What steps do organizations need to take when securing data in the Cloud?
The Cloud is digital storage that is physically secured and stored on big servers owned by big companies and made accessible through the internet. These big companies are connected with other computer networking equipment throughout the world. Does this sound too big to secure? Experts say there’s no time like today to understand where your data is stored and how it’s secured.
Today on the “The Lee Show”, Forensic Expert, Lee, and his guest John Blair who is cyber governance and information technology expert, explores the complexities of cloud-based security and storage. John suggests starting with obtaining a holistic inventory of your organization’s data and most of all be aware that some employees bring their own applications and use their own personal device to store organizational data. Check out this video on securing data in the cloud to learn more about cloud storage and cyber risk.
Part 1 of our 2-Part Series on the Securing Data in the Cloud
The Video Transcripts on Securing Data in the Cloud follows
Lee Neubecker: Hi, I’m here today with John Blair. John is a cyber governance and information technology expert. He’s on the show here today with me to talk a little bit about securing your data in the cloud. Thanks for being on the show again, John.
John Blair: Hi Lee, good to be back, thank you.
LN: So we’re talking about cloud cyber risk. What do organizations need to be looking at to help secure their data in the cloud?
JB: I think first and foremost, you need to understand where is all the data and how do people get data in and out of their environment? There’s a lot of things typically called Shadow IT, where certain departments or certain users might you know, for example, start sending things to Dropbox to sync data amongst themselves to make it easier for themselves. But they might be syncing confidential information that’s not on Dropbox and the organization has no idea about it. You know, that scenario plays itself out over and over and over again, where there might be departments that actually use applications in the cloud that thus obviously, are processing data as well that the organization might not know about either. So you need to get an inventory of data. Where is it from a holistic point of view?
LN: And today you have the Bring Your Own Cloud, BYOC,
LN: Many employees are bringing various apps with them that they’re used to using from their prior employers, and they’re wanting to use these apps. Sometimes they’re putting them on their smartphones and whatnot.
JB: And that’s driving a lot of the corporate action towards that. The cloud for first and foremost is a cost-savings for the most part. But what people are not realizing is that along with those savings comes certain responsibilities. And, from a user perspective, you know, people are used to as you said, people are used to certain applications, they’re used to certain things on their phone, or on a tablet or they’re used to working in a certain way with certain applications. And then you get in a corporate environment and those applications or that way of working might not be available. And so people start voicing that, and it becomes, you know, somewhat of a problem for corporate to adapt and keep up.
LN: So organizations, especially healthcare-related organizations, as well as financial services and other organizations that depend on intellectual property have a real risk here, don’t they with people bringing apps?
JB: They have a very big risk. Both of those sectors are heavily regulated. Data needs to be very tightly controlled. Breach notifications in the event that it happens become a very big deal, very public. And if you can’t explain where the date is, and where you know, who has it, then you have a problem.
LN: So isn’t there also risk not only faster dissemination of intellectual property and trade secrets, but what if the information becomes compromised by malware or a hacker to morph the data or destroy the data?
JB: Yeah, your only recourse at that point is to have really, really good backups. Because otherwise, you have no actionable direction to take. If you don’t have a backup of that data, you know, you have no ability to recover. It still might be considered a breach, a lot of times, and certain organizations or certain regulations. So you still might have to report it, even though the data has never left your organization, the fact you’ve lost control of it might be considered a breach. So that might be something you’d have to consider with your legal teams. But it’s not, it’s still a very big deal because you no longer are able to use it.
LN: So don’t you have a risk though, that if your backup is online, that the attacker could compromise your primary source and then your backup drive attached to your server?
JB: Well, hopefully, they haven’t gotten that far. But if generally speaking, your backups are always in the separate physical location, and not necessarily on the network.
LN: So you rotate them?
JB: and they’re separate, you know, media and things like that, but yeah, if you’ve gotten to the point where they’ve corrupted your database, they’ve encrypted your database, and they’ve also encrypted or destroyed your backups, you’re, in a very bad way.
LN: So knowing that hard drives sometimes fail, if you’re using a physical hard drive to write the data to, what do you think most organizations should be doing to ensure they have a certain number of versions that they can restore to?
JB: Well, normally backup systems are version controlled and so you do backups based on frequency. You do daily, you do hourly, you do you know, on the spot, so there point in time, a lot of times where there’s a lot of people, organizations, that can afford it have failover data centers, for example, that are mimicking the primary data center. So there is no loss of processing. but that’s very, very expensive to do. But yeah, you should definitely have you know, off-site storage of data. But those are all historical, and things that are not necessarily online that you can immediately refer to those lesser compromised to your point. LN: So when you’re considering bringing in a cloud provider to your organization, is it an official, non-shadow ware operation? What are some of the questions you ask of your vendors and things that you look for to help secure, ensuring those cloud providers are secure?
JB: Right. First and foremost, do they have some sort of testations with respect to the services you’re going to use for that provider? Cloud providers have hundreds and hundreds of services, not all of them are audited by an independent auditor, not that that guarantees anything, but at least if it’s the services you’re going to use or the applications you’re going to use. or the locations you’re going to use with that cloud provider, then you have something to point to say, you know, we did our due diligence, and they have these SOC 2’s or whatever form it might take. But you have to do something on them to ensure that, because the cloud is half their responsibility and half of yours, and you have to make sure they’re doing their half.
LN: So what other things do you think that organization should look for if they’re using data in the cloud, how to maximize the security of that data?
JB: First and foremost, I think they need to within their own organization, block these drop boxes and the Google drives and all that sort of stuff like that, so that people individually can’t make you know, downloads for example, from the database and then upload it to Dropbox or Google Drive or whatever, and then go home and look at the same documents. You know, from a personal perspective, that’s very convenient, it’s very nice to have to be able to sync and you know, you can use one, one central source of the information, but from a corporate perspective, that isn’t your data. It’s a corporation’s data. And so, you know, the corporation needs to be responsible and know where that data is going, and how to prevent it ideally, from getting there. It’s very easy to drop, you know, to block Dropbox at a network level, you know, but the problem is that there are hundreds of those types of things to block. And so you know, you need to do a lot more care from a corporate perspective internally to make sure that your users aren’t putting data someplace where you lose control of it.
LN: And are there any, any other things that you’d recommend adopting if you’re going to use these cloud platforms to help ensure that hackers don’t get access to user accounts?
JB: That’s an interesting one because as yours been, you know, almost all those user accounts have been hacked at one point or another. And so the only thing protecting me at this point is a password. I think multi factors in you know, bio authentication type of actions are the only thing you can do to improve your chances of those accounts not being used by inappropriate people. Because the accounts themselves are basically public knowledge, you know. Your, you know, your username is public knowledge, the only thing protecting it is a password.
LN: And so, you know, the multi-factor authentication actually addresses and requires that you have to have three factors. Something you know, something you are, or something you have.
LN: So, for instance, many people know their password. They might have a thumbprint or they might have their cell phone.
LN: That is something that they have. So you know, having that second factor makes it less likely that someone can simply get the password and get in.
JB: Right, where they send like to your point the phone, they send a code to your phone, you enter the code into the application–
JB: And then you gain access. Until then you’re simply at the network border.
LN: So on our next video, we’re going to be talking a little bit more about, again about the cloud, cyber risk security and specifically we’ll talk about some of the legal and compliance issues that arise. Thanks for being on the show.
JB: Thanks, Lee. My pleasure.
Other related articles about securing data
National Institute of Standards and Technology on Securing Data in the Cloud
Academia Data Governance Information