Key risks for enterprises committing sensitive data to the cloud

Economic benefits of migrating enterprise IT environments to services providers are starting to outweigh the security concerns hovering over cloud computing. Until recently, organizations have hesitated to store sensitive customer information off-premise.

New research, however, suggests this may be about to change. Major organizations like the National Health Service (NHS) in the UK are further evidence that cloud services are being used more widely.

Yet the risks of pursuing a cloud strategy remain very tangible. Time Warner, Uber, Accenture and Fedex have all experienced high profile data breaches.

To facilitate the secure transfer and storage of sensitive data in the cloud, companies should consider deploying virtual private networks (VPNs) at every on-premise, hybrid and cloud Internet connection point.

More sensitive data in the cloud

More and more organizations are considering committing sensitive customer data to the cloud.

According to the 2018 Thales Data Threat Report, Federal Government Edition, squeezed budgets are forcing U.S. federal agencies to explore cloud services. Just under half (45%) of respondents claim their agency has five or more cloud service providers.

Elsewhere the UK’s largest health provider, the NHS, has officially been permission to offshore more of its patient data to Privacy Shield-approved cloud providers. Guidelines for the NHS and other providers of social care insist executives should conduct their own risk assessments for offshoring and implement appropriate risk mitigation measures before they outsource any data storage to the cloud.

Customer cloud encryption lags behind

In general, Cloud services providers (CSPs) are trusted with cloud data because they put rigorous security at the heart of their business models.

Yet, even the best-managed cloud environment is not totally immune from security failures – especially if the customer fails to properly secure the cloud resources that they are using.

In a 2017 Cloud Security Report from Crowd Research Partners a third of respondents (33%) named security risks as one of the biggest reasons why cloud was not more widely adopted in their organization.

These findings are echoed by recent research into federal agency cloud adoption. In this survey, 78% data-in-motion and 77% data-at-rest encryption as the most effective tools for protecting data. Yet only 23% had implemented encryption in the cloud.

This issue is shared by government agencies and enterprises alike. Legacy systems, internal politics and squeezed IT budgets can sometimes stand in the way of improving system security to a level that completely eliminates the risk of data breaches and successful cyber attacks.

Cloud data breaches

Cloud data breaches are mercifully rare – but when they do occur they make the headlines, helping to perpetuate uncertainty about the technology.

In 2017, cloud breaches at Accenture and Time Warner occured when IT administrators/contractors misconfigured permissions to data on Amazon Web Services (AWS) S3 systems - accidentally allowing public access. Most recently 119,000 personal documents were exposed at Fedex following an AWS S3 server internal admin error.

Elsewhere, Uber suffered public humiliation when it tried to cover up a hack resulting from a leaked cloud services password.  

Data breaches like these happen for three main reasons. First, as more company sensitive data is entrusted to cloud services the IT departments have less control over it – as illustrated by the Time Warner breach where outside contractors caused the breach.

Second, the decision to use cloud services is not always taken by IT security practitioners. This leads on to the third reason – namely that IT departments are not necessarily in charge of all corporate IT spending.

Encryption in the cloud

Breaches like these underline the importance of having the right security measures in place. Most IT security practitioners agree that encryption should play a key role. 

Currently, only two-fifths of data in the cloud is secured with encryption and key management.

According to 77% of more than 3,500 respondents interviewed for the 2018 Global Cloud Data Security Study from the Ponemon Institute the ability to encrypt or tokenize sensitive or confidential data is important while 91% expect it to grow in importance over the next two years, up from 86% in 2017.

As organizations extend their use of public cloud surfaces, the authentication and management components are moving from inside the corporate network to the cloud. One of the most secure ways to manage the transfer and storage of sensitive data in the cloud is with VPNs.

In summary, the benefits of cloud applications including flexibility, scalability and lower running costs are well understood and most enterprises already have some element of cloud within their IT environment.

The more organizations move sensitive and high-value data to the cloud, the more cloud services will become attractive to hackers. Organisations therefore need to keep track of where their secrets are and apply proper security, with encryption as a foundational element.

Implementing VPN connectivity at every on-premise, hybrid and cloud Internet contact point significantly reduces the risks for any employee interacting with sensitive corporate data no matter what type of device they use.