Cloud security and analytics: 4 lessons for data security teams
Take responsibility—or face consequences
Sr. Data Security Products Executive, CyberRes
Last year, a cloud-savvy hacker found a way to bypass the web application firewall protecting a major bank's credit card applications. The result: The attacker collected more than 100 million individuals' records, and the firm eventually paid an $80 million fine.
The bank had incorrectly configured cloud servers, allowing anyone access to the data stored within, and security measures such as encrypting the information on a server weren't correctly applied.
The incident highlights how every company has become a data company, given the amount of data they are producing, collecting, processing, or monetizing. As enterprises struggle to keep up with the data explosion, moving applications and data into the cloud has become an easy choice for its scalability, on-demand provisioning, consumption-based pricing, and high availability.
Multi-cloud usage and hybrid cloud strategies hit an all-time high of 93% and 87%, respectively, in 2020, according to Flexera's 2020 State of the Cloud report. Further, no company of any size is contemplating a future without at least some infrastructure in the cloud.
Thus, protecting data inside and, especially, outside the network perimeter has become even more important. Companies need to apply additional and better security measures to data—especially applying data-centric protection—to prevent compromises from turning into breaches.
Yet, at the same time, businesses cannot lose the ability to use and analyze their data. Business analytics is a key part of digital transformation and of the ability to respond to customers and markets with agility. For companies struggling with the risks of data, the conclusion is that, while data de-identification or de-sensitization is necessary for security, business reasons require achieving that security while preserving the data's functional or analytical value and referential integrity.
Finding a secure way to use cloud data has become even more critical as companies accelerate their move to the cloud to adapt to the current shift to a remote workforce during—and after—the pandemic.
Here are four lessons for companies dealing with cloud data and business analytics.
1. Security is a responsibility you share with your cloud service
There is a fine line between the security of the cloud and security of your data stored in the cloud. Don't expect your cloud provider to protect you from a data breach. The cloud provider's security responsibility ends at the point where it keeps its overall infrastructure secure from intrusion and compromise.
IT leaders should verify the protections put in place by cloud providers. Even if AWS says that, by default, the company protects its storage buckets, the data is not necessarily persistently encrypted, and certainly is not encrypted by a key that only your business has access to or control of.
In the end, it takes only one missed configuration setting to open up your data to a knowledgeable hacker. On the security side, companies should verify their configuration files and automate their checks to avoid simple mistakes that can lead to major breaches.
Or, even better, they should apply the highest level of data-centric security that protects data persistently while at rest, in transit, and in use.
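One way to automate the configuration check described in this lesson, as an added example that is not from the original article or from any vendor tool. It assumes bucket settings have already been exported into dictionaries shaped like the S3 API's public-access-block and default-encryption structures; the bucket names, the key ARN and the helper names are constructed for illustration.

```python
# Constructed sample settings, shaped like the PublicAccessBlockConfiguration and
# ServerSideEncryptionConfiguration structures of the S3 API. Bucket names and
# the key ARN are made up.
ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def sse(algorithm, key_id=None):
    """Build a default-encryption structure for the sample data."""
    default = {"SSEAlgorithm": algorithm}
    if key_id:
        default["KMSMasterKeyID"] = key_id
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default}]}

SAMPLE_BUCKETS = {
    "card-applications": {"public_access_block": {**ALL_ON, "BlockPublicPolicy": False},
                          "encryption": sse("AES256")},
    "analytics-export": {"public_access_block": ALL_ON, "encryption": sse("aws:kms")},
    "claims-archive": {"public_access_block": ALL_ON, "encryption": sse(
        "aws:kms", "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE")},
    "legacy-logs": {},  # nothing configured at all
}

def audit_bucket(cfg):
    """Return a list of findings for one bucket; an empty list means it passes."""
    findings = []
    pab = cfg.get("public_access_block") or {}
    off = [flag for flag in ALL_ON if pab.get(flag) is not True]
    if off:
        findings.append("public access not fully blocked: " + ", ".join(off))
    rules = (cfg.get("encryption") or {}).get("Rules", [])
    if not rules:
        findings.append("no default encryption rule")
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm", "")
        key_id = default.get("KMSMasterKeyID", "")
        if not algorithm.startswith("aws:kms"):
            findings.append("encrypted with a provider-managed key (%s)" % (algorithm or "unset"))
        elif not key_id or "alias/aws/" in key_id:
            findings.append("KMS encryption falls back to the AWS managed key")
    return findings

def audit_all(buckets):
    """Map each failing bucket name to its findings."""
    results = {name: audit_bucket(cfg) for name, cfg in buckets.items()}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    failing = audit_all(SAMPLE_BUCKETS)
    for name, found in failing.items():
        print(name, "->", "; ".join(found))
    raise SystemExit(1 if failing else 0)  # non-zero exit fails a CI job
```

Run as a scheduled or pipeline job, the non-zero exit status turns a single missed setting into a failed check instead of a silent exposure.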
2. Traditional security controls are becoming irrelevant in the cloud
Many companies initially move to the cloud through "lifting and shifting" their servers and applications, and likewise believe that their security controls can be lifted and shifted as well. However, while servers have a good representation in the cloud as virtual machines, modern cloud infrastructure includes containers, APIs, and serverless functions that have no physical analog.
For that reason, companies have to consider security that works across all these different types of assets, and should not expect a silver bullet. Scanning for vulnerabilities, monitoring traffic to cloud applications and infrastructure with web application firewalls, using runtime application self-protection (RASP), and similar controls are all critical to detecting and avoiding potential security weaknesses, but it takes just a single miss across these layers of security controls to open the door to a bad actor.
3. Data sprawl means perimeter security controls will often fail
The coronavirus pandemic has continued to change the way people work, with 98% of companies having many (30%+) workers working from home, and 77% of companies having most (60%+) workers outside the office at least one day a week, according to PricewaterhouseCoopers. No wonder, then, that data sprawl has become a major concern for business executives.
More than three-quarters of chief information officers are worried that remote working and cloud use will result in their company losing control of its data. For companies that rely on perimeter-based controls, this statistic should be frightening. Keeping data sprawl in check means monitoring the use of critical data assets and using encryption to protect data no matter where it resides.
4. Use encryption and tokenization to protect data and ensure usefulness
The best way to tackle the problems of data sprawl, cloud storage of data, and the need to perform analytics on business data from anywhere is by protecting data at all times. Companies cannot depend on system-level encryption controls, perimeter, or access controls. Once access is compromised, and perimeter controls are bypassed, data escapes the perimeter and the information is no longer protected.
Instead, use function-preserving or analytics-preserving, industry-standard encryption techniques such as format-preserving encryption (FPE), including the FFX mode of AES described in NIST SP 800-38G. This allows companies to protect data at all times yet still perform a specific set of analytics on the information. Searching, sorting, querying, reporting, and applying machine learning or artificial intelligence are some of the analytics that are possible on data that has been encrypted.
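The sketch below shows why deterministic, format-preserving protection keeps referential integrity: two data sets tokenized with the same key still join on the protected value. It is an added example, not from the original article, and it is a simplified Feistel construction built on HMAC-SHA256, not the FF1 or FF3 algorithms of NIST SP 800-38G; the key, account numbers and function names are constructed for illustration.

```python
import hashlib
import hmac

ROUNDS = 10
KEY = b"constructed-demo-key"  # constructed; real keys come from a key manager
# Constructed sample data: two tables that share an account number.
CUSTOMERS = {"4000123412341234": "north", "4000567856785678": "south"}
PAYMENTS = [("4000123412341234", 120), ("4000567856785678", 75),
            ("4000123412341234", 30)]

def _round_value(key, i, n, half):
    """Keyed round function: HMAC over round number, total length, other half."""
    msg = bytes([i, n]) + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def fpe_encrypt(key, digits):
    """Map a digit string to another digit string of the same length."""
    if len(digits) < 2 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("need a string of at least two decimal digits")
    n, u = len(digits), len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else n - u  # width of the half produced this round
        c = (int(a) + _round_value(key, i, n, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b

def fpe_decrypt(key, token):
    """Invert fpe_encrypt by running the rounds backwards."""
    n, u = len(token), len(token) // 2
    a, b = token[:u], token[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else n - u
        a, b = str((int(b) - _round_value(key, i, n, a)) % 10 ** m).zfill(m), a
    return a + b

def spend_by_region(key):
    """Join the two tables on the token only; no plaintext account is compared."""
    region_of = {fpe_encrypt(key, acct): region for acct, region in CUSTOMERS.items()}
    totals = {}
    for acct, amount in PAYMENTS:
        region = region_of[fpe_encrypt(key, acct)]
        totals[region] = totals.get(region, 0) + amount
    return totals

if __name__ == "__main__":
    print(spend_by_region(KEY))
```

Determinism is what makes the join work, and it also means equal plaintexts produce equal tokens, so short or low-entropy fields need a per-field tweak or a different technique.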
With enterprises rapidly adopting hybrid and multi-cloud strategies in the face of increasing pressure from data privacy and sovereignty laws and regulations, they must adopt stateless and cloud-agnostic security. They need a tool that does not lock them into a specific cloud provider, allows them to port data across other clouds or on premises, and retains the ability to keep data secured within a country's borders.
Big challenges remain
Data privacy and protection do not come as a default or a byproduct of a company's cybersecurity strategy or program. Enterprises need to take data security seriously and drive it as a dedicated program, and that requires adequate planning, resources, and budget to ensure that data is discovered, classified, analyzed for quantifiable risks, managed, de-identified, retired, tracked, and reported.
By leveraging adequate data-centric protection technologies, you can ensure that sensitive data is locked down against unauthorized access, and at the same time certify that the value in that data is unlocked at scale. Enterprises should be able to share pseudonymized or anonymized data with third-party partners and clients for their business cases, and ensure that their data protection software is independent of the cloud providers. This is especially important for companies that use multiple cloud services.
As your business increasingly relies on the cloud, make sure that the data you store in cloud services is useful for business analytics—and protected at all times.