It’s Time to Rethink Information Security in the Cloud
The risks to data security from the cloud came into sharp focus in 2019 when data belonging to a major bank, Capital One, was stolen by a former AWS employee. If you’ve been relying on your cloud provider to protect your data, it’s time to stop and put in place your own strategy.
And that new strategy can’t simply be the same as you’ve been using in your on-premises data centers. For one thing, many of the systems you need to protect aren’t on your premises—they’re in the cloud or remote offices or accessed remotely by employees using mobile devices. In addition, there are new data protection laws (GDPR, California Consumer Privacy Act) that make the consequences of breaches more costly. Finally, the old approaches simply don’t work very well in the cloud.
The old approach to security relies on pushing traffic and user access through centralized points where they can be examined for risks and security policies can be applied. But that creates inefficiencies and sometimes slowness that’s noticeable to end users. It’s also simply not effective enough or comprehensive enough. Encrypted traffic needs to be scanned for hidden threats, data leaks to the cloud need to be blocked, and protection needs to extend to devices you don’t own and don’t control. All of this has to happen in a complex environment where the architecture changes dynamically, systems share data widely, and there’s limited visibility into just what exactly is going on.
This means 2020 is the right time to step back and reevaluate exactly how you’re protecting your systems and how you’re ensuring a comprehensive level of protection across cloud. And since cloud is not nearly as separate from the data center as we often think, you need to consider how to integrate your security in the cloud with your security in the data center.
The process starts, as always, with analyzing your environment. Examine the data in your cloud—you need to know everything about how: How sensitive is it? Where is it stored? Where is it used? How is it transported across environments? Who has access to it? What compliance and regulatory requirements apply to the data set?
Next, examine the current tools and procedures you’re using to protect the data. Ask the most basic questions: Are all the data sets you identified protected? Are they all equally protected—and should they be? Where are there gaps in the tools, data, and systems you’re protecting? How are you ensuring controls are consistently applied across your entire infrastructure? Have controls been extended to all endpoints, including those that are difficult to see and manage (mobile devices, the internet of things)?
Then, consider that you’ve done all this evaluation, but your environment isn’t static. In fact, it’s likely changed while you’ve been doing your analysis, especially considering the dynamic nature of the cloud. How can you track and manage these changes, especially given the self-service nature of the cloud, where new services are available, often for free, to anyone who signs up?
It should be obvious there are no easy answers to these questions, no single solution that can be purchased and applied to every system belonging to every enterprise. Instead, work with a trusted partner like Prescient Solutions, who can devise a customize, comprehensive cybersecurity strategy covering data in the cloud, in the data center, and wherever your data is accessed. Contact us to learn more about how Prescient Solutions can help you design and implement your cloud security solution.