This is a contributed piece from Thomas Fischer, global security advocate at Digital Guardian
When organizations decide to move their data to the cloud, many assume that the responsibility for securing that data moves with it, to the cloud provider. On the surface, this assumption isn’t entirely unreasonable. After all, by transferring sensitive information into a third-party environment, a certain degree of control over where it’s stored and how it’s protected is lost. However, in reality this isn’t the case.
For example, Amazon Web Services (AWS) is one of the leading providers of on-demand cloud services, with more than a million customers worldwide. When it comes to data security, AWS, like most providers, operates a Shared Security Responsibility model. This means that it secures certain layers of infrastructure and software, but the customer is ultimately responsible for how data is used and accessed.
Unlike on-site systems, which have a hierarchical structure and a perimeter network that scrubs and analyses data being transmitted, AWS makes it possible for every instance to communicate with the internet in the event of a misconfiguration or insufficient security settings. This exposed application structure requires companies to strengthen existing security controls. This includes continuously updating security configurations with sufficient and dynamic patching, strong firewall configurations, proper network security implementations and – most importantly – monitoring of the AWS security settings.
Unfortunately, despite providers like AWS publishing ample information about best practices for cloud security, the volume of AWS-related data leaks continues to grow. The main culprit? Human error on the customer’s end. In fact, Gartner predicts that, by 2020, 95% of cloud security incidents will be the customer’s fault.
In the last few months alone, high-profile AWS customers like World Wrestling Entertainment (WWE) and Verizon have exposed the personal information of millions of customers by accidentally misconfiguring their Amazon S3 cloud repositories. These incidents are not anomalies. Four years ago, security firm Rapid7 highlighted the problem in a survey of over 12,000 Amazon S3 buckets. This research found that almost one in six were left accessible to the public, exposing more than 126 billion files – many of which contained sensitive information.
Despite this growing volume of high-profile data exposures, the popularity of cloud services shows no sign of slowing down, and it’s easy to see why. The efficiencies and cost savings these services offer can’t be ignored. Not only do they make it incredibly easy to spin up new applications and storage instances, they allow organizations to be flexible with their processing power and storage needs. So, as cloud popularity continues to grow, what can be done to make sure data stored in it remains secure?
Many suggest that companies such as AWS can help by making their security services more user-friendly. A recent analysis by security firm Detectify found that AWS tools for assigning access permissions to S3 buckets and their contents are awkward and complex – especially at scale. When the difference between providing full control over a bucket and read-only access is the choice of one drop-down menu over another, it’s unsurprising that mistakes are commonplace.
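One way to catch exactly the kind of ACL slip described above is to audit bucket ACLs for grants to the public groups rather than relying on the console. The script below is an added example, not code from the article or from AWS; it assumes ACL dictionaries in the shape that boto3's s3.get_bucket_acl(Bucket=...) returns, and the bucket names and ACLs in it are constructed sample data so it runs offline.

```python
# Added example (not from the article or AWS): audit S3 bucket ACLs for grants
# that make a bucket readable or writable by the public. The ACL dicts follow
# the shape boto3's s3.get_bucket_acl(Bucket=...) returns; the samples below
# are constructed so the script runs offline.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTH_USERS: "any AWS account"}

# Severity by permission: anyone who can write or change the ACL effectively
# owns the bucket; READ lists and downloads objects; READ_ACP exposes the ACL.
SEVERITY = {"FULL_CONTROL": "critical", "WRITE": "critical",
            "WRITE_ACP": "critical", "READ": "high", "READ_ACP": "medium"}

def public_grants(acl):
    """Return (audience, permission, severity) for each grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":   # canonical users / emails are specific principals
            continue
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if audience is None:                 # other groups (e.g. LogDelivery) are not public
            continue
        perm = grant["Permission"]
        findings.append((audience, perm, SEVERITY.get(perm, "unknown")))
    return findings

def audit(buckets):
    """Map bucket name -> public grants; only buckets with findings are returned."""
    return {name: f for name, acl in buckets.items() if (f := public_grants(acl))}

# Constructed sample ACLs (not real accounts): an owner-only bucket, one readable
# by everyone, and one that hands full control to any authenticated AWS user.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}
SAMPLE_BUCKETS = {
    "private-backups": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
    "customer-exports": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "shared-uploads": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        for audience, perm, sev in findings:
            print(f"{sev.upper():8} {name}: {perm} granted to {audience}")
```

ACLs are only one route to public exposure; a real audit also has to check bucket policies and the account's Block Public Access settings.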
Regardless, any organization with sensitive data in the cloud must shoulder the primary responsibility for data security, which comes down to two key areas: administration maintenance and security processes.
For administrators, knowledge is power. The more training that organizations can provide their cloud administrators, the more empowered they become. Many cloud providers offer a variety of training courses that can help administrators get the most out of the tools at their disposal.
From a security processes perspective, there are a multitude of software solutions available that can tighten up cloud security processes, but knowing which one to choose can be tricky. Below are some of the key factors to look for in an effective cloud security solution:
Visibility and control: Ideally, a security solution will provide the visibility necessary for identifying sensitive data in the cloud and then implement automated, immediate responses to keep the organization in compliance with all applicable local legislation.
Unified cloud and on-premises security: Some cloud security solutions work in tandem with on-premises data protection solutions, allowing for more comprehensive security and consistent policies. By simplifying policy management, organizations will cut down on costs and eliminate policy gaps that can lead to vulnerabilities.
Context, system, and user awareness: This allows for more effective identification and blocking of suspicious behaviour, protecting data without interrupting the flow of operations.
Detailed logging and reporting: Detailed logging and reporting allows organizations to identify patterns and trends, and adjust data protection programs accordingly.
When it comes to data security in the cloud, ignorance isn’t bliss. While leading providers have helped to lower the risks associated with cloud services, it’s clear they still have some way to go. However, the responsibility for protecting sensitive data ultimately lies with the cloud user. Properly training cloud administrators and implementing effective security processes is the best way to stay out of the cloud security blame game. These practices ensure that security is maintained, compliance is met and sensitive data remains where it should.