This blog is an excerpt of an article that is currently available on InfoSec Island
Industries such as healthcare, IT services, education, and retail, where computing has not been traditionally at the core of the value proposition, understand that they must embrace cloud-computing solutions to reach and retain customers.
This trend is being driven by the consumer habits of millennials, the fastest growing consumer demographic in the world, which prefers the ease of accessibility, convenience and efficiency offered by the digital world. The Millennial Disruption Index points out, for example, that these millennial preferences are transforming banking. This is reflected in the rise of FinTech companies. The health industry too has embraced digitization in many forms including electronic health records (EHRs), home monitoring systems and wearables.
Unfortunately, the importance of security to protect cloud data has been somewhat ignored. Companies tend to underestimate risk and recovery costs after a cyber attack. Using ill-suited security solutions can hinder the productivity of a company’s business-critical tasks. Additionally, cloud security still lacks global standards, which can hinder interoperability between private and public clouds.
The Cloud Stampede
Staying relevant and staying close to customers – especially millennials – in the rapidly changing marketplace is one of the biggest challenges for businesses today. Meeting it means collecting massive amounts of data on consumer behavior and mining actionable insights that can help steer and optimize marketing strategies for different market segments. But big data analytics requires massive storage, network, and computing capabilities with fluctuating demands; capital expenditures to house these capabilities are enormous, and predicting and therefore managing the maximum demand to keep up with customers can be impractical. On the other hand, cloud computing offers scalability while significantly reducing operational costs. This has forced a stampede of companies quickly migrating to the cloud.
But a lack of solid and proven security mechanisms has led to an ever-increasing rate of data breaches. The average cost to remediate data breaches in 2015 was estimated to be a whopping $3.8 million. Additionally, victim companies are subjected to severe public censure, resulting in a damaged brand reputation, costly downtime before full recovery, and expensive lawsuits. Recent security breaches, such as those at Target, Ashley Madison, Anthem and many more, serve as a wake-up call to companies that have been insouciant about the importance of cloud security. In fact, security moved to the number one spot on every CIO’s must-do list in the recent survey conducted by the National Association of State Chief Information Officers (NASCIO).
Cloud Security, a major concern against Cloud Adoption
Data security and privacy are a common and preeminent concern that deters businesses from migrating to the cloud. Storing data on the cloud means a lack of visibility into how the data is managed, thereby presenting multiple cloud-specific risks.
- User access control: Identity theft is a major threat vector for most data breaches to date. Managing access control is not as easy on the cloud as it is on premises. Cloud providers themselves might have some level of access to the data, which further exacerbates the risk.
- Integrated security solutions: Cloud security needs to be achieved through a host of solutions for various issues, such as data protection, identity management, malware detection, and antivirus. Integrating security across the service, from authentication to activity monitoring, is technically challenging, and not all cloud providers would offer state-of-the-art integration.
- Data separation: The very model of public cloud implies that the cloud storage and services will be shared. Techniques such as encryption are necessary to prevent unauthorized access. A cloud provider’s data separation policies may not be strong enough to store sensitive data.
- Compliance: Cloud security issues go beyond data protection. Cloud adoption must be considered while ensuring regulatory and policy compliance. For instance, healthcare providers are bound by HIPAA regulations and financial service providers are required to comply with Payment Card Industry Data Security Standard (PCI DSS). Without autonomous control over cloud data, generating reliable audit trails to demonstrate compliance can be challenging. Furthermore, cloud service providers may not provide a well-defined offering through Service Level Agreements (SLAs) detailing their security measures.
How are organizations dealing with the challenges?
Lack of cloud security standardization has resulted in multiple solutions available in the market. Today, companies pick and choose solutions per their requirements and budgets at various stages of cloud migration.
- Even before businesses migrate to the cloud, companies need cloud security mechanisms, due to the phenomenon called Shadow IT. With a plethora of IT service tools available through cloud services (for file sharing and collaboration), today’s tech-savvy IT employees circumvent the company’s traditional restrictions and, without knowledge and approval, use SaaS and PaaS tools for increased convenience and efficiency. This creates difficulty and opacity in tracking business data, creating high security risks. Companies such as Skyhigh Networks, Netskope, and Bitglass sell cloud security tools that help track and protect business data despite Shadow IT. Companies can also protect business data by encrypting and tokenizing it at the business gateway by using specialized tools offered by companies such as CipherCloud and Vaultive; crucially, the decryption keys are stored on premises within the business network. DocTrackr allows you to track crucial documents even after the documents are sent out of the company network; it allows one to set access privileges to the extent that one can even “unshare” the document.
- In the process of moving to the cloud, one needs to design products with security baked in; security by design is much easier than patching for security after the product has been designed. Tools are available to understand current threat information so as to prepare against it from the get-go. One can also detect coding vulnerabilities even before going live using tools from companies such as WhiteHat Security.
- After moving to the cloud, the major threat vector — human elements/endpoints — needs to be protected in multiple ways. Identity management — not only for employees that access data on the backend but also for forward-facing elements such as partners and clients — is thus a crucial aspect. A host of companies, such as Okta, RSA, and Centrify, offer solutions with desirable features such as single sign-on across multiple cloud products and services used by the company. Furthermore, one can even employ fine-grained access control with central privilege provisioning on a single dashboard with these tools. To further protect employees from social-engineering attacks, Proofpoint offers tools to detect, block, and respond to email and social-media based threats.
- While storing and analyzing customer data on the cloud, one needs to employ security mechanisms to protect customers’ privacy even in case of data breaches. The idea is to keep the data encrypted not only at rest and in transit, but also during computation. Microsoft’s SQL Server and PARC’s Privacy-preserving Analytics (PPA) platform provide security to sensitive data on the cloud even when the data is being analyzed.
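The gateway tokenization mentioned in the first bullet above can be sketched as follows. This is an added illustration, not code from the article or from any vendor named in it; the class, function and field names are hypothetical, and it covers tokenization only (field encryption is left out).

```python
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = {"ssn", "email"}  # assumed field names for this sketch


class OnPremTokenVault:
    """Hypothetical token vault that stays inside the business network."""

    def __init__(self, key: bytes):
        self._key = key    # the key never leaves the premises
        self._vault = {}   # token -> original value, also kept on premises

    def tokenize(self, field: str, value: str) -> str:
        # Keyed, deterministic token: equal inputs give equal tokens, so the
        # cloud service can still match or join on the field, but nobody
        # without the key can recompute a token from a guessed value.
        msg = f"{field}\x00{value}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        token = "tok_" + digest[:32]
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return self._vault[token]


def outbound(record: dict, vault: OnPremTokenVault) -> dict:
    """Gateway step before upload: swap sensitive values for tokens."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(record: dict, vault: OnPremTokenVault) -> dict:
    """Gateway step on the way back: restore the original values."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


if __name__ == "__main__":
    vault = OnPremTokenVault(secrets.token_bytes(32))
    # Constructed sample record, not real data.
    record = {"name": "Pat Example", "ssn": "000-00-0000", "plan": "gold"}
    in_cloud = outbound(record, vault)
    print("stored in cloud:", in_cloud)
    print("restored on premises:", inbound(in_cloud, vault))
```

A breach of the cloud copy exposes only the tokens; the mapping back to real values requires the vault and key held on premises.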
Thanks to the digital preferences of millennials, increased digitization and cloudification will drive the demand for cloud security products and services. Ease of access and the other benefits brought about by digitization, coupled with a better sense of security brought about by innovation and adoption of strong cloud-security defense mechanisms, will make the world a better place.
Vanishree Rao is a Security and Applied Cryptology researcher at PARC