Companies don’t know how to secure their data in the cloud

Companies are moving to cloud, but most don't know how to secure it.
19 April 2018

Could Tesla’s market entry help India ‘go green’? Source: Reuters/Thomas Peter

Earlier this year, Tesla’s cloud was hacked. Instead of stealing information, hackers stole computer resources to mine for cryptocurrency. According to the security firm RedLock, Tesla was running an open-source system that was accessible online without password protection. The exposure allowed hackers to access Tesla’s cloud environment hosted on Amazon.

This is one of the latest trends in cyber threats that businesses face, especially those in the cloud. Oracle recently published a report in partnership with KPMG, which noted that companies are increasingly more comfortable with cloud computing.

The report shows a promising increase in cloud adoption, with 85 percent of those surveyed saying they have moved to cloud. Worryingly, while cloud adoption has increased, so has doubts about how to secure a cloud environment. 83 percent of respondents identified security in the cloud to be better than on-premise; however, only a meager 14 percent of the companies can effectively analyze the security capabilities.

This is especially concerning, as more than half of them have sensitive data in the cloud.

The report attributed this disparity to the lack of visibility across their data center and endpoint. This is alarming, as many attacks start from the endpoint, such as mobile devices or PCs, and move laterally across into data centers, infecting the entire system. Visibility across the entire network is crucial, so that organizations can identify weaknesses in their defenses and make necessary changes.

There’s also much confusion to who is responsible for the security at different instances throughout the network. Less than half of them were able to identify correctly the responsibilities of cloud service providers (CSPs) and customers. As a general rule, the customer is responsible for data security and user access and identity management. Although, areas of responsibility vary between CSPs, and customers should always discuss with CSPs for clarification.

Who is responsible for security? Source: Oracle

Technology and regulations on its own are not enough to prevent malicious attacks. Nearly all the companies have defined cloud-approval policies, but a whopping 82 percent of them are concerned that staff are ignoring said policies. People and processes need to be the focus for mitigating risks.

Processes: effective risk and compliance policies and processes must be in place. They serve as a guide to guard against known risks and threats. Operational and business processes should adhere to these policies. Regular reviews of these processes are also important, to ensure it’s up to date to the current threat landscape (eg. rise of cryptojacking this year), as well as to any relevant industry requirements or government policies.

Technology (CSP): Companies have an obligation to fully understand what exactly are the service agreements from a CSP. Customers should have in place measures to assess security provisions by the CSP for cloud applications, as well as the security controls on physical infrastructure and facilities of the CSP. Evaluation of network and connections are also essential, to ensure sensitive networks are not linked to publically accessible environments.

Technology (Customer due diligence): As mentioned, generally the customer is responsible for user access and identity management. Companies will have to manage the roles and identities of each user, ensuring the right people have the right level of access. Companies are also responsible for data security. This includes unauthorized disclosure or modification of data, loss of data, or archival of data.

People: Regardless of how robust your IT and security is, human errors such as falling for a phishing attack, is debilitating to a company’s operations. It is important to enforce privacy policies, to prevent any data leaks, whether intentional or accidental. Regular updates and training should also be carried out to raise awareness about new attacks, as well as best practices in dealing with cloud data.

Bonus: It is also good to think about exit processes. If companies decided to move data out of the CSP’s infrastructure, whether to host on their own datacentre, a private cloud or to migrate to an alternative CSP, data should be handled correctly. It is key to ensure data migration processes are smooth, without loss or breach of data. CSPs must also ensure all copies of the data has been permanently wiped off their systems.

Ensuring a secure cloud environment relies on the technology, the processes, and the cooperation of people. Cloud is beneficial in multiple ways; it can be a huge cost saving tool, as well as making business operations much more effective. Following best practices is therefore critical for businesses to get the most benefits out of cloud.