Cloud Hosting

Increasingly, companies are moving their data and processing to cloud services. Its easy for this out-of-sight data to be out of mind when it comes to security, but if anything, it should be top of mind because it's even more exposed than is on-premises data. With regulators issuing record finesfor privacy violations, developers need to make sure they secure their data in the cloud.

Fines for privacy violations will only increase in 2020. In 2019, after one year of General Data Protection Regulation (GDPR) enforcement in the European Union, there were over 59,000 personal data breach notifications across Europe, along with 91 reported fines. Frances National Data Protection Commission fined Google $57 million for improper processing of personal data for advertising purposes. With more violations occurring with respect to data stored in the cloud, data owners, developers, and CISOs need to focus on cloud data security.

In July, the Information Commissioners Office of the United Kingdom announced that a large European airlinewould be fined 1.5%of its 2017 revenue, or $230 million, for allowing attackers to modify its website, scraping personal and financial details using a malicious JavaScript component.

While we can never know how much reach the attackers had on the airlines servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets, stated a RiskQ analysis of the issue.

Such data breach fines are only increasing. The EUs GDPR allows fines of up to 4% of revenue perviolation.California Consumer Privacy Act (CCPA) fines companies that fail to protect their users data can be fined up to $2,500 per violationand $7,500 per willful violationper individual whose data wasbreached. And fines under the Payment Card Industry Data Security Standard (PCI DSS) will likely rise as well.

Traditionally, having data stored locally meant attackers had to compromise the corporate network before gaining access. While the past reminds us that this has occurred all too often, at least that network was under local control and monitoring. Services on demand allow attackers to access sensitive data if they can bypass cloud access securitywhich is typically under the control of the cloud provider, and opaque to the enterprise.

The upside of the cloud is flexibility. The downside is that data security must be part of the equation from the start. Here are three recommendations for security and development teams.

[ GDPR, CCPA and privacy. TechBeacon'snew guide rounds up what your team needs to know. Plus: Get the Best Practices for GDPR and CCPA Compliance white paper. ]

Using cloud services does not mean that the cloud provider will take responsibility for your data; you share responsibility with the provider. Under thisshared responsibility model, cloud providersensure that the hardware and software services they offer are secure, and you're responsible for the security of your data assets.

Fulfilling your responsibilities can be more difficult with cloud services. While cloud providers offerbetter security, they also provide clients with less insight into the security of their systems, so you often lose visibility when you hand over infrastructure operations.

Security and DevOps teams need to know exactly what their responsibilities are when developing and hosting applications built on top of cloud infrastructure.

Not only developers, but also data owners and security functions need to understand the types of data they are collecting and the requirements for its storage.

One example of this is collecting data from users in nations that require the data to be stored in the same locale. All Russian users data must stay in that country; health data on Australian citizens must be stored in data centers in Australia; China, Germany, Turkey, Belgium, Brazil, and South Korea have also enacted must stay regulations for data. Such regulations do not preclude companies from using cloud infrastructure, but IT leaders and developers must understand these requirements and be careful where they spin up their cloud servers.

Another example is creation of the secrets used to protect the datafrom API keys to encryption keys to passwords for cloud resources. These keys should be managed in-house or on different cloud services, and not by the same cloud provider used to host the infrastructure and data.

[ Make sure that only the right people have access to the right things at the right times with TechBeacon's guide to identity governance. Plus: Download the report on IGA leaders. ]

The cloud provider has some level of access to your data. This presents different security problems than you'd see with local infrastructure. With on-premises servers and software, your main worries are availability and insider threats. With cloud infrastructure providers, the provider or by a third party might access the datawith little opportunity for you to detect it.

Applying per-field format-preserving data protection can dramatically limit the impact of insider threats, whether from employees or rogue cloud administrators. Format-preserving encryption and tokenization protect the information while, in many cases, still allowing normal functionalitysuch as searchesto occur without ever requiring clear text.

As enterprises move to the cloud, security risks to sensitive and regulated data increase. However, cloud security issues are often not well understood by developers. By understanding their responsibilities, knowing what data is being collected, and applying security to the datanot just the systemyou'llbe assured that your data in the cloud isas safe as on premises, and that it will flow safely throughout your hybrid IT environments.

[ Explore TechBeacon's guideto SecOpschallenges and opportunities. Plus: Downloadthe 2019 State of Security Operations report. ]

View post:
Data security and the cloud: 3 things your team needs to know - TechBeacon