Ah, the cloud. Your company probably uses it, but do you really know what it is? And do you know how to secure it? If you’re struggling with either (or both) of these questions, then this is the blog for you.
What is the cloud?
The cloud refers to servers, services, software and applications that are accessed through an internet connection. There are two primary types of cloud: private and public. Private clouds are used solely by one customer while public clouds are shared by numerous users and organisations.
Because the cloud is inherently bound to the internet, cloud security is a huge issue for organisations and cloud providers alike. Cloud security, then, is all about using solutions, processes and security controls to protect cloud environments from data loss, data theft, unauthorized access and malware attacks.
As a cloud customer, you have a responsibility to ensure cloud data security within the SaaS applications you use: Slack, Teams and Google Workspace, for example.
Broadly speaking, a solid cloud security strategy will consider:
- Maintaining the security and compliance of data within all cloud applications
- Enforcing the principle of least privilege so that only relevant, authorized users access data and applications
- Enhancing visibility across cloud environments to prevent shadow IT and data leakage
Isn’t the cloud provider responsible for securing the cloud?
It’s super important not to fall into the trap of thinking that your cloud provider takes care of all security requirements for you. Yes, they are responsible for securing the underlying infrastructure, but access controls, data loss prevention and insider threats are all yours to look after. In this way, the cloud works on a shared responsibility model.
Moreover, your network security controls, like firewalls, email DLP and intrusion detection systems, were built for the network perimeter and don’t protect data held inside cloud applications. Because of this, you will need to re-think your approach to data security when considering how to secure your cloud environment.
Should my business use the cloud?
Given the work needed to secure the cloud, you might be tempted to shy away from adopting new SaaS tools. However, this isn’t a good idea for employee productivity and efficiency.
The cloud is the future of business and, already, 90% of organizations use at least one cloud application. When you make use of the cloud, you can uncover a range of benefits including:
- Reduced costs: Because of its pay-as-you-go and as-a-service model, the cloud is generally cheaper than managing on-premises infrastructure.
- Enhanced mobility: Your employees can access cloud applications anywhere and anytime as long as they have an internet connection and the correct login details. This is great for boosting employee productivity and flexibility.
- Better communication: Tools like Slack and Teams are the backbone of employee productivity. With more people working from home, these apps are vital to collaboration.
- Scalability: The cloud is almost limitless. You can scale your resources up and down in line with changing business requirements, which is great for when you go through quieter periods or periods of growth.
- Business continuity: If there were a natural disaster that impacted your on-premises server, your whole business could go down for an indefinite amount of time. This won’t happen when your workloads are in the cloud, as your data is stored across numerous locations.
What are the security risks of the cloud?
While the cloud is definitely worth exploring, you also need to be aware of the data security and compliance risks that come from improper management. Note that all of these risks can be mitigated with the use of the correct tools and processes.
1. Cloud misconfiguration
Cloud providers tend to roll out applications with default configurations to maximize usability. They want to make it easy for their customers to get started. These default settings are all about efficiency, not security.
Accepting default settings, which most companies do, often leaves gaping security gaps that, in the long term, cause data security issues.
As we’ve noted, under the shared responsibility model, it’s up to your company to make sure that you’ve implemented secure access controls and data protection settings. If you don’t, you’ve essentially enabled a cloud misconfiguration.
Unfortunately, implementing secure configurations is pretty tricky. Each cloud application has its own workflow, interface and policies. For even the most experienced security architect, keeping on top of configurations can be overwhelming.
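To make the "defaults favour usability" point concrete, here is an added example (not Polymer's code or any vendor's real settings schema) that audits a SaaS tenant's settings against a hardened baseline. The setting names, the "as shipped" tenant, the hardened tenant and the severities are all constructed; you would map them onto the real options in your application's admin console.

```python
"""Check a SaaS tenant's settings against a hardened baseline.

Added example, not Polymer's code. The setting names, the "as shipped"
tenant and the baseline are constructed to resemble typical SaaS admin
console options; map them onto your application's real settings.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    current: object
    expected: str
    severity: str


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed: what the application enables out of the box to make
# onboarding frictionless. Usability first, security second.
DEFAULT_TENANT = {
    "link_sharing": "anyone_with_link",
    "external_sharing": True,
    "guest_access": True,
    "mfa_required": False,
    "session_timeout_hours": 720,        # sessions live for 30 days
    "default_new_user_role": "admin",
    "audit_log_retention_days": 7,
}

# Constructed: the same tenant after hardening.
HARDENED_TENANT = {
    "link_sharing": "domain_only",
    "external_sharing": False,
    "guest_access": False,
    "mfa_required": True,
    "session_timeout_hours": 12,
    "default_new_user_role": "member",   # least privilege for new joiners
    "audit_log_retention_days": 365,
}

# Baseline: setting -> (is_acceptable, human-readable expectation, severity)
BASELINE = {
    "link_sharing": (lambda v: v in {"restricted", "domain_only"}, "restricted or domain_only", "high"),
    "external_sharing": (lambda v: v is False, "disabled", "high"),
    "guest_access": (lambda v: v is False, "disabled", "medium"),
    "mfa_required": (lambda v: v is True, "enabled", "high"),
    "session_timeout_hours": (lambda v: isinstance(v, int) and v <= 24, "24 hours or less", "medium"),
    "default_new_user_role": (lambda v: v in {"member", "viewer"}, "member or viewer", "high"),
    "audit_log_retention_days": (lambda v: isinstance(v, int) and v >= 90, "90 days or more", "low"),
}


def audit(settings, baseline=BASELINE):
    """Return a Finding for every baseline control the tenant fails, most severe first.

    A control the tenant does not expose at all is reported too: unknown is not hardened.
    """
    findings = []
    for key, (acceptable, expected, severity) in baseline.items():
        if key not in settings:
            findings.append(Finding(key, None, expected, severity))
        elif not acceptable(settings[key]):
            findings.append(Finding(key, settings[key], expected, severity))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'medium': 2, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(DEFAULT_TENANT):
        print(f"[{f.severity:6}] {f.setting}: {f.current!r} -> expected {f.expected}")
    print("after hardening:", audit(HARDENED_TENANT))
```

Run against the shipped defaults, the audit reports seven findings (four high); against the hardened tenant it reports none. Treating a missing setting as a finding is deliberate: if an application cannot tell you what a control is set to, you should not assume it is set safely.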
2. Privilege misuse
One of the best things about the cloud is its flexibility. Employees can access cloud services anytime, anywhere, from any device. However, this ease of use also has its drawbacks. With so many employees accessing data from all over the place, it’s hard for system administrators to keep track.
Who’s to say that your employee really is who they say they are? What if a hacker steals their details and downloads a wealth of sensitive information, or launches a malware attack? Unless you have the solutions in place to verify your users, you won’t be any the wiser until it’s too late.
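The question "is this really your employee?" is usually answered by looking for behaviour the legitimate user would not show. Below is an added example (not Polymer's code) of two simple detections run over SaaS audit-log events: activity from a country the user has never been seen in, and a burst of downloads inside a short sliding window. The pipe-separated event format, the known-location baseline, the thresholds and every sample event are constructed; real SaaS audit logs each have their own schema.

```python
"""Spot credential misuse in SaaS audit logs: new locations and bulk downloads.

Added example, not Polymer's code. The pipe-separated event format, the
known-location baseline, the thresholds and every sample event are
constructed; real SaaS audit logs each have their own schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: countries each user has previously signed in from.
# In practice you would derive this from historical audit logs.
KNOWN_LOCATIONS = {
    "alice@example.com": {"GB"},
    "bob@example.com": {"US"},
}

BULK_THRESHOLD = 20                  # downloads ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window trip an alert


def parse_event(line):
    """Parse one constructed log line: ISO-timestamp|user|action|country|object."""
    ts, user, action, country, obj = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action,
            "country": country, "object": obj}


def detect(lines, known=KNOWN_LOCATIONS, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return alerts as (kind, user, detail) tuples, in time order."""
    seen = {user: set(countries) for user, countries in known.items()}  # don't mutate the baseline
    recent = defaultdict(deque)   # user -> timestamps of downloads inside the window
    bulk_alerted = set()
    alerts = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        # 1. Activity from a country this user has never been seen in. A user
        #    with no baseline at all is flagged on first sight (fail closed).
        if ev["country"] not in seen.setdefault(user, set()):
            alerts.append(("new_location", user, ev["country"]))
            seen[user].add(ev["country"])          # alert once per new country
        # 2. Many downloads inside a short sliding window.
        if ev["action"] == "download":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and user not in bulk_alerted:
                alerts.append(("bulk_download", user, len(q)))
                bulk_alerted.add(user)
    return alerts


# Constructed sample events.
_T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # alice: a normal morning from her usual country
    [f"{(_T0 + timedelta(minutes=i)).isoformat()}|alice@example.com|download|GB|q1-plan-{i}.docx"
     for i in range(3)]
    # bob: 25 downloads in about four minutes from a country he has never used
    + [f"{(_T0 + timedelta(seconds=10 * i)).isoformat()}|bob@example.com|download|RO|customers-{i}.csv"
       for i in range(25)]
    # bob later, from his usual country: nothing to flag
    + [f"{(_T0 + timedelta(minutes=30)).isoformat()}|bob@example.com|view|US|readme.txt"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this yields two alerts for bob (a new location, then a bulk download once the twentieth file leaves within ten minutes) and none for alice. Per-user baselines and sliding windows are the simplest form of the user verification the paragraph above calls for; production tooling layers device posture, session risk and MFA signals on top.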
3. The insider threat
SaaS applications make it easy for employees to share documents and data seamlessly. However, this means that it’s easier than ever for employees to share the wrong document with the wrong person, either accidentally or on purpose.
Put simply, these apps can often be ‘black boxes’. The IT team has no idea what data is being shared and with whom, making it impossible to conduct compliance audits and ensure that data security requirements are being met.
Cloud security best practices
Now that you know the risks to data security in the cloud, it’s time to put in place a proactive strategy to address these vulnerabilities. Here’s what you need to do:
- Implement SaaS DLP
SaaS DLP works by discovering and protecting sensitive data to ensure it is only accessed and edited by authorized users. Using APIs, cloud DLP solutions like ours effortlessly integrate into the cloud and begin scanning for sensitive data.
Our solution can discover both structured and unstructured data across your cloud applications – meaning it can find sensitive information in documents, chats, databases and more.
Once identified, it uses automation and a self-learning engine to take the most sensible, secure steps to safeguard your data as users access it, based on the principles of zero-trust. Actions include redaction, quarantine, blocking and alerting, depending on the threat in question.
As an example, say one of your people attempts to share sensitive data links from the cloud with their personal account. Our solution would automatically redact sensitive data from the document or terminate the share to prevent a data breach while creating an automatic record of the incident for compliance and auditing purposes.
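The discover-decide-act-record loop described in this section, as an added example (not Polymer's code, and far simpler than a real DLP engine): pattern detectors find card numbers (checked with Luhn so order numbers are not flagged), US SSNs and API-key assignments; a constructed policy terminates shares that leave the company and redacts internal ones; and every intervention produces an audit record. The detectors, the share-event shape, the allowed domain and the sample shares are all constructed.

```python
"""SaaS DLP decision engine: discover sensitive data in a share, decide, act, record.

Added example, not Polymer's code. The detectors, the share-event shape,
the policy (block external, redact internal) and the sample shares are all
constructed for illustration; a real engine uses far richer classifiers.
"""
import re
from dataclasses import dataclass, field

ALLOWED_DOMAINS = {"example.com"}        # constructed corporate domains

# Pattern detectors. A run of 13-16 digits with optional spaces/dashes is only
# treated as a card if it also passes Luhn; that keeps order numbers out of alerts.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
APIKEY_RE = re.compile(r"\b(?:api[_-]?key|secret|token)\s*[:=]\s*\S{16,}", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text):
    """Return (kind, (start, end)) for each sensitive span, in text order."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append(("card", m.span()))
    findings += [("ssn", m.span()) for m in SSN_RE.finditer(text)]
    findings += [("api_key", m.span()) for m in APIKEY_RE.finditer(text)]
    return sorted(findings, key=lambda f: f[1])


def redact(text, findings):
    """Replace each sensitive span, working from the end so offsets stay valid."""
    for kind, (start, end) in sorted(findings, key=lambda f: f[1], reverse=True):
        text = text[:start] + f"[REDACTED:{kind}]" + text[end:]
    return text


@dataclass
class Decision:
    action: str                                  # "allow", "redact" or "block"
    redacted_text: str
    record: dict = field(default_factory=dict)   # audit record for compliance


def evaluate(share, allowed_domains=ALLOWED_DOMAINS):
    """Apply the constructed policy to one share event."""
    findings = classify(share["text"])
    if not findings:
        return Decision("allow", share["text"])
    recipient_domain = share["recipient"].rsplit("@", 1)[-1].lower()
    leaves_company = (share["visibility"] == "anyone_with_link"
                      or recipient_domain not in allowed_domains)
    # External or public exposure of sensitive data: terminate the share.
    # Internal share: let it through with the sensitive values redacted.
    action = "block" if leaves_company else "redact"
    record = {
        "user": share["user"],
        "recipient": share["recipient"],
        "visibility": share["visibility"],
        "action": action,
        "types": sorted({kind for kind, _ in findings}),
        "count": len(findings),
    }
    return Decision(action, redact(share["text"], findings), record)


# Constructed share events, shaped like what a file-sharing or chat API might report.
SAMPLE_SHARES = [
    {"user": "bob@example.com", "recipient": "bob.personal@gmail.com", "visibility": "specific_people",
     "text": "Card on file 4111 1111 1111 1111, SSN 123-45-6789"},
    {"user": "alice@example.com", "recipient": "carol@example.com", "visibility": "specific_people",
     "text": "Prod credentials: api_key = sk_live_abcdefghijklmnop1234"},
    {"user": "alice@example.com", "recipient": "carol@example.com", "visibility": "specific_people",
     "text": "Order 4111 1111 1111 1112 shipped yesterday"},   # fails Luhn: not a card
]

if __name__ == "__main__":
    for share in SAMPLE_SHARES:
        d = evaluate(share)
        print(d.action, "|", d.redacted_text, "|", d.record)
```

The first share (a card number and an SSN headed for a personal mailbox) is blocked and logged with both data types; the second (a live API key shared with a colleague) goes through redacted; the third is allowed because the digit run fails Luhn. The audit record is built before any action is taken, so even a blocked share leaves the trail compliance teams need.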
- Use multi-factor authentication
MFA is an easy way to reduce the likelihood of credential compromise, so definitely enable it for your SaaS applications! Where possible, we advise you to implement single sign-on, which bolsters security without hampering the employee experience.
- Train your users the right way
Too many companies teach compliance through annual away days that rarely have the desired impact. Not only are these sessions often dull, but it’s impossible for your employees to retain lots of hefty information after just one lesson.
By contrast, day-to-day nudges are an excellent way to steer people towards better decisions. As your employees work day to day, compliance isn’t always going to be front of mind for them unless you put it front and center. This is where automated feedback loops become essential.
At Polymer, we use in-app nudges that show employees how their actions could result in data security or compliance violations. We make use of end-of-day reports and alerts within popular apps like Slack and Teams, which show employees the risks they have created and why their behavior was unsafe.
By making users feel directly accountable for compliance and security, we help companies to build a culture of trust and privacy. After all, data security cannot just fall on a few individuals in one team. It’s up to every member of the organization to be conscious of following regulations.
Polymer SaaS DLP is changing how security and compliance products are onboarded and used with our next-generation Data Governance and Data Loss Protection for 3rd Party SaaS Applications (Slack, Google Drive, GitHub, Zendesk, Teams). Find out more about our solution now.