Maintaining data security in clouds is becoming more challenging. Discover how organizations’ best practices and security tools may help.
It is becoming more common for cloud security failures to be the fault of the organization using the cloud. A regulatory tendency to place the onus of securing personal data squarely on the shoulders of the data owner (e.g., the entity that collects the data) accelerates this trend. Being liable for data security breaches, organizations, as the main data owners, must therefore take responsibility for ensuring that they have suitable security and compliance measures in place.
A lack of clear understanding of which security measures organizations must implement often results in devastating outcomes. Oracle provides several examples of organizations failing to maintain their part of the shared responsibility model and of the outcomes of such lapses.
Financial losses are always painful, especially when they occur as a result of the organization’s own failure. An illustrative incident occurred in 2019, when a manufacturing enterprise decided to migrate its internal applications to AWS. Shortly afterwards, a disgruntled employee launched multiple AWS instances before resigning. The incident was detected only after the enterprise received a hefty bill from Amazon. It happened because the organization failed to meet its obligations under the shared responsibility model: it lacked a reliable system to detect and alert on unusual activity. Simply checking the AWS billing dashboard would have helped significantly reduce the losses. The total amount of the financial losses was not disclosed, but it is estimated to reach millions of US dollars.
Ceasing operations is an even more severe prospect than suffering financial losses. Such an outcome occurred in 2018, when a hacker gained access to the cloud credentials of a hosting company. After a phishing attack against a privileged user, the hackers demanded a ransom in return for control of the cloud environment. This incident happened because the organization failed to provide sufficient security measures to prevent the initial phishing attack and had no automated tools to detect suspicious behavior in the cloud. After the organization attempted to regain control of the cloud, the hacker deleted all the data stored in it. Due to the severity of the attack, the enterprise had no option but to cease operations within days.
Steep fines are the next painful outcome that organizations may experience when they neglect their part of the shared responsibility model. In 2019, a healthcare provider adopted a cloud service but failed to set appropriate configurations. As a result, the organization’s email solution bypassed the check that ensures the personal health information (PHI) of its clients is not transmitted externally. As it later turned out, the healthcare provider lacked automatic alerts to notify it when critical configuration settings changed. This failure resulted in a fine estimated at US$1.5 million.
AWS summarised such failures into three major problem areas that are common to businesses across different industries:
Configuration management – missed security settings that generally result in errors such as unrestricted access permissions, inadvertent public access, and unencrypted records.
Monitoring & oversight – inadequate oversight of vendor-provided storage and systems.
Data protection – insufficient data classification procedures and policies.
Cloud providers offer a wide range of tools and services that are necessary for maintaining the shared responsibility model for data protection and are very helpful for reducing organizations’ security risks. These tools and services vary across cloud providers, but most of them are categorized according to the above problem areas and involve access analysis, security checks, encryption, configuration compliance and checks, sensitive data discovery, and alerts.
Cloud providers offer several tools and services to monitor, detect, and remediate misconfigurations.
Access analysis – a service that identifies paths by which an organization’s resources can be accessed from outside its cloud account. Besides this, providers’ access analyzers identify resources that can be accessed, analyze access permissions, and monitor for new policies and updates.
Actionable security checks – security advisories that should be regularly reviewed and addressed. Because uncontrolled access accelerates malicious activity, such a service examines bucket permissions that may create potential security vulnerabilities by allowing anyone to add, modify, or remove items. Cloud providers also check network security groups for rules that give unrestricted access to cloud-based assets.
Encryption – the ability to automatically control the encryption of cloud-based data by offering centralized control over the encryption keys.
To avoid oversights in data storage, cloud service providers offer tools and services for continuous monitoring and regular assessment of control environment changes and compliance.
Configuration compliance monitoring – helps assess how well the organization’s resource configurations align with internal practices, guidelines, and regulations. Configuration monitoring evaluates configuration settings, detects and remediates rule violations, and flags non-compliance. This service helps demonstrate compliance with internal policies for data and activities that require frequent audits.
Automated compliance checks – this tool reduces the effort of managing the security and compliance of organizations’ workloads and cloud accounts. It helps maintain compliance by continuously running account and configuration checks against the major rules of the supported industries.
Security and compliance reports – on-demand access to security and compliance reports such as Payment Card Industry (PCI) or Service Organization Control (SOC) reports, as well as to the operating effectiveness of the providers’ security controls.
To support the appropriate level of security, organizations are encouraged to classify their data.
Storage access control – tools that help ensure that specific data stored in the cloud environment does not have public permissions. Such tools are a good second layer of protection, ensuring that the organization does not inadvertently grant access to objects.
Sensitive data discovery – some tools discover, classify, and protect sensitive data such as personally identifiable information (PII) stored in cloud environments. These tools typically scan storage for sensitive data, but some cloud providers also include continuous monitoring of configurations across all accounts within the corporate cloud environment and alerts on any suspicious activity.
Intrusion detection – these services are designed to raise alarms when someone is scanning for potentially vulnerable systems or moving unusually large amounts of data to or from unexpected places.
Organizations are responsible for putting in place and enforcing policies for cloud data ownership. At a basic level, organizations must develop data governance programs to properly classify their data and be able to implement and monitor the appropriate security measures for the different levels of data sensitivity.
Organizations that use cloud services are responsible for the security of the software they run in the cloud. Patching is among the pillars of security for on-premises and cloud-based environments.
While operating in the cloud environment, monitoring network activity is not always feasible. Instead, the main security focus must shift to the assets that are running in the cloud and the processes used to deploy and manage them. To this end, many organizations build security into apps at the design and coding stages.
Cloud operations require substantially more complex identity and access management (IAM) than on-premises environments. To help organizations handle IAM, cloud providers often suggest best practice guidelines, tools, and services. Organizations are free to decide how (and whether) to use them effectively.
Real-time configuration management enables organizations to check systems and services for misconfigurations that may lead to vulnerabilities. When moving to the cloud, organizations must deploy dedicated cloud security solutions that automatically alert on critical configuration changes. Failing to do so may result in data breaches.
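As an added example (not code from the original article or from any cloud provider), the Python below imitates the security checks described earlier (public bucket write permissions, unrestricted security group ingress, unencrypted storage) together with the alerting on critical configuration changes discussed here: it evaluates two constructed, hypothetical AWS-style resource snapshots and reports only the findings that appeared since the baseline. The resource records, field names, and finding labels are assumptions for illustration, not real API output.

```python
from typing import Dict, List, Set, Tuple
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:*"}
ANYONE = ("*", {"AWS": "*"})  # AWS-style wildcard principals (hypothetical records)

def check_bucket(bucket: Dict) -> List[str]:
    """Flag public write grants and missing default encryption on one bucket."""
    findings = []
    for stmt in bucket.get("policy", {}).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if (stmt.get("Effect") == "Allow" and stmt.get("Principal") in ANYONE
                and actions & WRITE_ACTIONS):
            findings.append("public-write")
            break
    if not bucket.get("default_encryption"):
        findings.append("unencrypted")
    return findings

def check_security_group(sg: Dict) -> List[str]:
    """Flag ingress rules reachable from the whole internet."""
    return [f"open-ingress:{r['port']}" for r in sg.get("ingress", [])
            if r.get("cidr") in ("0.0.0.0/0", "::/0")]

def evaluate(snapshot: Dict) -> Set[Tuple[str, str]]:
    """Return every (resource_id, finding) pair for a {id: config} snapshot."""
    out = set()
    for rid, cfg in snapshot.items():
        check = check_bucket if cfg["type"] == "bucket" else check_security_group
        out.update((rid, f) for f in check(cfg))
    return out

def config_change_alerts(previous: Dict, current: Dict) -> List[str]:
    """Alert only on findings that appeared since the previous snapshot."""
    new = evaluate(current) - evaluate(previous)
    return sorted(f"ALERT {rid}: {finding}" for rid, finding in new)

# Constructed snapshots: the second shows a policy edit granting anyone write access,
# default encryption switched off, and SSH opened to the internet.
BASELINE = {
    "reports-bucket": {"type": "bucket", "default_encryption": True,
                       "policy": {"Statement": []}},
    "web-sg": {"type": "sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
}
DRIFTED = {
    "reports-bucket": {"type": "bucket", "default_encryption": False, "policy": {
        "Statement": [{"Effect": "Allow", "Principal": "*",
                       "Action": ["s3:GetObject", "s3:PutObject"]}]}},
    "web-sg": {"type": "sg", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                         {"port": 22, "cidr": "0.0.0.0/0"}]},
}
```

Running `config_change_alerts(BASELINE, DRIFTED)` yields three alerts; the already-open port 443 rule is present in both snapshots and so is not reported again.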
To sum up, liability for cloud security failures prompts organizations to look for new tools and implement best practices for reducing data-related risks. This, in turn, increases the importance of cooperation between organizations and their cloud providers. Such a partnership can greatly improve the security of cloud-based data, because it not only maintains clear boundaries of responsibility but also generates new tools and approaches to cloud security.
Keep reading our blog and contact us if you need help addressing data security concerns.