How to mitigate the privacy risk to cloud-stored data

Large-scale cloud deployment brings huge advantages, if the risks are correctly managed.
12 August 2019

Google Cloud Next 18 session billboard in San Francisco. Source: Shutterstock

The cloud offers a multitude of advantages, however as with any large-scale deployment, it can also provide unforeseen challenges. 

The concept of the cloud being “someone else’s data centre” has long irked security pros– it reinforces the notion that security responsibility is someone else’s problem.

It is true, cloud systems, networks and applications are not physically located within a company’s environment. Cloud infrastructure providers manage how the environment is set up and monitored, as well as what is put into it and how data is protected.

But ongoing security responsibility and risk mitigation certainly falls squarely with the customer and what is most important is how risk is managed to provide alignment with the existing security framework.

Cloud security privacy risks

GDPR and its ‘sister’ policies in the US (as seen with Arizona, Colorado and California) have meant organizations are being faced with new requirements for protecting data in the cloud. 

While it used to be as simple as deploying Data Loss Prevention (DLP) in a data center, nowadays, due to data center fragmentation, this is no longer viable. There are now services, systems and infrastructure that are no longer owned by the organization, but still require visibility and control.

Managing cloud services and infrastructures that share or exchange information can also become difficult to manage. For example, who owns the SLAs? Is there a single pane of glass that monitors everything? 

DevOps has forced corporations to go as far as implementing micro-segmentation and adjusting processes around firewall rule change management. Additionally, serverless computing has provided organisations with a means by which they can cut costs and speed productivity by allowing developers to run code without having to worry about platforms and infrastructure. 

Yet, without a firm handle on virtual private clouds and workload deployments, things can quickly spin out of control and data can begin leaking from one environment just as a comfortable level of security is achieved in another.

Mitigating risk in the cloud

Several steps can be taken to help mitigate risk to an organization’s data in the cloud.

# 1 | Design to align

First and foremost, organizations must align cloud environments with cybersecurity frameworks. Quite often, organizations move to the cloud so rapidly that the security controls historically applied to their on-premise data centres – which have evolved and hardened over time – do not migrate effectively or even map directly to the cloud. Organizations may also relax the security microscope on certain legitimate business SaaS applications. However, without the right visibility and control, data may end up being leaked. Aligning cloud provider technology with cybersecurity frameworks and business operating procedures provides for a highly secure, optimized and more productive implementation of a cloud platform, giving better results and a successful deployment. Being able to do this while implementing the cloud technology can assist in demonstrating measurable security improvement to the business by providing a ‘before and after implementation’ picture.

# 2 | Make yourself at home

Cloud systems should be treated the same way you would treat your Local Area Network (LAN) and Data Centre. For example, Amazon’s Shared Responsibility Model outlines where Amazon’s security responsibility ends and its customers’ responsibilities begin. While threats at the compute layer exist, as can be seen with Meltdown, Foreshadow and Spectre, recent cloud data breaches have shown a breakdown in an organization’s security responsibility area – namely operating system security, data encryption and access control. If an organization has standards that govern the configuration of servers, vulnerability management, patching, IAM, encryption, segmentation, firewall rules, application development and monitoring, see to it that those standards are applied to cloud services and are audited regularly. Routine assessment of cloud infrastructure architectures by a third party can be performed just as effectively as a review of LAN and Wide Area Network (WAN) for best security practices.

# 3 | Stop the “sneaking out at night” 

Not long ago, employees could be seen setting up unsecured wireless access points in an attempt to gain more flexibility and efficiency with their every-day jobs, much to the disgruntlement of their employers. Fast forward to today, wireless controllers providing rogue detection and Internet Provider Security (IPS) capabilities have helped to reign in that type of activity. With the cloud, employees are setting up cloud storage accounts, serverless computing environments and virtual private networks as needed to circumvent lengthy and cumbersome change control procedures, cut costs and gain similar flexibility and efficiency. By rearchitecting legacy networks, re-adjusting decades old processes and procedures, implementing cloud proxy or CASB technology, coupling that with strong endpoint security controls and an effective awareness campaign, organisations can provide that level of flexibility and efficiency but still provide for data protection.

# 4 | Keep a close watch 

The Cybersecurity Operations Center (SOC) should no longer be concerned with just the local network and data centres. The operational monitoring procedures, threat hunting, intelligence and incident response that the SOC use also apply to cloud environments where the organization’s data resides. Shifting from a culture of “do whatever it takes to get the job done” to “do what is right for the business” takes a coordinated effort and time. It is also deeply rooted in the mentality that security has to become a business enabler rather than continuing to be in the business of ‘no’. 

Above all, organizations need to include security in technology decisions if security is to continue to protect the business. And, security teams must understand the needs of the business and changes in technology in order to be that all-important enabler. In order to help to prevent people from seeking their own solutions to technology problems, IT and security teams must evolve their assets and functions in order to accommodate speed and convenience, or else constantly find themselves trying to keep up.

This article was contributed by Derrick Johnson, National Practice Director for Secure Infrastructure Services at AT&T Cybersecurity.