For many business leaders, the idea of moving to the cloud can be daunting. Fear of the cloud still exists, and this fear is easy to understand given the inherent insecurities of the cloud: a shared, multi-tenant environment never sounds like a safe place to store sensitive business and customer data. The appeal of low-cost data storage has clearly trumped these fears, and today the cloud has become the de facto platform for small businesses and startups, as well as for larger corporations that are continually trying to reduce costs and choose the cloud over buying new, expensive hardware that must be operated in-house.
However, moving to the cloud has not alleviated these fears, and the biggest concern with the cloud remains security. This is largely because there is no single standard for securing data in the cloud: although organizations such as the Payment Card Industry (PCI) Security Standards Council and the Cloud Security Alliance publish recommendations for protecting data in the cloud, there are no hard rules in place for organizations to follow that would help them (or make them) secure data and prevent data breaches in the cloud.
The cloud has become a paradox for business leaders desperate to cut costs and manage risk at the same time. Using the cloud to store and process data at a lower cost is an obvious choice; however, such a quick decision often precludes due diligence around risk mitigation. It leads one to ask, if it’s the CEO’s job to govern and manage risk, why isn’t she or he more aware of the risks associated with storing sensitive data in the cloud?
The answer might be this: CEOs aren’t necessarily ignoring the risk, but simply do not know how to ask the right questions in order to adequately assess risk. If they don’t know how to assess risk in a certain area of their business, then there is little way to control that risk. When dealing in a technical landscape where data breaches are the new norm, and the cost of a breach can be millions, the inability to control the risk of a data breach is a massive problem.
For CEOs and business leaders concerned about sensitive data and data breaches in the cloud, it is important to learn the basics of assessing data security risk. A good place to start is by nailing down the answers to these topics:
- Find out whether the customer data your company is processing or collecting must be protected under industry data security regulations and/or state laws. You may be surprised to find that data not listed under these regulations is now considered “sensitive” in the public eye, such as email addresses, passwords and phone numbers, and it should also be encrypted.
- Choose a cloud provider that will work with your compliance needs and help you mitigate risk. If applicable, choose a cloud provider that provably demonstrates its commitment to security and privacy by having undergone PCI, FedRAMP, SOC or similar audits or certifications. You may want the option of storing some data in a private cloud. Does your cloud provider offer this?
- Work with your compliance auditor(s) to determine if your cloud solution aligns with industry compliance requirements and best practices. At the end of the day, your auditing and legal counsel should be able to determine if you are securing data to regulations, recommendations and best practices. It is important to remember that meeting compliance is often considered a low bar and that it is typically better to do more than the bare minimum requirements.
- Document the type of data that you will be storing or processing in the cloud and which compliance regulations apply to encrypting that data. Depending on whether you are handling credit card information, financial information, patient healthcare information, or other types of sensitive data, you may fall under one or more industry data security regulations. Each set of regulations identifies what kinds of data need to be encrypted.
- Choose a cloud provider that will allow you to bring your own encryption key management when encrypting data. When encrypting data in the cloud, it is critical to remember that your encryption keys are your keys to the kingdom. If you store your encryption keys alongside your encrypted data, then anyone who gains access to that data will be able to decrypt it using those keys. Some cloud providers offer key management as a service, which may be an adequate way of protecting encryption keys, but it may not be preferable for organizations that want complete control over their encryption keys.
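To make the key-separation point in the last item concrete, here is an added example (not code from the original article or from its author's products) showing envelope encryption in Go with the standard library: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped with a key-encryption key (KEK) that exists only inside a tenant-controlled key manager, and only the ciphertext and the wrapped DEK are handed to storage. The `KeyManager` type, the `StoredObject` layout and the sample record are assumptions made for this illustration; in a real deployment the KEK would live in an HSM or in the key-management service you bring, never in the storage tier or in process memory next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyManager stands in for an external, tenant-controlled key-management
// service (hypothetical type for this example). The KEK never leaves it.
type KeyManager struct {
	kek []byte // 32-byte AES-256 key-encryption key
}

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts and authenticates plaintext under key with a fresh nonce.
func gcmSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// gcmOpen verifies the authentication tag and decrypts; a wrong key fails.
func gcmOpen(key, nonce, ct []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// WrapDEK and UnwrapDEK are the only operations the key manager exposes.
func (km *KeyManager) WrapDEK(dek []byte) (nonce, wrapped []byte, err error) {
	return gcmSeal(km.kek, dek)
}

func (km *KeyManager) UnwrapDEK(nonce, wrapped []byte) ([]byte, error) {
	return gcmOpen(km.kek, nonce, wrapped)
}

// StoredObject is everything that lands in the cloud provider's storage:
// ciphertext, nonces, and the DEK in wrapped form only. Nothing in it can
// decrypt the record on its own.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
	DEKNonce   []byte
	WrappedDEK []byte
}

// Encrypt generates a per-record DEK, encrypts the record with it, wraps the
// DEK under the tenant's KEK, and lets the raw DEK go out of scope.
func Encrypt(km *KeyManager, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dek, plaintext)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := km.WrapDEK(dek)
	if err != nil {
		return nil, err
	}
	return &StoredObject{Nonce: nonce, Ciphertext: ct, DEKNonce: dekNonce, WrappedDEK: wrapped}, nil
}

// Decrypt needs the key manager that holds the KEK; any other KEK fails the
// GCM authentication check on the wrapped DEK before any data is touched.
func Decrypt(km *KeyManager, obj *StoredObject) ([]byte, error) {
	dek, err := km.UnwrapDEK(obj.DEKNonce, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, obj.Nonce, obj.Ciphertext)
}

func main() {
	km, _ := NewKeyManager()
	record := []byte("customer@example.com,555-0100") // constructed sample record
	obj, _ := Encrypt(km, record)
	pt, err := Decrypt(km, obj)
	fmt.Printf("tenant key manager: %q err=%v\n", pt, err)
	other, _ := NewKeyManager() // someone holding the storage but a different KEK
	_, err = Decrypt(other, obj)
	fmt.Println("foreign KEK:", err)
}
```

The design choice worth noting is that the storage tier only ever sees `StoredObject`: whoever copies the bucket gets ciphertext plus a wrapped DEK, and unwrapping it requires a call into the key manager you control, which is also the place where that access can be logged, rate-limited or revoked.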
For any business leader concerned with governance, risk and compliance (GRC), knowing how to assess risk in the cloud is critical. Download our podcast "Encryption, Key Management, and GRC" to learn which technologies you can implement to help mitigate a data breach or prevent one from happening altogether.