Cloud Healthcheck – It’s about the data, stupid

Data is the most valuable asset that any corporation has. Human beings are wired to secure things that they ‘perceive’ as valuable. As long as companies continue to think of the cloud simply as commodity compute and storage, the level of attention provided to securing this asset will be relegated down. 

However, if the board and CXOs start believing and communicating that data is the single most valuable asset that their enterprise owns, the level of attention given to data security will continue to rise invisibly and exponentially, instilling a culture where each individual feels an inherent need to protect data from potential threats.   

Data breaches occur daily, too often and in too many places at once to effectively track. However, the size and scale of recent data breaches have made headlines as shown by the Capital One data breach that exposed data on over 100 million people in the United States, 6 million more in Canada and compromised 140,000 Social Security numbers, 1 million Canadian Social insurance numbers and 80,000 bank account numbers.  Given the sizable investments that companies have made in the cloud, how and why can breaches like this occur?   

Cloud providers such as Amazon Web Services and Microsoft Azure operate under a shared responsibility model, meaning the cloud provider owns security “of” the cloud while customers own security “in” the cloud. Amazon and Microsoft have invested heavily to provide a robust set of security controls for its customers to use across cloud services, but it is still the responsibility of the customer to correctly implement and configure these built-in controls to properly secure systems, services and data.  In the case of Capital One, misconfigurations in an AWS Web Application Firewall (WAF) and S3 bucket allowed unauthorized access to millions of records. 

The good news is that breaches like these can be avoided.  While an organization should instill and reinforce the idea that data is their most valuable asset, this must be translated into a tangible, actionable plan that can be followed to secure data.   

Ensuring that systems, services and data are secure begins with developing and establishing a thorough cloud security framework with policies and procedures to ensure that only the necessary users and software have only the permissions that are absolutely required.  The cloud security framework should be documented along with security policies and procedures to detail who or what should have access to systems, services and data and why.   

Companies are often successful with developing and establishing a cloud security framework, but that is just the first step. Cloud security goes beyond the initial creation and adoption of a framework and should be operationalized with ongoing monitoring and auditing. However, this critical component is often overlooked.  Without ongoing monitoring and auditing, cloud security is greatly compromised as security configurations can slowly drift away from what was established when the security framework was created.  Additionally, threats often go unnoticed until it is too late. 

Ongoing monitoring and periodic audits ensure that the configurations still adhere to the security framework while meeting current business needs. Monitoring provides an opportunity to identify security threats earlier so that they can be remediated prior to an incident occurring. Audits provide an opportunity to update security policies as business needs change to ensure that the appropriate security controls remain in place.   

At Syntelli, cloud and data security is a top priority – we offer comprehensive cloud monitoring and auditing solutions for our clients.  Please contact us @ [email protected] for more details on your cloud strategy and for any analytics, BI and data needs.