The facts about how dangerous sending your data to the cloud is.
I was reading a recent article about security breaches and incidents among companies storing data in the ever-growing cloud (queue ominous music). This nebula of floating data particles being used to supplement, and in some cases supplant, the enterprise architecture. The article was written in a way to imply that using cloud-based storage was far more risky than traditional storage models (i.e., physical boxes in your data center). The article made the claim that 54% of those using cloud storage had a “security incident” during the calendar year of 2020. It also stated that 62% had plans to remove “sensitive data” from the cloud. The implication of these two statements, especially with the mention of actual percentages, is that the cloud is not a reliable storage solution in its current state.
Does the cloud have more inherent risk than a physical data center?
There is no data I have seen that supports this. In fact, if we look at the top five reasons or causes that a data breach or customer data breach occurs we will see they are mostly agnostic to the physicality of the environments in general. So, let us look at the top five.
- Out of date operating system and applications – Systems that are behind on their security patching or companies that are lax in their system maintenance and patching program are the leading reason and most compromised target by unethical actors, or hackers.
- Human Error – People make mistakes. It happens. It happens on both physical systems and cloud environments. That is why we say, “Bit Happens!” Response times, monitoring, and other aspects of the infrastructure should be in place to prevent these issues from being too costly.
- Malware – [mal-wair] n. Digital Technology “Software intended to damage a computer, mobile device, computer system, or computer network, or to take partial control over its operation.” Notice what is not listed in the definition of malware? Correct. It does not mention that it is only a threat to the cloud, or that physical servers are immune to its effects. A proper anti-malware strategy is a key part of any overall security plan, regardless of the type of environment you have.
- Insider Misuse – The one area of personal information security risks you cannot protect against. You can use background checks, access control processes, and all sorts of checks and balances (and you should) to minimize this risk, but you cannot eliminate it. Employees with bad intentions, elevated access, proper motivation, and in some cases enough collaboration can supplant security measures to access your data. The good news is that with proper hiring practices, access management, and employee favorable cultural work this is a risk that can be lowered to an acceptable level. Of course, nothing mentioned here has anything to do with cloud services or cloud security, so we will move on and discuss in detail later.
- Physical Theft of Data-Carrying Device – This is the single issue of the five that can be impacted by using the cloud. Funny part is, that using the cloud computing makes this more secure. If you (or your employees) cannot gain access to any “physical” device with that is used to store data, it can’t be stolen.
The real dangers.
As you can see by looking over the top five, only one has any relevance when comparing cloud architecture to maintaining your environment in a physical solution. Unfortunately, it is also only possible when utilizing a physical environment, since a cloud architecture would not present an opportunity for someone to steal a physical device containing sensitive data. We must note, that it is possible for someone to download this data to a portal data storage device (i.e., thumb drive or portable hard drive) and walk out with it, but that is covered under the 4th leading cause of Insider Misuse.
Let that last paragraph sink in for a moment. With proper training and implementation of common-sense maintenance processes, on top of treating your employees well, you can greatly reduce your risk in the top 4 areas most likely to cause a data security incident.
Is data safe in the cloud?
The likelihood that you are keeping your data secure from potential data loss or data leakage has little to do with the decision to host your environment in the cloud and more to do with the culture and seriousness with which you approach data security. All four of the first 4 risk factors given can be mitigated and/or reduced based on how the company views the importance of data security and how that shapes the way they address it with the employee base. A company that puts little priority in proper maintenance and patching programs will be at greater risk for the number 1 and 3 causes. Training and Security Awareness programs directly impact number 2 and along with other programs to improve employee wellness can reduce the chances of being a victim of number 4.
Feel free to reach out to me directly if you have additional questions. I am present on both LinkedIn and Twitter, and links to both should be available in my bio.
_______________________
A data breach can devastate a business. The average cost alone is staggering: USD3.9 million per breach. Evaluate your company’s security posture with SecureTrust compliance, privacy and risk assessment services.
_______________________
Written by Shawn Adams
Shawn Adams is a Senior Security Consultant at SecureTrust and an active member of the IT Security Community. In his role at SecureTrust Shawn works primarily with Enterprise class clients to improve the maturity and effectiveness of their security programs. He also helps his clients build stronger governance and culture practices to reduce over all risk and increase key business objectives through security measures.
Prior to SecureTrust, he has spent over 25 years in IT Operations and Architecture roles. Most of this time was in leadership positions where he worked with executives in organizational development efforts and client facing communication and incident management positions. Shawn holds the QSA, CISA, CISM, and CDPSE certifications and an MBA with a focus on IT Management. He can be reached for additional questions on Twitter under the handle @Shawn_writes as well as on LinkedIn.