Increasingly, companies are moving their data and processing to cloud services. It’s easy for this out-of-sight data to be out of mind when it comes to security, but if anything, it should be top of mind because it's even more exposed than is on-premises data. With regulators issuing record fines for privacy violations, developers need to make sure they secure their data in the cloud.
Fines for privacy violations will only increase in 2020. In 2019, after one year of General Data Protection Regulation (GDPR) enforcement in the European Union, there were over 59,000 personal data breach notifications across Europe, along with 91 reported fines. France’s National Data Protection Commission fined Google $57 million for improper processing of personal data for advertising purposes. With more violations occurring with respect to data stored in the cloud, data owners, developers, and CISOs need to focus on cloud data security.
In July, the Information Commissioner’s Office of the United Kingdom announced that a large European airline would be fined 1.5% of its 2017 revenue, or $230 million, for allowing attackers to modify its website, scraping personal and financial details using a malicious JavaScript component.
“While we can never know how much reach the attackers had on the airline’s servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” stated a RiskQ analysis of the issue.
Such data breach fines are only increasing. The EU’s GDPR allows fines of up to 4% of revenue per violation. California Consumer Privacy Act (CCPA) fines companies that fail to protect their users’ data can be fined up to $2,500 per violation—and $7,500 per willful violation—per individual whose data was breached. And fines under the Payment Card Industry Data Security Standard (PCI DSS) will likely rise as well.
Traditionally, having data stored locally meant attackers had to compromise the corporate network before gaining access. While the past reminds us that this has occurred all too often, at least that network was under local control and monitoring. Services on demand allow attackers to access sensitive data if they can bypass cloud access security—which is typically under the control of the cloud provider, and opaque to the enterprise.
The upside of the cloud is flexibility. The downside is that data security must be part of the equation from the start. Here are three recommendations for security and development teams.
1. Know your responsibilities in the cloud
Using cloud services does not mean that the cloud provider will take responsibility for your data; you share responsibility with the provider. Under this shared responsibility model, cloud providers ensure that the hardware and software services they offer are secure, and you're responsible for the security of your data assets.
Fulfilling your responsibilities can be more difficult with cloud services. While cloud providers offer better security, they also provide clients with less insight into the security of their systems, so you often lose visibility when you hand over infrastructure operations.
Security and DevOps teams need to know exactly what their responsibilities are when developing and hosting applications built on top of cloud infrastructure.
2. Understand your data and security
Not only developers, but also data owners and security functions need to understand the types of data they are collecting and the requirements for its storage.
One example of this is collecting data from users in nations that require the data to be stored in the same locale. All Russian users’ data must stay in that country; health data on Australian citizens must be stored in data centers in Australia; China, Germany, Turkey, Belgium, Brazil, and South Korea have also enacted “must stay” regulations for data. Such regulations do not preclude companies from using cloud infrastructure, but IT leaders and developers must understand these requirements and be careful where they spin up their cloud servers.
Another example is creation of the secrets used to protect the data—from API keys to encryption keys to passwords for cloud resources. These keys should be managed in-house or on different cloud services, and not by the same cloud provider used to host the infrastructure and data.
3. Apply data-centric security on each field
The cloud provider has some level of access to your data. This presents different security problems than you'd see with local infrastructure. With on-premises servers and software, your main worries are availability and insider threats. With cloud infrastructure providers, the provider or by a third party might access the data—with little opportunity for you to detect it.
Applying per-field format-preserving data protection can dramatically limit the impact of insider threats, whether from employees or rogue cloud administrators. Format-preserving encryption and tokenization protect the information while, in many cases, still allowing normal functionality—such as searches—to occur without ever requiring clear text.
Cloud data safety is doable
As enterprises move to the cloud, security risks to sensitive and regulated data increase. However, cloud security issues are often not well understood by developers. By understanding their responsibilities, knowing what data is being collected, and applying security to the data—not just the system—you'll be assured that your data in the cloud is as safe as on premises, and that it will flow safely throughout your hybrid IT environments.
Keep learning
Get up to speed on unstructured data security with TechBeacon's Guide. Plus: Get the Forrester Wave for Unstructured Data Security Flatforms, Q2 2021.
Join this discussion about how to break the Ground Hog Day repetition with better data management capabilities.
Learn how to accelerate your analytics securely into the cloud in this Webinar.
Find out more about cloud security and privacy, and selecting the right encryption and key management in TechBeacon's Guide.
Learn to appreciate the art of data protection and go behind the privacy shield in this Webinar.
Dive into the new laws with TechBeacon's guide to GDPR and CCPA.