there were no violations of security policies in the past.
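To make the visibility requirements concrete, here is an added example of my own, not code from the original article, that parses a constructed audit trail and applies three of the checks the paragraph calls for: recording every permission or configuration change, recording privileged users' access to data, and flagging repeated failed access attempts. The log format, the action names MODIFY_ACL and CHANGE_CONFIG, the users and the files are all constructed for the example; a real provider's audit log has its own schema, so ParseEvent is the only part that would need to change.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Event is one parsed audit record; the fields match the constructed log format below.
type Event struct {
	Time, User, Role, Action, Target, Result string
}

// Finding is one item an analyst or compliance auditor should look at.
type Finding struct {
	Kind, User, Detail string // Kind: "privileged-change", "admin-data-access" or "repeated-denials"
}

// SampleLog is a constructed audit trail, not data from any real tenant.
const SampleLog = `
2015-11-03T10:15:01Z user=alice role=user action=READ target=finance/q3.xlsx result=ALLOWED
2015-11-03T10:15:07Z user=bob role=user action=READ target=hr/payroll.xlsx result=DENIED
2015-11-03T10:15:09Z user=bob role=user action=READ target=hr/salaries.csv result=DENIED
2015-11-03T10:15:12Z user=bob role=user action=READ target=hr/reviews.docx result=DENIED
2015-11-03T10:16:30Z user=carol role=admin action=MODIFY_ACL target=hr/payroll.xlsx result=ALLOWED
2015-11-03T10:16:45Z user=carol role=admin action=READ target=hr/payroll.xlsx result=ALLOWED
2015-11-03T10:17:00Z user=dave role=user action=CHANGE_CONFIG target=storage/bucket-policy result=DENIED
`

// ParseEvent reads "key=value" tokens after the timestamp. Malformed tokens and
// records missing user, action or result are rejected rather than guessed at.
func ParseEvent(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("short record: %q", line)
	}
	ev := Event{Time: fields[0]}
	dst := map[string]*string{"user": &ev.User, "role": &ev.Role, "action": &ev.Action, "target": &ev.Target, "result": &ev.Result}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return Event{}, fmt.Errorf("bad token %q in %q", f, line)
		}
		if p, ok := dst[kv[0]]; ok { // unknown keys are ignored
			*p = kv[1]
		}
	}
	if ev.User == "" || ev.Action == "" || ev.Result == "" {
		return Event{}, fmt.Errorf("incomplete record: %q", line)
	}
	return ev, nil
}

// ParseLog parses every non-empty line and fails on the first bad record, so a
// corrupted trail is noticed instead of being analysed with silent gaps.
func ParseLog(text string) ([]Event, error) {
	var evs []Event
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		evs = append(evs, ev)
	}
	return evs, sc.Err()
}

var changeActions = map[string]bool{"MODIFY_ACL": true, "CHANGE_CONFIG": true}

// Analyze applies three rules: every permission or configuration change is
// reported whether or not it succeeded, every allowed admin read of data is
// reported, and a user is flagged once their denied attempts reach denyThreshold.
func Analyze(evs []Event, denyThreshold int) []Finding {
	var out []Finding
	denied := map[string]int{}
	for _, ev := range evs {
		if ev.Result == "DENIED" {
			denied[ev.User]++
			if denied[ev.User] == denyThreshold { // flagged once, in log order
				out = append(out, Finding{"repeated-denials", ev.User, fmt.Sprintf("%d denied attempts", denyThreshold)})
			}
		}
		if changeActions[ev.Action] {
			out = append(out, Finding{"privileged-change", ev.User,
				fmt.Sprintf("%s %s on %s (%s)", ev.Time, ev.Action, ev.Target, ev.Result)})
		}
		if ev.Role == "admin" && ev.Action == "READ" && ev.Result == "ALLOWED" {
			out = append(out, Finding{"admin-data-access", ev.User, fmt.Sprintf("%s read %s", ev.Time, ev.Target)})
		}
	}
	return out
}
```

Running Analyze over the sample with a threshold of 3 yields four findings: bob's three denied reads of HR files, carol's ACL change, carol's subsequent read of the payroll file as an admin, and dave's denied attempt to change a storage policy. Note that denied change attempts are reported as well as successful ones, because a failed attempt to alter permissions is exactly what an auditor asks about, and that the records are parsed strictly rather than skipped on error: an audit trail you cannot fully parse is an audit trail with a hole in it.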
Question 6: Do you know who shares what files and with whom?
Organizations must protect their data not only from outsiders but also from their own employees. One of the most significant threats posed by insiders is malicious or unintentional file sharing. Accordingly, organizations must be able to track effective permissions and spot both overexposed data and users with excessive privileges. However, keep in mind that it’s essential to strike the right balance between data protection and data access, lest users try to circumvent your security by finding more convenient ways to share files.
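The same effective-permissions check serves Question 3 (least privilege) and Question 6 (file sharing). The following added example, again mine and not from the original article, expands group membership and "anyone with the link" shares into the users who can actually reach each resource, then reports sensitive data that is public or too widely reachable, and users who can reach more sensitive resources than their role should need. The tenant data, group names, file names and thresholds are constructed; the "public" principal and the "*anyone*" pseudo-user are my own modelling choices.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Grant gives one principal access to one resource; Principal is a user name, "group:<name>", or "public".
type Grant struct {
	Resource, Principal string
}

// Model is the input; in a real tenant it comes from the provider's identity and sharing APIs.
type Model struct {
	Users     []string
	Groups    map[string][]string // group name -> members
	Grants    []Grant
	Sensitive map[string]bool // resource -> classified as sensitive
}

const anyone = "*anyone*" // pseudo-user standing in for the unauthenticated public

// EffectiveAccess expands group and public grants into the set of users who can
// actually reach each resource; the direct ACL entries alone would miss most of them.
func (m Model) EffectiveAccess() map[string]map[string]bool {
	acc := map[string]map[string]bool{}
	add := func(res, user string) {
		if acc[res] == nil {
			acc[res] = map[string]bool{}
		}
		acc[res][user] = true
	}
	for _, g := range m.Grants {
		switch {
		case g.Principal == "public":
			add(g.Resource, anyone)
			for _, u := range m.Users {
				add(g.Resource, u)
			}
		case strings.HasPrefix(g.Principal, "group:"):
			for _, u := range m.Groups[strings.TrimPrefix(g.Principal, "group:")] {
				add(g.Resource, u)
			}
		default:
			add(g.Resource, g.Principal)
		}
	}
	return acc
}

// Review returns sensitive resources that are public or reachable by more than maxUsers
// users (resource -> reason), and the sorted users who reach more than maxSensitive sensitive resources.
func (m Model) Review(maxUsers, maxSensitive int) (overexposed map[string]string, excessive []string) {
	overexposed = map[string]string{}
	count := map[string]int{}
	for res, users := range m.EffectiveAccess() {
		if !m.Sensitive[res] {
			continue
		}
		for u := range users {
			if u != anyone {
				count[u]++
			}
		}
		switch {
		case users[anyone]:
			overexposed[res] = "shared with anyone (public link)"
		case len(users) > maxUsers:
			overexposed[res] = fmt.Sprintf("reachable by %d users", len(users))
		}
	}
	for u, n := range count {
		if n > maxSensitive {
			excessive = append(excessive, u)
		}
	}
	sort.Strings(excessive)
	return overexposed, excessive
}

// SampleModel is a constructed tenant, not real data.
func SampleModel() Model {
	all := []string{"alice", "bob", "carol", "dave", "erin"}
	return Model{
		Users:  all,
		Groups: map[string][]string{"hr": {"alice", "bob"}, "finance": {"carol", "dave"}, "everyone": all},
		Grants: []Grant{
			{"hr/payroll.xlsx", "group:hr"},
			{"finance/q3.xlsx", "group:finance"},
			{"finance/q3.xlsx", "group:everyone"}, // overshared with the whole company
			{"finance/forecast.xlsx", "group:finance"},
			{"finance/forecast.xlsx", "bob"},   // HR user granted finance data directly
			{"marketing/plan.pptx", "public"},  // public, but not sensitive
			{"hr/offer-letter.docx", "public"}, // public and sensitive
		},
		Sensitive: map[string]bool{"hr/payroll.xlsx": true, "finance/q3.xlsx": true, "finance/forecast.xlsx": true, "hr/offer-letter.docx": true},
	}
}
```

With SampleModel().Review(3, 3) the report names finance/q3.xlsx (reachable by all five users through the "everyone" group) and hr/offer-letter.docx (a public link) as overexposed, and bob as the one user with excessive privileges, because the direct grant on the finance forecast gives an HR user four sensitive resources. The public marketing deck is not reported, which is the balance the paragraph asks for: the goal is to find sensitive data that is overshared, not to block sharing as such. Lowering the per-user limit to 2 flags four of the five users, a useful reminder that one overshared file inflates everyone's effective privileges.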
Concerns about data integrity and confidentiality are among the main reasons why organizations are reluctant to use cloud services, according to the Netwrix survey, and these concerns are well justified. Cloud technologies offer great opportunities for companies, but it is essential to do your homework. Thoroughly research the provider's policies, tools, contract and controls, and review your own security and compliance requirements and data governance practices against them. Above all, make sure you will have complete visibility into what is happening across the entire cloud environment. Only then can you move to the cloud with confidence.