It has not yet reached epic proportions, but the number of organizations adopting cloud-based technologies is growing dramatically. Organizations of all sizes across industries are turning towards cloud-based infrastructure and cloud computing for better scalability, accessibility and a collaborative work environment. However, after moving to the cloud, many organizations mistakenly assume that it is the role of the cloud service provider (CSP) to secure data and ensure compliance.
Even though the CSP may provide services for protecting data, organizations must understand the fact that virtual environments are not always fully secure and that they—organizations—too have a role in protecting the security and privacy of their data. Remember, the liability to notify those affected and remediate damages is on you should your company suffer a data breach!
Knowing the levels of responsibility does matter
When it comes to choosing between cloud infrastructure and cloud computing, companies must make the decision backed by a plan to implement the right security solution. The solution should effectively address issues such as securing data, managing risk related to unauthorized access and meeting compliance and regulatory requirements. Remember, the cloud is subject to the same threats as a data center. Whether cloud or on-premise, organizations have to deal with human error, malicious breaches from internal and external sources, as well as system glitches. The massive amounts of data located on shared cloud servers always entice criminals. Things get a lot more complicated when a multitude of mobile devices are used in organizations.
With the increased sophistication of threats, cloud security is becoming even more dynamic as it evolves. Organizations continue to be responsible for security, privacy and compliance even when under different cloud service models. The need for consistent policies, password rules, and specialized data encryption methods has never been greater. Both the organization and the CSP have roles that vary in scope, but then both also have different levels of responsibility that encompass the entire gamut of operations—from data classification, endpoint protection, identity and access management, application and network level controls, to host and physical security.
There are clear boundaries defined and responsibilities identified for organizations and CSPs. For instance, in both on-premise and cloud models, the organization is responsible for ensuring that the data is classified and encrypted in compliance with the regulatory obligations. In the case of endpoint devices, CSPs may facilitate the management of these devices by providing secure device management, mobile application management, and PC management capabilities; however, the responsibility of implementing the security solution again lies with the customer organization.
Who is responsible for a breach?
There is no question about who is responsible when a breach occurs. For businesses, the vital consideration in securing the infrastructure and data relates to where the CSP’s responsibility ends and the organization begins so that a breach does not occur in the first place. This means that while the provider is responsible for protecting the hardware, software, physical facilities and other aspects involved with running the cloud services provided, businesses maintain control over a number of key security measures.
Some key security measures for businesses include:
- Network configuration and security (such as firewalls)
- Data Security (including encryption)
- The use of third-party security tools such as encryption key management software
- Determining the type of content and data to store in the cloud
- Access control and management
Making life simple with encryption
There is abundant evidence to show the difference that encryption makes in containing the volume of loss and associated costs when a breach occurs. In fact, according to a study, extensive use of encryption is the second most impactful factor that can limit the costs of a data breach. Despite all pointers that emphasize its advantages, usage of encryption is limited in many businesses across industries. Although the adoption of encryption has increased over the last decade, only a mere 37 percent of businesses employ it as a cloud security strategy.
Remember, encryption is the important first step for businesses that wish to take control of the ownership of data; better encryption key management follows next.
While encryption renders data into a format that can only be read by authorized users, it does not make a powerful strategic tool if not combined with effective key management. Far too often, companies follow a laissez-faire approach to key management, which makes its utilization needlessly complex and cumbersome. Problems do get out of hand when there is no clear ownership of keys within the organization, when no skilled personnel is in charge of the keys, or when a siloed approach is followed for key management.
Having an effective encryption and key management solution is vital to the success of any security strategy. Data encryption, when executed properly, ensures the protection of sensitive information. Although there are many myths surrounding data encryption (too expensive, too difficult to manage, etc), the surprising truth is that it is indispensable. In fact, encryption provides the foundational framework to any data security protection strategy.
There are security options out there to help organizations in:
- Encrypting and managing data stored on virtual machines and Infrastructure-as-a-Service (IaaS) platforms.
- Encrypting files at the endpoint before they are synchronized to enterprise file sync and share (EFSS) services across a range of enterprise platforms.
- Managing encryption keys across the enterprise
Whether data is stored in public, private, or hybrid cloud environments, organizations need a robust solution to ensure full control of encryption and its keys. Much of the encryption related problems can be alleviated with the adoption of file encryption software such as WinMagic SecureDoc CloudSync, an application that encrypts data even before it leaves the network, and SecureDoc CloudVM, an intelligent key management system that encrypts virtual machines and removes encryption keys at the conclusion of each virtual instance.
By using a single platform, such as SecureDoc Enterprise, an organization can ensure the implementation of a unified encryption strategy across any endpoint, provide a virtualized or cloud environment with increased enterprise security, ensure encryption compliance, and reduce complexities of risk management and audits.