Discover six key steps to prevent data loss within the cloud.
There are good reasons most large enterprises worldwide are quickly adopting the cloud for everything from sales contracts and product specs to videos and overall business operations. The cloud offers flexible, scalable, and cost-effective computing that cuts down IT costs, consolidates data centers, accelerates growth and enables digital transformation. Migration to the cloud has accelerated in the post-pandemic hybrid work world and more recently as companies battle inflation and rising real estate costs.
“Why would you rent a huge building and pay to house all this equipment for scalability and backup purposes?” asks Vito Nozza, principal consultant for C1’s cyber security practice. “You could send it all to the cloud and save money, on so many levels.”
However, one big mistake IT leaders make when they move to the cloud is assuming that the cloud provider is securing their data, and so believing they can relinquish responsibility and accountability for it. “That couldn't be further from the truth,” says Nozza. Under the shared responsibility model the provider secures the underlying infrastructure; securing the data, identities and configuration placed on top of it remains the customer's job.
1. Ensure proper cloud security.
Security and privacy are not limited to the data located on-premises. They apply to all your data in the cloud, too.
IT leaders must keep cloud data confidential and protect its integrity, ensuring that no one can change it without authorization and that any unauthorized change is detected. A good compliance program helps keep your data from being altered or compromised. Data should be properly stored, monitored, and encrypted, and your cloud service provider should let you control the encryption keys (customer-managed keys) rather than holding the keys to the kingdom itself, says Nozza.
Cloud providers can house your data and ensure that it remains available to you, but they should not have access to it. Ensure that data is transferred to the cloud over an encrypted channel, and once it is in the cloud, lock down who can access it. This is especially important for the confidentiality of healthcare records, retail payment card data and financial services data.
The CIA triad (confidentiality, integrity, and availability) is a useful model for what IT security has to deliver. “If any of those three elements are missing in your cloud storage, then you failed your data strategy,” says Nozza.
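Applied to an S3-style object store, the two controls above (keys the customer controls, and transfer only over TLS) can be enforced in the bucket policy itself. The block below is an added example, not code from the article or from C1: the bucket name, account number and KMS key ARN are placeholders, and the small evaluator covers only the three IAM condition operators the policy uses, so it illustrates how the Deny statements combine rather than acting as a full policy simulator.

```python
"""Added example (not from the article): an S3 bucket policy that denies
non-TLS requests and any upload not encrypted with one customer-managed KMS
key, plus a toy evaluator showing which sample requests the Deny rules hit.
Bucket, account, key ARN and request contexts are constructed placeholders;
only the three IAM condition operators the policy uses are modelled."""
import fnmatch
import json

BUCKET = "example-contracts-bucket"  # assumed
CMK_ARN = ("arn:aws:kms:eu-west-1:111122223333:key/"
           "11111111-2222-3333-4444-555555555555")  # assumed customer-managed key
SSE = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _deny(sid, action, resource, condition):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": action, "Resource": resource, "Condition": condition}


def build_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Explicit Deny beats any Allow, so a broader grant elsewhere cannot undo these."""
    arn = f"arn:aws:s3:::{bucket}"
    objects = f"{arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            _deny("DenyInsecureTransport", "s3:*", [arn, objects],
                  {"Bool": {"aws:SecureTransport": "false"}}),
            _deny("DenyMissingEncryptionHeader", "s3:PutObject", objects,
                  {"Null": {SSE: "true"}}),
            _deny("DenyNonKmsEncryption", "s3:PutObject", objects,
                  {"StringNotEquals": {SSE: "aws:kms"}}),
            _deny("DenyMissingKeyId", "s3:PutObject", objects,
                  {"Null": {SSE_KEY: "true"}}),  # no key id means the provider's default key
            _deny("DenyWrongKey", "s3:PutObject", objects,
                  {"StringNotEquals": {SSE_KEY: kms_key_arn}}),
        ],
    }


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Every key in a Condition block must match (IAM ANDs them)."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if operator == "Bool":
                ok = have is not None and str(have).lower() == str(want).lower()
            elif operator == "Null":
                ok = (have is None) == (str(want).lower() == "true")
            elif operator == "StringNotEquals":
                # Absence is handled by the explicit Null statements, so this toy
                # evaluator does not treat a missing key as "not equal".
                ok = have is not None and have != want
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def explicit_denials(policy: dict, action: str, ctx: dict) -> list:
    """Sids of Deny statements that match this request; empty means no Deny fired."""
    hits = []
    for stmt in policy["Statement"]:
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Deny" \
                and any(fnmatch.fnmatchcase(action, p) for p in patterns) \
                and _condition_matches(stmt.get("Condition", {}), ctx):
            hits.append(stmt["Sid"])
    return hits


# Constructed request contexts: (action, condition keys present on the request).
TLS, PLAIN = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
SAMPLE_REQUESTS = {
    "compliant_upload": ("s3:PutObject", {**TLS, SSE: "aws:kms", SSE_KEY: CMK_ARN}),
    "plaintext_http_upload": ("s3:PutObject", {**PLAIN, SSE: "aws:kms", SSE_KEY: CMK_ARN}),
    "no_encryption_header": ("s3:PutObject", {**TLS}),
    "sse_s3_not_kms": ("s3:PutObject", {**TLS, SSE: "AES256"}),
    "provider_default_kms_key": ("s3:PutObject", {**TLS, SSE: "aws:kms"}),
    "wrong_kms_key": ("s3:PutObject", {**TLS, SSE: "aws:kms", SSE_KEY: CMK_ARN + "-other"}),
    "read_over_http": ("s3:GetObject", {**PLAIN}),
}


def evaluate_samples() -> dict:
    policy = build_bucket_policy(BUCKET, CMK_ARN)
    return {name: explicit_denials(policy, action, ctx)
            for name, (action, ctx) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET, CMK_ARN), indent=2))
    for name, sids in evaluate_samples().items():
        print(f"{name:26s} -> {', '.join(sids) or 'no Deny matched'}")
```

Because these are Deny statements, a later, broader Allow cannot override them, and the explicit Null checks make the missing-header case part of the policy instead of depending on how a negated operator treats an absent key. The policy still needs Allow statements (usually on the callers' IAM roles) before anything is permitted at all, and the KMS key policy must in turn grant those roles kms:GenerateDataKey for uploads and kms:Decrypt for reads; keeping that key policy in your own account is what makes the key customer-managed in practice.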
2. Assess your risk.
When migrating to the cloud, leaders would be wise to evaluate their security posture, advises Nozza. This means understanding what information you are housing in the cloud and your tolerance for losing that information. Knowing your company’s ecosystem and the data and information that make it operationally viable is key to protecting the right assets.
For instance, C1 uses a risk management program to understand critical assets and the impact of losing them. It determines how much data the business can afford to lose, which in turn sets how often that data must be backed up (the recovery point objective, or RPO). Executive leadership and board members approve that security posture. Smart leaders will ensure their cloud partner has the same security posture as they do, if not better.
Remember, the cloud is an extension of your network, so it’s important to prioritize your data and risks. Understanding what your critical assets are and how to properly protect them is key. Very few companies have a good data classification model, one that labels each asset by sensitivity and criticality so that protection goes to the assets that keep the business operating, says Nozza.
Knowing which assets are critical to your company and which are at a lower priority can help ensure security funds are allocated properly. Too many times, I have seen costly controls being used for data that is essentially public knowledge.
3. Know your rights with your cloud data.
Ensure that your contract with the cloud provider gives you the right to audit. Most often the provider will not let you audit its infrastructure directly but will let you review its own audit reports: independent attestations such as a SOC 2 Type II report (issued under the SSAE 18 attestation standard), plus evidence of compliance with industry-specific requirements such as HIPAA (healthcare) or PCI DSS (payment card data). Some providers will allow you to audit your slice of the cloud, but never the entire infrastructure. You can empower your organization by creating a data compliance program, in which you classify each dataset as high, medium, or low criticality. Such a program is also valuable after a compromise, because it helps determine who had access to the affected data.
4. Create protocols to maintain data integrity.
Every organization is charged with keeping data away from prying eyes. That goes for keeping identity and access management (IAM) in the cloud up to date, too. Perhaps an employee had access to certain data, but that employee recently changed positions. Did we ensure that the permissions on their profile were changed? A proper IAM program ensures that authenticated users can reach only the data they are authorized for. A file integrity monitoring (FIM) system is key to data integrity: even when an employee legitimately has access to the data, what actions are they performing? Are they altering the data? Copying it? Downloading it? Was there a business requirement for those actions? All of these integrity measures, which should already be present in on-premises data practices, must continue with more scrutiny once data has been relinquished to the cloud.
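The FIM idea in this step can be seen in a small script. The block below is an added example, not code from the article or from C1: it hashes every regular file under a directory, seals the baseline with an HMAC so that someone who alters a file cannot quietly update the baseline as well, and reports what changed on the next scan. The directory contents, file names and the HMAC key are constructed for the demonstration.

```python
"""Added example (not from the article): a minimal file integrity monitor.
It records a SHA-256 baseline of a directory tree, seals the baseline with
HMAC-SHA256 so an intruder who alters a file cannot silently alter the
baseline too, and reports added, removed, modified and permission-changed
files. Paths, contents and the key below are constructed placeholders."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash and permission bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "mode": oct(path.stat().st_mode & 0o777),
            }
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> str:
    """Serialize the baseline with an HMAC tag. Keep the key off the monitored host."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def load_sealed(blob: str, key: bytes) -> dict:
    """Refuse a baseline whose tag does not verify; never diff against it."""
    wrapper = json.loads(blob)
    expected = hmac.new(key, wrapper["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["hmac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(wrapper["baseline"])


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between two snapshots."""
    old, new = set(baseline), set(current)
    common = old & new
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in common if baseline[k]["sha256"] != current[k]["sha256"]),
        "mode_changed": sorted(k for k in common if baseline[k]["mode"] != current[k]["mode"]),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tree, tamper with it, then diff."""
    key = b"example-fim-key"  # assumed; a real key lives outside the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "contracts").mkdir()
        (root / "contracts" / "acme.pdf").write_bytes(b"original contract text")
        (root / "specs.txt").write_text("product spec v1")
        (root / "readme.txt").write_text("hello")
        (root / "readme.txt").chmod(0o644)
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated tampering between the baseline and the next scan.
        (root / "contracts" / "acme.pdf").write_bytes(b"ALTERED contract text")
        (root / "specs.txt").unlink()
        (root / "notes.txt").write_text("dropped by someone")
        (root / "readme.txt").chmod(0o600)
        report = compare(load_sealed(sealed, key), build_baseline(root))

        # An intruder rewrites the baseline to match the tampered tree but
        # cannot recompute the tag without the key, so the forgery is refused.
        wrapper = json.loads(sealed)
        wrapper["baseline"] = json.dumps(build_baseline(root), sort_keys=True,
                                         separators=(",", ":"))
        try:
            load_sealed(json.dumps(wrapper), key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    return {"report": report, "forged_baseline_accepted": forged_accepted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the sealed baseline and the key are stored off the monitored host, scans run on a schedule or on file-system change events, and the modified list feeds the question the text raises: was there an approved change behind each altered file, and which identity made it?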
5. Understand relevant privacy regulations.
Privacy regulations have been popping up around the world, and they’re all slightly different. You’ll need to ensure your cloud data adheres to those rules.
Your cloud providers may have data storage sites all over the world, and they may move your data to sites that are secure but located in a jurisdiction where storing it violates privacy or data-residency laws. In Europe, for instance, the General Data Protection Regulation (GDPR) restricts how EU residents’ personal data is processed and where it may be transferred. The California Consumer Privacy Act (CCPA) has similar features, giving consumers the right to know what personal data is collected about them and how it is being used. All this can be tricky if information is scattered across various repositories in ways that violate regulatory requirements. “You need to ensure that your cloud service provider is providing you the information of where your data is being stored, in which locale, region or country. This is important to note, especially when preparing for an audit from a regulatory body,” Nozza says.
6. Create a disaster recovery program.
When it comes to disaster recovery, it’s important to be on the same page as your cloud service provider. A disaster recovery plan includes a recovery time objective (RTO), the maximum time your systems may be down after a breach or outage before they must be back up and running. This becomes a problem if your cloud provider’s contractual restore time is longer than your organization’s RTO.
“This is something you really need to work with your cloud provider on,” says Nozza. “There should be a key word in their service level agreement (SLA) that includes data backup expectations and also ensures you can get access to your data when you need it.”
Your SLA should allow you to back up important data on a predetermined schedule and ensure that when it's needed, it's there and you can retrieve it. Many cloud service providers won't charge much to store your data, but they charge more when you want it back, for example through data egress fees or retrieval charges on archival storage tiers. “Make sure all the t's are crossed and i's are dotted in your contracts,” says Nozza.
In the end, migrating to the cloud can save your organization both money and time. But those benefits disappear if your data isn’t secure, private, and available when you want it to ensure operational continuance of your business.