Moving to the cloud has obvious benefits for any enterprise, but placing your business’s sensitive data in the hands of third party providers also expands and complicates the risk landscape with which you must contend. As InformationWeek’s Robert Malmrose wrote, cybercriminals are now targeting “any company where they can find data to resell, disrupt or exploit.”
Still, not all concerns are truly threats—not for every business. So how do you tell which concerns should sound the alarm bells for your enterprise, and where to put the emphasis in your cloud computing security strategy?
1. Understand what you can’t afford to lose
Data breaches, according to the Cloud Security Alliance, are the top cloud computing security threat for 2013 and beyond, and for good reason: sensitive data can be of enormous value. To figure out how great a concern this is to your enterprise, consider what sensitive data you store in the cloud. Some of the most targeted types of information are:
- Personally Identifiable Information (PII), such as full names, addresses, telephone numbers, birth dates, drivers’ license and national identification numbers, some IP addresses, and online logins and passwords—anything a criminal can use to figure out or steal someone’s identity.
- Sensitive financial information, such as bank account and credit card numbers, PIN numbers, and anything a criminal can use to access accounts and funds.
- Confidential corporate information, including anything a competitor might use to gain a competitive advantage. Consider your corporate financials, HR resources, internal communications, strategic plans, and, in various fields, R&D documentation as well.
What do I have that others might want?
The essential consideration here is: What do I have that others might want?
Going hand-in-hand with this consideration is another: What do I have that I can’t afford to lose? Data privacy regulations often demand public breach notifications in the event of a malicious data breach or inadvertent data loss. If your cloud computing security strategy has failed to protect your data, your enterprise could face severe consequences in terms of business and reputation lost as a result of the notification.
For that reason, it’s essential to lock down any sensitive data you hold. In addition to thorough DLP measures, CipherCloud’s strong encryption and key management is designed to protect against breaches. In many jurisdictions, the disclosure of properly encrypted data to which the enterprise holds the key is not considered a breach and does not require public notification.
2. Understand what can protect you if you do lose your data
Safe harbor laws make key management especially critical. Under many jurisdictions’ safe harbor laws, a breach is not considered a true breach—and does not require public notification—if the enterprise still retains control of the encryption keys.
And breaches do happen, in many cases for reasons outside of enterprises’ direct control. Even when your data is protected in the cloud, all it takes is one insider who has access to your encryption keys—and shouldn’t—to result in an unwanted disclosure. The greater the number of CSP insiders with access to your data, the greater the risk to your cloud computing security. When your enterprise retains exclusive control of your encryption keys, you eliminate that concern.
Even the systems you and your CSPs may have in place to prevent accidental erasure of your data can pose dangers to your enterprise’s data privacy. Backups, redundancy, and other failover strategies may protect against data loss due to deletion or system failures, but create extra opportunities for the theft of the data you consider vital. And what happens to your data if you choose to terminate your services with a particular CSP? You can never be certain that the data has been digitally destroyed. Again, an encryption program that provides for limited, controlled, enterprise-exclusive encryption key access is key to protecting your data, no matter where it resides or how many copies of it exist.
Looking for more? Below are some helpful, relevant resources:
- On-Demand webinar – “Cloud Encryption 101: Understanding the Basics“. Listen in and learn about: How cloud encryption technologies work; Case studies on how and why organizations are using these technologies, plus a demo of cloud encryption technologies in action!
- Free white paper – “10-Minute Guide to Cloud Encryption Gateways“: What They Are, How They Work, and Why You Need One
- Blog post – “Cloud Information Protection: Symmetric vs. Asymmetric Encryption“
Which cloud computing security concerns are most worrisome to your organization? Sound off in the comments.