Enterprises are increasingly aware of the security risks created by uncontrolled cloud application adoption and shadow IT, and of the need to perform risk assessments on every cloud app used to handle corporate data. While tools exist to ease the process, your first line of defense against cloud security threats will always be awareness. In that vein, it’s critical to understand the factors that go into a cloud application risk assessment. Here are two of the many variables that the CipherCloud Risk Intelligence Lab considers when analyzing cloud applications.
When it comes to authentication, what is the first thing you think of?
Most likely, it’s a password. Nearly every system that controls access to the data it contains uses passwords to authenticate authorized users. Unfortunately, when a password is all that a system relies on to keep unauthorized users out, enterprises take a big risk. Passwords are all too often guessed or stolen. Many people exhibit very poor password management behavior, basing their passwords on things like pets’ names, graduation years, birthdays and anniversaries—all information that an enterprising cybercriminal can typically mine with little effort from social media accounts and the like.
That’s where multi-factor authentication comes in. In multi-factor authentication, a system requires two or more independent credentials, rather than just one, to verify a user’s identity, and the credentials come from different categories: something the user knows (the password), something the user has (a security token placed on the user’s device, or the client certificate issued for a corporate VPN), or something the user is (biometric data). An attacker who has guessed or stolen the password still lacks the second factor, so a cloud application that enforces it is markedly more secure than one that depends solely on passwords for access control.
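To make the "two independent credentials" idea concrete, here is an added example (not code from the original article or from CipherCloud) of a login check that requires both a password and a time-based one-time code per RFC 6238 (TOTP), the "something you have" factor that authenticator apps implement. The user record, salt and secrets are constructed for the example; the TOTP seed is the RFC 6238 test key so the codes can be checked against the published vectors. It also shows two details a practitioner cares about: a small clock-drift window, and rejecting a code whose time step has already been accepted, so a stolen code cannot be replayed.

```python
"""Added example: password + TOTP second factor (RFC 4226 / RFC 6238).
All user data below is constructed for illustration; nothing here is a real account."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


# Constructed user store (assumption for this example). The password is stored
# as a salted PBKDF2 hash; the TOTP seed is base32-encoded, as authenticator
# apps expect. The seed is the RFC 6238 test key "12345678901234567890".
SALT = b"example-salt-not-for-production"
ITERATIONS = 200_000
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS),
        "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
        "last_step": -1,  # highest time step already accepted (replay guard)
    }
}


def check_password(user: dict, password: str) -> bool:
    """Factor 1: something the user knows. Constant-time comparison of hashes."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(user: dict, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Factor 2: something the user has. Accept the current step or `window`
    steps either side for clock drift, but never a step at or below one that
    has already been used, so an intercepted code cannot be replayed."""
    secret = base64.b32decode(user["totp_secret"])
    current = now // step
    for t in range(current - window, current + window + 1):
        if t <= user["last_step"]:
            continue
        if hmac.compare_digest(hotp(secret, t), code):
            user["last_step"] = t
            return True
    return False


def login(username: str, password: str, code: Optional[str], now: Optional[int] = None) -> str:
    """Return 'ok' only when both factors verify; otherwise a denial reason."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or not check_password(user, password):
        return "denied: bad credentials"
    if code is None:
        return "denied: second factor required"
    if not check_totp(user, code, now):
        return "denied: bad or reused code"
    return "ok"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; 6-digit code for this key and time is 287082
    print(login("alice", "correct horse", None, t))       # password alone is not enough
    print(login("alice", "correct horse", "287082", t))   # both factors: ok
    print(login("alice", "correct horse", "287082", t))   # same code again: rejected
```

The point of the example is the middle line of the usage block: a correct password by itself never yields access. Real deployments should also generate the seed with a CSPRNG rather than a fixed string, store it encrypted at rest, and rate-limit code attempts, since a six-digit code is only 1,000,000 possibilities.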
Also of note when it comes to cloud application security is the question of data residency. In which countries and geographical regions does the cloud provider maintain data centers or store customer data? There are, of course, legal and regulatory compliance complexities around data residency, but there are also simple data security issues at stake.
One key issue is the relative safety that a given region’s data privacy laws can provide. Data privacy laws in some regions offer strong protections for sensitive data, while others do not. Some jurisdictions may even have laws that make corporate data easier for government agencies to access, either explicitly or through provisions that ban the import of certain types of data protection technology, such as unapproved encryption algorithms. For this reason, CipherCloud considers data residency when evaluating the relative risk or safety of cloud applications and providers.
Of course, these aren’t the only factors to keep in mind when performing a cloud app risk assessment. Our lab also looks at risk model components such as privacy and cookie policies, data retention practices, disaster recovery and multi-tenancy strategies, and compliance with regulations and standards such as PCI DSS, HIPAA, and SOC 2, among other variables.
Want to learn more about how risk ratings are calculated and what factors to look for when evaluating the cloud applications in use at your organization? Download our free ebook, “Cloud Adoption & Risk Report for North America & Europe: 2014 Trends,” today.