Who's in control of your data?
Added Sunday 05 June 2016
When you hand over control of your data to a Cloud Service Provider (CSP), you no longer need to worry about where it is stored or how it is accessed. Right? Wrong! Governments are increasingly demanding that organisations can verify where the data they upload to the cloud actually goes – holding them accountable for how it is stored and protected, even after they’ve handed over control to a 3rd party. There’s also the issue of so-called ‘shadow IT’ to consider. Can you be certain that employees aren’t storing data in the cloud without your knowledge and authorisation?
Where is your data stored?
Maintaining control is far from being an easy task once you upload data to the cloud. Even though the application or platform provider may be based in the UK for example, the server they use could be anywhere in the world. And even if your data resides in this country today, there’s nothing to stop your service provider from changing where your data’s stored tomorrow, should they decide it makes business sense to do so.
And what about the cloud and mobile applications that you never authorised in the first place? In today’s digital world, it’s all too quick and easy for your employees to sign up for cloud-based technologies that give them instant access to productivity and collaboration tools that help them to work more efficiently than the corporate apps that have been officially approved. It’s simply human nature and, as a recent study by IBM Security highlighted, 1 in 3 employees at Fortune 1000 companies – those with some of the most sophisticated security policies – share and upload corporate data on 3rd party cloud apps. While the majority of employees (57%) agreed that it was contrary to their company’s IT security policies, they still intended to use external cloud-based applications, perceiving that the benefits outweighed any risks.
The study also found that ‘millennial’ employees, who will account for more than half of the worldwide workforce by 2020, are even greater users of unauthorised cloud apps, with 51% frequently using cloud services for work purposes.
Who has access to your data?
When you hand your data over to a CSP, there’s also the issue of people that you haven’t been responsible for hiring or vetting gaining access to your company’s data assets. Once you’re no longer in a position to directly police the individuals that have legitimate access to your network, the ‘insider threat’ suddenly becomes a whole lot bigger and more difficult to manage.
The Verizon Enterprise 2016 Data Breach Investigations Report highlighted that ‘insider incidents’ are the hardest to detect and of all incidents, are the most likely to take months or years to discover. The report also indicated that whilst the majority of cases today are insider-only misuse, instances where outsiders (due to collusion) and partners (because they are granted privileges) are also involved are on the rise.
How can you stay in control of your data?
As an organisation, you need to ask the right questions of your ‘as-a-service provider’ when formalising your relationship – ensuring that your legal team have documented the flow of data so that data privacy and compliance are maintained in line with the relevant country’s legislation. But how can you manage unauthorised instances where employees choose to activate cloud services without your knowledge or approval?
Take a best-practice approach to protecting your data in the cloud
- Data classification: Ensure that your data is always clearly classified – identifying whether access needs to be restricted and to what extent
- Adequate controls: Put controls and policies in place to ensure that all categories of data are handled appropriately – restricting and monitoring access on a continual basis
- Encryption: Once your data is in the cloud, it’s the equivalent of storing it on someone else’s computer. If it’s sensitive or business critical it should be encrypted before being uploaded, and if you are sharing encryption keys with a CSP, ensure that you understand and are happy with their security policies
- Security layers: Add in content controls, protection tracking and deep analytics that will enable you to plug any holes in security and workflow
- User education: Ensure that users within your organisation, as well as any partners with access to your data, understand the sensitivity of data they work with and their role in keeping it safe
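The encryption and classification points above, as an added example that is not from the original post: the data is encrypted client-side under a key the organisation keeps, and the object name and classification label are bound in as authenticated data so that a label changed in storage is detected on download. The key and the object name are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // 32-byte key -> AES-256-GCM
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts client-side, before upload, under a key the organisation keeps. Object name
// and label are bound as AAD: stored in the clear beside the ciphertext, tamper-evident.
func Seal(key []byte, objectName, label string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // not secret; must be unique per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName+"|"+label)), nil
}

// Open reverses Seal after download; fails if ciphertext, nonce, name or label changed.
func Open(key []byte, objectName, label string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(objectName+"|"+label))
}

func main() {
	key := []byte("constructed-32-byte-demo-key-012") // constructed; in practice from the org's own KMS/HSM
	blob, _ := Seal(key, "reports/q2.csv", "CONFIDENTIAL", []byte("constructed sample record"))
	_, err := Open(key, "reports/q2.csv", "INTERNAL", blob) // label downgraded in storage
	fmt.Println("label tamper detected:", err != nil)
}
```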