When it comes to adopting the cloud, data security is often amongst enterprise decision-makers’ top concerns. We’ve all seen what can happen to even the largest organizations if they suffer a data breach (think Target, Home Depot), and no one wants to be the next victim. But as firms move more and more mission-critical applications to the cloud, it can be easy to lose sight of the fact that data governance and protection are shared responsibilities between both the cloud providers and the organizations that use their infrastructure.
On the cloud provider side, established CSPs do their part both by utilizing common best practices on their own premises and by advising customers on additional steps to take in order to ensure cloud data security. Salesforce, for example, is focusing on identity confirmation and IP restrictions to reduce the risk of unauthorized access, but also advises that customers use two-factor authentication and other measures for greater security. HIPAA compliance and safe harbor certifications headline the privacy feature list at Box, followed closely by the generation of robust audit trails. And Amazon Web Services offers a long list of security features, from built-in firewalls to authentication and user identity and access management controls, as well as dedicated connection options and encrypted data storage.
But as useful as CSP security features and controls can be, they aren’t always enough. Modern threats are often designed to circumvent those controls, which also need to be carefully configured or managed for best results. And at the end of the day, the ultimate responsibility for cloud data security rests with the enterprise that owns the data. Legally, the enterprise will bear the brunt of any penalties incurred from compliance violations, and the enterprise will bear the majority of the public relations fallout should a breach happen, too.
In order to take full control of cloud data security, enterprises must not only use their CSPs’ security options to their maximum capabilities, but also take greater control of their information by applying data-centric approaches to their most sensitive assets. Methods such as encryption (as long as the encryption keys remain exclusive to the enterprise itself) and tokenization will go far towards protecting sensitive information, ensuring compliance, and maintaining the confidentiality of data. In fact, methods such as these should be an organization’s highest priority when moving business-critical applications and data to the cloud. A data-centric approach to cloud security will dramatically lower business risk, support regulatory compliance, and protect firms from the brand damage that a breach can cause.
How else can businesses take control of their cloud data security? Tell us your thoughts in the comments.