By Doug Lane, Vice President/Product Marketing, Vaultive
With 2017 behind us, it’s time to prepare your IT strategy and goals for the new year. There is a good chance that, if you aren’t using the cloud already, there’s a cloud services migration in store for your organization this year. No matter where you are on your cloud adoption timeline, here are three steps IT security teams and business leaders can take today to kick-off 2018 with a strong cloud security position:
It’s critical to understand what data your company is collecting from customers, prospects, and employees and how it’s being processed by your organization. Mapping out how sensitive information flows through your organization today will give you a clear idea of where to focus your security efforts and investments. It also gives you the opportunity to delete data or processes that may be redundant or no longer necessary, which will reduce your overall risk and save resources long-term.
Secure Sensitive Data and Materials
Once you’ve identified potentially sensitive information and the services processing it, there are several measures you can put in place protect data. Some of the most common and effective controls include:
- Encryption: The first option for protecting sensitive information is to encrypt data before it ever flows out of your environment and into the cloud. While many cloud providers offer encryption using bring your own key (BYOK) features, the provider will still require access to the key in some form, continuing to put your data at risk for insider threats and blind subpoenas. Organizations that choose to encrypt cloud data should seek a solution; even it means approaching a third-party, that allows them sole control and access to the encryption keys.
- Data Loss Protection (DLP): Another common data protection measure includes implementing DLP in your environment. By inspecting cloud computing activities and detecting the transmission of certain types of information, an organization can prevent them from ever being stored in the cloud. This approach ensures sensitive data, particularly personally identifiable information (PII), never leaves the premises or your IT security team’s control.
- Privilege & Access Control: While many organizations have used privilege management and access control as a practical on-premises security strategy for years, few have applied them to their cloud environments. In many cloud services, administrator roles can mean unlimited access and functionality. In addition to severely increased risk if an administrator goes rogue, this can lead to downtime and critical configuration errors in a few clicks. IT teams should seek to limit user access and functionality within a cloud service to only what they need to be productive.
Supplementary to limiting access based on user identity, IT teams should also consider blocking activity or requiring additional approval in certain contexts, such when a user logs in from an odd or new location, an out of date browser is detected, or a highly sensitive transaction is executed (e.g., bulk export of files).
- Enforce Two-Factor & Step-Up Authentication: Even if user access and privileges are limited in scope, an unauthorized party making use of compromised credentials is still a risk. It’s important to have an additional layer of security in place to ensure the user at the endpoint is genuinely who their credentials claim them to be. Configuring your cloud services to require re-authentication or step-up authentication with your preferred identity and access management (IAM) vendor based on criteria you select is an effective strategy.
Prepare a Breach Notification Plan
Finally, while many companies last year, such has Yahoo and Equifax, opted for an extended period of silence to investigate and strategize how they would communicate a detected breach, the public and regulators are quickly losing patience for this sort of behavior from companies. In fact, new regulations such as the EU General Data Protection Regulation are now placing requirements and time limits around data breach notifications with hefty penalties for non-compliance.
Though a strong security strategy can reduce the risk of a significant data breach, businesses should have a plan of action if the worst should happen. Identify who in your organization should be notified and sketch out a general response.
Let’s make 2018 the year we’re accountable and prepared when it comes to data privacy and security in the cloud.