The age of on-premises data centers is slowly coming to a close, as more and more organizations ditch them in favor of the cloud. Cloud applications are visible wherever you look, from the smallest family-owned business to the largest multinational corporation. Cloud service usage continues to grow dramatically every year, and as of 2016, the average organization used 1427 cloud services.
Although this robust growth is promising, it has also given rise to a new array of cybersecurity threats. The average enterprise now falls victim to 23 cloud security threats per month, making the cloud seem like a risky liability. Additionally, sensitive information makes up 18 percent of the data uploaded to the cloud. However, with the proper security configuration and tools, even the most secret bit of data can rest easy in the cloud. In order to properly understand the security of the cloud, it is important to understand the main culprits behind the recent mega leaks.
Shadow IT: The Unknown Risks of the Cloud
One of the biggest threats to cloud security is Shadow IT, which is when unauthorized cloud services are used by employees without the knowledge or consent of the organization’s IT department. Shadow IT poses a great risk to cloud security for several reasons. First, employees generally don’t scrutinize the security of an application when deciding whether or not to use a cloud service. IT specialists, on the other hand, go through a process of extensive vetting, weighing the application’s security risks and cloud capabilities before approving it for company-wide use.
Second, IT departments are only aware of 10 percent of shadow cloud applications used at an organization. The remaining 90 percent fall beyond the purview of the IT department.
How to Secure your Sanctioned and Shadow Cloud Services
Visibility is the baseline for overcoming the inherent risks of Shadow IT. This is because Shadow IT, by definition, poses an unknown level of threat: organizations don’t realize the full extent of the cloud services being used by employees. Greater visibility allows the IT department to begin the process of quantifying risk and formulating a strategy to mitigate that risk.
One element of visibility involves monitoring the use of risky cloud services, cataloging their URLs or IPs, and either approving or blocking them based on a security risk assessment rating. Giving an application a security risk rating will require a thorough investigation of the application’s security capabilities, such as whether it encrypts data at rest, or if it provides multi-factor authentication (MFA) natively, etc.
The typical organization can generate billions of events a day from its cloud usage. Anything from downloading or uploading a document to attempting to log in to a service generates an event.
Events indicative of a threat can easily get lost or ignored. With data science, machine learning, and user and entity behavior analytics (UEBA), organizations can sift through the mountain of events that may show a host of anomalous activities, and flag only those that are actual threats.
Imagine a Salesforce user who makes repeated failed attempts to log into Salesforce. After several failed attempts, a compromised account anomaly might get generated by a detection engine. But what if the user had left her Caps Lock key on? How can an IT professional identify this as normal behavior and ignore it?
Taking this a step further, how can threat protection software accurately classify this as normal behavior and ignore it so that IT security professionals do not have to investigate alerts for these everyday activities? While a cyber attacker might be able to steal an employee’s credentials, an attacker can’t mimic the employee’s behavioral patterns. It turns out that the way people navigate and use applications is distinctive, a kind of digital body language.
This pattern is nearly impossible for a cyber criminal to replicate. Returning to our imaginary Salesforce user: after she successfully authenticates following several failed attempts, if her behavior is consistent with her prior behavior, it can be said with some certainty that she is who she’s supposed to be.
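The triage described above, as an added example that is not part of the original article: a failed-login burst is escalated only when the session that follows the eventual successful login deviates from that user's own historical behavior. The event fields, user names, action names and thresholds are constructed for illustration.

```python
"""Behavioral triage of failed-login bursts (constructed example, not product code).
A burst of failed logins followed by a success is escalated only when the user's
post-login actions deviate from that user's own historical profile."""
from collections import Counter, defaultdict

FAILED_LOGIN_THRESHOLD = 3   # failures before a burst counts as suspicious
DEVIATION_THRESHOLD = 0.5    # share of unfamiliar actions that escalates the alert

# Constructed history: what each user has done in earlier sessions.
HISTORY = ([{"user": "alice", "action": a} for a in
            ["view_opportunity"] * 20 + ["edit_contact"] * 10 + ["run_report"] * 5]
           + [{"user": "bob", "action": a} for a in ["view_contact"] * 15 + ["log_call"] * 8])
# Constructed event stream, in time order: Alice mistypes her password (Caps Lock)
# and then works as usual; Bob's account is driven by someone behaving unlike Bob.
EVENTS = ([{"user": "alice", "action": "login", "outcome": "fail"}] * 3
          + [{"user": "alice", "action": a, "outcome": "ok"} for a in
             ["login", "view_opportunity", "edit_contact", "run_report"]]
          + [{"user": "bob", "action": "login", "outcome": "fail"}] * 4
          + [{"user": "bob", "action": a, "outcome": "ok"} for a in
             ["login", "export_all_leads", "change_email", "download_report"]])

def build_baseline(history):
    """Per-user set of familiar actions; a real UEBA model keeps far richer features."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev["user"]].add(ev["action"])
    return baseline

def triage(events, baseline):
    """Return (user, verdict, deviation) for each failed-login burst that ends in a success."""
    failures, watched, sessions = Counter(), [], defaultdict(list)
    for ev in events:
        user, action = ev["user"], ev["action"]
        if action == "login":
            if ev["outcome"] == "fail":
                failures[user] += 1
            elif failures.pop(user, 0) >= FAILED_LOGIN_THRESHOLD:
                watched.append(user)          # judge this user by what happens next
            continue
        if user in watched:
            sessions[user].append(action)
    findings = []
    for user in watched:
        acts = sessions[user]
        if not acts:                          # nothing to compare yet: hold, don't decide
            findings.append((user, "needs_review", None))
            continue
        deviation = sum(a not in baseline[user] for a in acts) / len(acts)
        verdict = "compromised_account" if deviation >= DEVIATION_THRESHOLD else "benign_login_failures"
        findings.append((user, verdict, deviation))
    return findings
```

Running `triage(EVENTS, build_baseline(HISTORY))` clears Alice's Caps Lock incident and escalates Bob's, even though both started with the same failed-login signal.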
Using data science and machine learning to observe and analyze behavioral patterns isn’t a new technology. Credit card companies use data science and profiling to identify fraudulent charges. Try as they may, credit card thieves have a difficult time perfectly mimicking normal transactions in granular detail, and the algorithms built and refined over time have become very proficient at spotting fraud even in the most innocuous-looking transactions.
Securing the Data Itself – Encryption and Tokenization
Two important elements of data security are encryption and tokenization, which serve the same purpose—protecting sensitive information—but operate in different ways. Encryption converts data into ciphertext using an encryption key. Once the data is encrypted, the only way to make the information intelligible again is with the corresponding decryption key.
Tokenization protects data differently. A random token is generated to stand in for each plaintext value, and the token-to-plaintext mapping is stored in a database. The greatest benefit of tokenization is that the actual data stays on-premises, and only the token values are uploaded to the cloud. However, if the token-to-plaintext mapping database is compromised, the sensitive information can still be exposed. Tokenization is typically used for structured data.
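A minimal vault-style tokenizer, added here as an example and not taken from the article or any product: the field names, the token format and the reuse of one token for a repeated value are assumptions. It shows both halves of the paragraph above: the cloud copy of a record holds only tokens, while the on-premises mapping remains the asset whose compromise would expose the data.

```python
"""Vault-style tokenization (constructed example, not a product's implementation).
Sensitive plaintext stays in the on-premises vault; the cloud record carries only
tokens, so the cloud copy alone exposes nothing. The vault is what must be guarded."""
import secrets

SENSITIVE_FIELDS = {"card_number", "ssn"}   # assumed schema of a structured record

class TokenVault:
    """On-premises token-to-plaintext mapping. Tokens are random, so a token reveals
    nothing about its plaintext and cannot be reversed without this mapping."""

    def __init__(self):
        self._to_plain = {}
        self._to_token = {}   # same plaintext -> same token, so cloud-side joins still work

    def tokenize(self, plaintext):
        if plaintext in self._to_token:
            return self._to_token[plaintext]
        token = "tok_" + secrets.token_hex(16)
        while token in self._to_plain:        # collision guard (practically never taken)
            token = "tok_" + secrets.token_hex(16)
        self._to_plain[token] = plaintext
        self._to_token[plaintext] = token
        return token

    def detokenize(self, token):
        return self._to_plain[token]          # unknown token raises KeyError: fail closed

def to_cloud_record(record, vault):
    """Replace sensitive fields with tokens before the record leaves the premises."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

def from_cloud_record(record, vault):
    """Restore plaintext on premises; this is the only place the mapping is consulted."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v for k, v in record.items()}

def leaks_plaintext(cloud_record, original):
    """Pre-upload check: no sensitive value may survive unchanged in the cloud copy."""
    return any(cloud_record.get(k) == original[k] for k in SENSITIVE_FIELDS if k in original)

def roundtrip(record):
    """Tokenize for upload, then detokenize on premises; returns (cloud_copy, restored)."""
    vault = TokenVault()
    cloud_copy = to_cloud_record(record, vault)
    return cloud_copy, from_cloud_record(cloud_copy, vault)
```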
Cloud Security Compliance
There are a number of regulations for data security, such as PCI-DSS, HIPAA-HITECH, and EU-GDPR. However, it is important to remember that storing data in the cloud is different from storing information in a local database. The following steps should be taken as a start in order to stay compliant with internal/external policies:
- Identify the types of information uploaded to the cloud (health information, personally identifiable information, payment card information, etc.)
- Limit third party control of sensitive data
- Avoid uploading confidential information to the cloud
- Apply uniform DLP policies across every cloud application to ensure all data is secure
- Inventory existing policies and adapt them to the cloud environment
Additional Cloud Security Tools
These best practices are an important first step towards protecting your data in the cloud, but the following tools can add even more security.
- SIEMs: Security information and event management (SIEM) is a crucial tool for large enterprises. This tool can look through inbound events and flag potential security threats in real time.
- User access control: The principle of least privilege states that employees should have access only to what they need for their jobs. Single sign-on (SSO) and identity management (IDM) can enforce this by managing user logins and access, as well as roles and privileges.
- Cloud firewall: Cloud firewalls are better suited for lower-level threats, but they provide an important barrier against threats targeting the network from the cloud or vice versa.
- CASB: Serving as the control point between the customer and the cloud application, cloud access security brokers (CASB) provide visibility into user activity and threat detection in the cloud in order to protect data against a wide array of attacks.
- Cloud data encryption: By translating information into ciphertext, sensitive data becomes impossible for hackers to use without a decryption key, even if all other security layers are breached.
An organization seeking to transition from an on-premises database to the cloud may be initially thrown by the risks posed by Shadow IT and insider threats. Luckily, with effective best practices and a wide variety of cloud security tools, enterprises can now feel safe storing their data in the cloud.