Avoid Data Security Risks in the Cloud

05/07/2017  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security

Just like a real cloud in the sky, the cloud that is hovering over the IT world can be a thing of beauty. It offers easy access to data from anywhere, quick setup and scalability.

But just like the real thing, the cloud can also produce a lot of rain in the form of data breaches and other unforeseen business disruptions. Most IT decision-makers are extremely anxious about data security issues stemming from use of cloud computing.

Cloud service providers that have had service disruptions, some of which may have involved data security incidents, include some of the biggest names in the business: Google, Amazon, Microsoft, Oracle and Intuit.

What Should IT Decision Makers Be Concerned About

Transparency often is low. While software as a service (SaaS) makes it easy to access business applications and relieves companies of running software on their own servers, it carries risks as well. 

  • Do you know where your SaaS provider keeps your data or what security measures it employs?

Data centers can be anywhere.

  • Would you feel secure if you knew that your sensitive data was sitting on a server in China?
  • Would local law enforcement be responsive if there were a breach?
  • Would U.S. law enforcement have any influence or be able to gain cooperation with local authorities?

Encryption often is not utilized. If properly implemented, encryption can greatly limit the damage from a data breach because the information is not usable for the intruder.

Data is stored on shared infrastructure.

  • Are there strong enough barriers between your company's information and that of another organization located on the same server?

Service hijacking. Many organizations share cloud accounts among several users in the company.

  • What happens if one of those employees leaves?
  • Can he or she still gain access?

What Can IT Decision Makers Do To Protect Their Company

  • Know where your data lives. Every organization must be able to clearly identify the flow of its data with all third parties that come in contact with it.
  • Use strong authentication for access to the cloud service. Multi-factor authentication is best, which means that a password alone is not sufficient. Another form of identification is required, such as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or the answer to a secret question.
  • Have a good understanding of the cloud service provider's control environment. Their controls must align with your own. For example, how do they vet their employees? Who potentially can have access to your information?
  • Gain assurance about the risk and security provisions taken by your provider. This can be accomplished in several ways, including obtaining Service Organization Control (SOC) reports or conducting on-site assessments based upon the risk the cloud service provider poses to your organization.
  • Encrypt data whenever possible. Encryption, when done well, will cover a lot of security sins.

Sese Bennett is a senior manager in the Information Security practice at LBMC, one of the largest professional services firms based in Tennessee. Contact him at sbennett@lbmc.com or 615-309-2420. LBMC is a FedRAMP Third Party Assessment Organization (3PAO).

Featured in The Tennessean.