3 best practices to protect sensitive data in the cloud

Follow these three essential best practices to protect customer or proprietary data in cloud apps and infrastructure.


A recent survey by BetterCloud finds that, on average, enterprises are using 80 separate third-party cloud applications to collaborate, communicate, develop, manage contracts and HR functions, authorize signatures and otherwise support business functions that process and store sensitive data. These types of apps are referred to as SaaS (software as a service).

Organizations are also spinning up applications and entire businesses on public platforms (PaaS, or platform as a service) and infrastructures (IaaS, or infrastructure as a service). In 2020, 76% of enterprises ran their applications on Amazon Web Services (AWS) and 63% ran apps on Microsoft Azure.

These public cloud services are all necessary and productive, and even hold promise of a more secure environment than traditional data centers, says Michael Johnson, advisor to and former CISO of Capital One. However, they also bring unique risks to sensitive data being processed and stored in these clouds, and most of those risks are caused by customer error in the setup and management of those services.

Johnson guided Capital One through a public incident in 2019 that exposed 80 million personal records. In it, the attacker took advantage of a poorly configured third-party cloud environment. Johnson and his team contained the breach and, thanks to a strong response plan, transparency with the board and executive team, and pre-existing relationships with law enforcement, helped get the data thief arrested quickly, before any of the data was exploited.

Having a response plan that addresses the risks of placing sensitive data in the cloud should be part of any cloud security policy. To start on data protection policies for public cloud usage, it’s important to know how data from public third-party cloud services can be exposed or stolen.

How data is vulnerable in the cloud

Data breaches or leaks in third-party cloud services occur mostly because of misconfiguration and inadequate change control, such as excessive permissions, default credentials, poorly configured AWS S3 buckets, and disabled cloud security controls, according to an annual threat report by the Cloud Security Alliance (CSA). This implies a lack of security strategy or architecture for the cloud, which is the next most common reason for data compromise, followed by insufficient identity and key management, according to the report. Insider threat is lower on the list, followed by insecure APIs, structural failures, and limited visibility into cloud activities and security controls.
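The misconfigurations the CSA report ranks first, public principals, excessive permissions and disabled security controls, can be checked mechanically against a bucket's policy document. The following is an added example, not code from the article or from any vendor it mentions: it audits constructed S3 bucket policies (bucket names, account ID and role name are placeholders) and the bucket's Public Access Block settings, and returns a list of findings.

```python
import json

# Constructed sample: an over-permissive bucket policy of the kind behind many leaks.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "OpenRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
}]})

# Constructed sample: the same bucket restricted to one IAM role, read-only, TLS only.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "RoleReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/app-reader"},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}},
}]})

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" and {"AWS": "*"} both grant access to anyone, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy_json, public_access_block=None):
    """Return a list of findings for a bucket policy; an empty list means no issue found."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if _is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{sid}: unconditional access for any principal")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action grants every S3 operation")
    # Public Access Block is the bucket/account-level control that overrides such policies;
    # leaving it off is the "disabled security control" the report describes.
    pab = public_access_block or {}
    for key in ("BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(key, False):
            findings.append(f"PublicAccessBlock: {key} is disabled")
    return findings
```

In practice the policy and Public Access Block configuration would come from the provider's API (for AWS, GetBucketPolicy and GetPublicAccessBlock) rather than from inline constants.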

“SaaS has become an important focus for us in 2021 because of remote working,” says Jim Reavis, CEO for the CSA. “We’re seeing phenomenal growth in public cloud adoption, but in the rush, organizations are forgetting to secure the edge network to cloud. For example, people are reusing their credentials across multiple cloud services, so now credential stuffing attacks are on the rise.”

By May 2020, Cisco WebEx usage had increased by 600%, Zoom by 350%, Microsoft Teams by 300%, and Slack by 200%, according to a McAfee survey. In the initial rush to support remote work, Reavis points to many failures that can lead to data leakage: IT teams did not protect storage buckets in the cloud, implement secure developer practices, or coordinate identity and access programs. Some even hard-coded app credentials into source code that criminals later find in repositories. He adds, “This is pretty basic stuff.”

Following these three best practices will significantly reduce risk from storing or processing data in the cloud.

1. Take inventory of cloud usage

The best way to combat threats to data in the cloud is to take control of cloud application usage and perform risk assessments in the planning stages of any new initiative involving public cloud services, advises Ian Poynter, a fractional CISO for large and mid-sized companies.

The consensus among CISOs is that users' cloud instances are not always authorized and rarely monitored effectively for exposed data. “This is why the CISO needs to be part of the executive team,” says Poynter. “They need the leverage to know what’s going on and also create a collaborative environment where business unit managers want to come to them, share their new project or product, then have them evaluate the cloud products they’re looking at to support them.”

In one company, he says, he went so far as to tell accounting which third-party cloud apps and platforms were approved for reimbursement. If business units or individual users bought services outside that approved set without prior approval, their reimbursement request was denied.

This was a manual but effective way of enforcing cloud application whitelists. Cloud application allow and deny lists are also strong technical controls usually deployed on corporate-controlled endpoints or through zero trust techniques, such as browser isolation to control the remote session between the user, the enterprise and the cloud app.

2. Go cloud native on security

Johnson suggests leveraging cloud-native security offerings in the mature cloud services and applications that your organization has standardized on. For example, he points to AWS Inspector to assess configuration compliance of applications in use and Amazon GuardDuty to detect malicious activity and unauthorized behavior. Do your due diligence on the reputation of the cloud provider, he says, and avoid the small shops. “The larger providers usually get better grades for data protection and visibility controls.”

Native security differs between service models. IaaS and PaaS vendors offer security and configuration tools for the applications that buyers spin up in their infrastructure or platforms. These are provided natively or through third parties for a fee. In the case of SaaS apps, such as DocuSign, Slack, or Box, security is mostly native. For example, Microsoft 365 offers Advanced Audit for Exchange, SharePoint, and Azure Active Directory instances (among other security offerings).

A look into Box’s cloud enterprise provides a glimpse into how sensitive data flows in and out of third-party providers. Box manages multiple applications to support workflow, digital contracts, Zoom meetings, historic data storage, HR onboarding and other HR functions. Clouds within clouds emerge as users connect Box to other cloud services, like Facebook Workplace, with full data transfer capabilities through Box Shuttle.

As more apps spin up in the Box universe, embedded security and compliance toolsets for its users are critical differentiators, says Alok Ojha, vice president of security, privacy, and compliance products at Box. Ojha cites Content Cloud as a place for Box users to achieve consistent security across different workstreams and visibility to see what files and data are transacting in the application, along with who is accessing the data and for what purposes.

Another native tool, Box Shield, can be configured to find and classify sensitive data, apply proper controls to the classified data, reduce risk from insider and malware threats, understand what regulatory requirements are associated with the data, and ensure an audit trail for regulators. He also recommends renewed focus on identity and access management (IAM), particularly the use of multi-factor authentication for external users and partners instead of reusable passwords.

3. Protect data at the data layer

Arti Raman, founder and CEO of the data protection company Titaniam, warns against overreliance on identity and access controls to protect against data leaks and says controls also need to focus directly on the data itself, both as it transits public clouds and as it is stored there. But data protection from endpoint to enterprise to cloud is notoriously difficult and must be flexible enough to cross all these boundaries and more in order to protect the data throughout its lifecycle.

“We believe that encryption and data protection should stay present when the data is indexed, searched, aggregated, queried, or otherwise manipulated by maintaining data-in-use in adaptively-protected format without restricting any functionality,” she says. “This includes traditional encryption techniques as well as new searchable techniques that use traditional encryption on top of them to meet compliance standards.”

A data kill policy is also important, adds Ojha from Box. Data that no longer needs to hang out in third-party cloud apps and infrastructure should be deleted, preferably automatically, based on the enterprise and regulatory requirements set for that data.
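A data kill policy only works when every object carries a classification that maps to a retention period. The following is an added example, not code from the article or from Box: it takes a constructed retention schedule (hypothetical classification labels and day counts) and a constructed object inventory, reports which objects are past their retention and which carry no classification at all, and expresses the same schedule as an S3 lifecycle configuration so deletion happens automatically rather than by a periodic script.

```python
from datetime import datetime, timedelta

# Constructed retention schedule in days, keyed by classification tag (hypothetical values;
# None means no mandated deletion).
RETENTION_DAYS = {"public": None, "internal": 730, "pii": 365, "payment-card": 90}

# Constructed object inventory in the shape of an S3 listing plus a classification tag.
OBJECTS = [
    {"Key": "exports/customers-2019.csv", "LastModified": "2019-06-01T00:00:00Z", "classification": "pii"},
    {"Key": "exports/cards-q1.csv", "LastModified": "2021-01-15T00:00:00Z", "classification": "payment-card"},
    {"Key": "reports/brochure.pdf", "LastModified": "2018-01-01T00:00:00Z", "classification": "public"},
    {"Key": "hr/onboarding.docx", "LastModified": "2021-03-01T00:00:00Z", "classification": "internal"},
    {"Key": "misc/unknown.bin", "LastModified": "2015-01-01T00:00:00Z", "classification": "unlabelled"},
]

def _parse(ts):
    # S3 timestamps are UTC with a trailing "Z"; fromisoformat needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def expired_keys(objects, now_iso, retention=RETENTION_DAYS):
    """Return (expired keys, unlabelled keys). Unlabelled data is surfaced rather than
    silently kept, because no retention rule can govern it."""
    now, expired, unlabelled = _parse(now_iso), [], []
    for obj in objects:
        label = obj["classification"]
        if label not in retention:
            unlabelled.append(obj["Key"])
            continue
        days = retention[label]
        if days is not None and now - _parse(obj["LastModified"]) > timedelta(days=days):
            expired.append(obj["Key"])
    return expired, unlabelled

def lifecycle_rules(retention=RETENTION_DAYS):
    """The same schedule as S3 lifecycle rules keyed on the classification tag, so the
    provider deletes current and non-current versions without a script running."""
    rules = []
    for label, days in retention.items():
        if days is None:
            continue
        rules.append({
            "ID": f"expire-{label}",
            "Status": "Enabled",
            "Filter": {"Tag": {"Key": "classification", "Value": label}},
            "Expiration": {"Days": days},
            "NoncurrentVersionExpiration": {"NoncurrentDays": days},
        })
    return {"Rules": rules}
```

The dictionary returned by lifecycle_rules is in the shape accepted by S3's PutBucketLifecycleConfiguration; the retention values themselves must come from the organization's own regulatory and contractual requirements.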


Copyright © 2021 IDG Communications, Inc.
