When it comes to data security in the cloud, what keeps Robert Sullivan up at night? “Everything, all day,” Agero’s CISO said with a smile.
Based in Medford, Massachusetts, Agero is a white-label service for drivers that coordinates activities ranging from roadside assistance to accident management. Its B2B partners include insurance and auto giants. “Not only do we not want people to come in and steal data, but it’s going to be a difficult discussion to have with customers and all other customers to understand exactly how a customer data breach happened,” said Sullivan, also Agero’s vice president of technology shared services. “My biggest concern is that we somehow exposed our customers’ data and didn’t do our part to protect it.”
By developing a security plan and taking sensible precautions, organizations can greatly reduce the chances of their data falling into the wrong hands. Becoming data smart means asking the right questions of potential cloud providers, but also sharing responsibility for potential breaches.
For companies, cloud security appears to be a top priority. In Deloitte’s recent U.S. Future Cloud Strategy Survey Report, 91% of the 500 organizations surveyed said they have updated their business and operational strategies to address cloud security, risk and controls. At the same time, 83% of respondents said their cloud investments are delivering positive results in reducing business and regulatory risk.
How do cloud providers protect customer data? “Historically, they’ve done very, very well,” said Daniel Schiappa, chief product officer at Arctic Wolf Networks, an Amazon Web Services (AWS) partner cybersecurity firm.
That includes separating data from different clients, Schiappa added, whose Eden Prairie, Minnesota-based firm’s clients include Agero. “I’ve been building solutions in AWS for decades, and I’ve never had an issue where my data, or any data from my solution, appears in someone else’s environment, or vice versa.”
But companies must remember that data security is a responsibility shared with their cloud providers, not handed off to them. “Sometimes you hear it’s a shared destiny,” said Ryan Orsi, head of security for AWS Global Cloud Foundation Partners.
Orsi explained that while the vendor is responsible for the host operating system, the virtualization layer, and whatever devices and buildings the cloud resides in, the so-called security “in” the cloud belongs to the customer. “From the moment they build an application, from the moment they upload a piece of data to the cloud, they’re responsible for it.”
According to Dan Mellen, Accenture’s global cloud and infrastructure cybersecurity lead, cloud providers give you many of the mechanisms you need to protect your data. “But what I’ve found, and what I’ve seen with most customers, is that they don’t always understand the capabilities that can be used to protect this data,” Mellen observes. At the same time, different lines of business may push data without any standardization, he said. “Part of that is a governance issue from a data and cloud usage perspective.”
More and more cybercriminals are stealing data in simple ways. “One of the biggest threats we see in the industry today is that hackers are doing less to exploit sophisticated vulnerabilities and more to use people and access to cloud services to access this data,” said Tyler Healy, a vice president at DigitalOcean, a New York-based cloud infrastructure provider. These weaknesses might include not enabling two-factor authentication or making access too broad.
This year’s Uber hack is a case in point. “It really comes down to 2FA fatigue,” Healy said. “So someone has access to account credentials, which is two-factor authentication, which is a push notification to your phone.”
As a customer, you must determine your own data security policy, Schiappa said. “The provider will do what the platform is supposed to do, but you also have to do what you think is right for your data.” It all starts with a plan: “Once you come up with that data plan, you can look at various cloud providers and make sure they [meet] your requirements.”
Sullivan warns that if you use infrastructure as a service (IaaS) — a cloud structure that lets you do things like build your own servers — expect more security work than with software as a service (SaaS). “It’s an even bigger boost for customers because you have to understand what you’re doing: How does that affect the security of the platform?” he said. “So there’s a lot that cloud providers can do to make sure you’re safe in their cloud environment. That doesn’t mean you’ll be safe in their cloud environment.”
Along with customers, Agero developed a checklist that includes details such as whether multi-factor authentication is enabled and whether all data is encrypted at rest and in transit, Sullivan said. “Over time, as you learn about your risks and what you’re doing in that space, the data that’s going back and forth, your concerns, you’ll be refining this data checklist.”
What is the hallmark of a reliable cloud provider from a data security standpoint? Orsi recommends looking at its native capabilities in four key areas: encryption, key management, identity and access control. “Then also look at how their partner ecosystem extends those capabilities,” he said. “Partners, these software companies and these system integrators — they can help customers adopt best practices faster.”
Sullivan recommends checking the provider’s certification. “Do they have ISO certification? Do they have NIST certification?” he said, referring to the International Organization for Standardization and the National Institute of Standards and Technology. “Not only do they comply with the standard, but there is also a third-party audit involved.”
It’s also worth weighing their commitment to privacy regimes like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), Healy said. “Companies that go above and beyond demonstrate this by communicating about how they handle customer data, putting customer privacy first.”
What are the red flags?
For customers, Orsi insists, it’s an easy question. “If they feel like they can’t be 100 percent sure where all their data is and whether there is personally identifiable information in those locations…that’s a red flag,” he said. “There are many different reasons and situations in which personally identifiable information can end up in the wrong data location and jeopardize their compliance status with regulations.”
Likewise, you should know where cloud providers stand on data sovereignty, Schiappa said. “If you’re a multinational company and you’re working globally and you’re going to be doing business in certain regions, do they have data sovereignty issues?” he asks. “Does your cloud provider have an instance in that region, so you can actually keep the data locally?”
Healy noted that anyone concerned about how suppliers share data can look to their data processing agreements. “Companies should communicate to customers who their downstream suppliers are,” he said. “If they lack that space, I’d say it’s probably something you don’t trust your data with.”
In addition to keeping an eye on who might be sharing and monetizing their customer information, Healy recommends that companies collect as little data as possible themselves. “I think that should always be the default baseline.”
Data hygiene with varying standards is another potential sticking point. For example, the AWS Management Console now flags publicly accessible or unencrypted buckets regardless of data type, Mellen explained. “These capabilities are examples of hyperscalers taking aggressive steps,” he said. “If you’re buying a vendor and you don’t see those capabilities, that vendor probably doesn’t care as much about data security.”
Mellen prefers to have an in-house team to handle data security. “It’s unique enough, big enough, important enough,” he said. “I’ve even seen large global organizations have localized data security teams.”
For companies that lack in-house expertise, Schiappa recommends getting outside help to develop a data security plan before choosing a vendor. “That’s going to drive a lot of the requirements you have in choosing the right platform provider and how to roll these things out,” he said. “You don’t want to start figuring this out after the fact.”
Going forward, Orsi sees cyber resilience playing a key role. “When a potential security incident occurs that disrupts access to data or the application itself, the architectural design and the design resiliency of the application are tested,” he said, citing ransomware attacks. “Whether it’s in the cloud or on-premises, or really anywhere, I think companies should be looking at the investment space.”
Sullivan marks Cloud Security Posture Management (CSPM) as an emerging service. “These are premium games where solutions — some of them are multiple clouds, so they can do this to any player that exists — they’re going to go out and ask all of your configurations, look for bugs,” he said. “And look to make sure it meets your baseline as well.” In addition to identifying security holes, CSPM tools are learning to fix them.
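The checklist Sullivan describes (MFA on, data encrypted at rest and in transit), the console flags Mellen mentions for public or unencrypted buckets, and the CSPM loop of pulling configurations and comparing them to a baseline all reduce to the same mechanism: a set of checks run over a posture snapshot. The following is an added illustration written for this article, not code from Agero, AWS, Arctic Wolf, Accenture or any CSPM product; the snapshot format, the field names such as `public_access_blocked` and `tls_required`, and the sample values are all constructed for the example.

```python
"""Minimal CSPM-style baseline check over a constructed posture snapshot."""
from dataclasses import dataclass

# Constructed sample snapshot; the field names are assumptions for this
# illustration, not the schema of any real provider API or CSPM product.
SAMPLE_SNAPSHOT = {
    "account": {"id": "acct-example", "root_mfa_enabled": False},
    "buckets": [
        {
            "name": "customer-claims",       # would hold customer PII
            "public_access_blocked": False,  # reachable without credentials
            "encryption_at_rest": None,      # no default encryption configured
            "tls_required": False,           # nothing denies plain-HTTP access
        },
        {
            "name": "telemetry-archive",
            "public_access_blocked": True,
            "encryption_at_rest": "aes256",
            "tls_required": True,
        },
    ],
}


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    severity: str
    remediation: str


def check_account(account: dict) -> list[Finding]:
    """Account-level baseline: privileged identities must have MFA."""
    findings = []
    if not account.get("root_mfa_enabled", False):
        findings.append(Finding(f"account/{account['id']}", "mfa-enabled", "high",
                                "Enable MFA for the root/privileged identity"))
    return findings


def check_bucket(bucket: dict) -> list[Finding]:
    """Bucket-level baseline: not public, encrypted at rest, TLS in transit."""
    name = bucket["name"]
    findings = []
    if not bucket.get("public_access_blocked", False):
        findings.append(Finding(f"bucket/{name}", "public-access-blocked", "critical",
                                "Turn on the block-public-access setting"))
    if not bucket.get("encryption_at_rest"):
        findings.append(Finding(f"bucket/{name}", "encryption-at-rest", "high",
                                "Configure default server-side encryption"))
    if not bucket.get("tls_required", False):
        findings.append(Finding(f"bucket/{name}", "encryption-in-transit", "medium",
                                "Attach a policy that denies non-TLS requests"))
    return findings


def evaluate(snapshot: dict) -> list[Finding]:
    """Run every check over the snapshot and collect the deviations."""
    findings = check_account(snapshot["account"])
    for bucket in snapshot.get("buckets", []):
        findings.extend(check_bucket(bucket))
    return findings


def passes_baseline(snapshot: dict) -> bool:
    """True only when no check produced a finding."""
    return not evaluate(snapshot)


def remediation_plan(findings: list[Finding]) -> list[str]:
    """Order findings by severity so the worst gaps are fixed first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    return [f"[{f.severity}] {f.resource}: {f.remediation}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    for line in remediation_plan(evaluate(SAMPLE_SNAPSHOT)):
        print(line)
```

Each check is deliberately a pure function of the snapshot, so the same code can score a configuration before it is deployed (policy-as-code in a pipeline) and again on a schedule against what is actually running, which is the “verify it meets your baseline” step the quote describes; a real CSPM would populate the snapshot from the provider’s configuration APIs and carry many more checks, but the shape does not change.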
Another technology gaining traction, Schiappa said, is customers storing data with cloud providers using encryption keys they hold themselves. “Platforms have to be able to read that data, so they’re going to have an ephemeral key for that transaction, and that key is going to be shredded.” For anyone who reaches your data but not that key, Schiappa said, it’s like breaking into a jewelry store and not being able to steal anything.
“The last part of this transition to the cloud has yet to transition from traditional IT security to encryption,” he added. “That’s going to be a more critical factor.”
Healy predicts that consumers’ ability to manage their own data in the cloud will continue to grow. “If you sign up with a reputable cloud provider, or, really, any software provider that uses cloud services, you should be able to say, ‘Please completely forget me; please forget all the data I store in your cloud,’ and it should be completely erased.”
Healy believes that people should also have the ability to track where their data is stored, a practice he says is not yet the norm and may take some time to become one. “But I think the more trusted cloud providers should be able to offer that, essentially to give their customers peace of mind and to give their customers a good privacy stance as a differentiator.”