Regardless of whether your organisation jumped into cloud enthusiastically, or is being dragged in against its own policies, we are all in the cloud – and we are only going to get more involved. To talk about preventing data loss seems to misunderstand that today we aren’t holding the data in the first place. It is in constant movement between multiple services, hosted in disparate geographical jurisdictions, being used and analysed by multiple parties both within the organisation and among partners, and potentially even informing third party machine learning systems. Too many of us are trying to solve cloud security issues with appliances designed for a very different world, and we need to think differently about the problem. Think: bodyguards rather than burglar alarms.
Here are four simple steps to elevate your Data Loss Prevention into Data Protection for the cloud.
- Keeping up to date is not an option, but realise that your in-house team cannot be expected to do this alone. It can easily take four days to assess a cloud service; investigating security protocols and compatibility with your own compliance requirements. With the average enterprise using over 1,200 cloud applications it would take 13 years in workforce-hours to assess and black or whitelist these manually. And of course, cloud service providers can, overnight, change the security protocols you just spent days evaluating. It is becoming essential for in-house teams to partner with specialist service providers who can continually assess and score cloud services.
- Protect data without just blocking. Black and whitelists always were pretty crude, but they can become a liability when used for cloud services. Just because your specialist service provider has reassured you that Box is enterprise ready, it doesn’t mean you want employees uploading enterprise data to personal Box accounts. You need to consider that individuals may have multiple accounts with cloud service providers – both personal and professional – and you will need to consider how you are going to track and impose Data Protection policies that differentiate between different accounts.
- Protect mobile and remote data. An ever-increasing percentage of cloud service access currently comes from mobile devices so many organisations will need to define different cloud security policies for corporate vs personal devices, or network connections, or take decisions based on location. For heuristic controls, todays organisation must consider the device, identity, application, activity and the data to more accurately apply dynamic security controls that create less friction to the business.
- Protect data across SaaS, IaaS, PaaS and web environments. Cloud service risk and security is about much more than just the SaaS cloud services that tend to creep into organisations as shadow IT. Use of IaaS solutions like Amazon Web Services, Google Cloud Platform, Microsoft Azure are exploding as DevOps teams are creating applications and services to support strategic goals. It makes no sense to have to manage Data Protection policies individually for each IaaS, PaaS, or even to manage SaaS and web policies separately. Fit-for-purpose Data Protection should allow an organisation to design granular policies at a user, device or activity-level, that can be easily applied and managed across all platforms, including Amazon S3, Microsoft Azure Blob storage, Workplace by Facebook, and web services.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.