Why “Good Enough” Data Security No Longer Works

If you still assume that “good enough” data security is good enough in the era of cloud computing, think again.

Each day we read about more organizations looking to realize the operational efficiencies offered by cloud computing. But as they migrate their data to the cloud, they also need to make sure that their information remains safe. Yet that’s harder than it seems at first blush.

The same controls that IT managers might have put in place to guard sensitive data when everything was stored on premises - loss prevention controls, encryption, and firewalling - no longer apply in the cloud era.

Now a company’s information gets sent to a cloud infrastructure that they neither own nor manage. What’s more, data nowadays is constantly in transit and potentially vulnerable to attack or interception as it zips around and gets accessed by users connecting with a myriad of devices (some of which are secure, some less so.) For security practitioners, this presents new challenges that require planning to contend with a host of new contingencies.

And it’s anything but easy. Consider the following insights that research firm ESG turned up after surveying IT managers recently about their experience.

• About 30% of an organization’s public cloud-resident data is categorized to be sensitive, and respondents believe it is insufficiently secured
• About 50% of a company’s total data resides in public cloud and 50% on-premises
• Over 90% of organizations store (now or within the next 12 to 24 months) sensitive data in more than one IaaS/PaaS platform
• HIPPA regulations are considered to be the most difficult to comply with due to data being stored in a public cloud environment
• Over 90% say users can gain access to an organization’s sensitive public cloud-hosted data using different types of devices
• 40% of organizations allow business partners access to their sensitive cloud-resident data
• 87% of respondents say that protecting cloud sensitive data affects their organization’s use of public cloud services
• 81% believe that on-premises data security is much more mature than public cloud infrastructure/application data security
• 82% prioritize the security of data that resides on systems/in applications running on-premises vs cloud
• 90% believe that managing data security processes and technologies has become more difficult over the past two years
• The majority of respondents say discovery and classification of personally identifiable information is the most significant cloud data security challenge they face when it comes to addressing data privacy concerns and comply with regulatory requirements

One clear conclusion from the findings is the urgent need to take action. The last thing an organization can do is settle for half measures or put the question of cloud data security issue on the back burner, waiting until there’s a more convenient time. Now is the time to think about choosing a solid solution that will protect your enterprise’s information. Unnecessary delay will only court trouble down the road.

Even though you don't need to reinvent the wheel, don’t get lulled into believing that a good enough approach to the cloud will buy much more than partial protection and partial visibility into what’s going on with your data.  Companies can’t leave this to chance, especially given the need to comply with a variety of stringent regulations both domestically and now in Europe with GDPR governing their treatment of customer data.

In the event that your customer data winds up getting exposed, the legal liability falls on you. That’s why it’s important to protect your data and not rely on the confusing claims issued by cloud data providers, who all contend that their environments are secure.

Your Game Plan

The goal should be to augment what you already have and work toward building unified and dedicated data protection strategy. As you go about the process of pulling everything together, keep the following points in mind:

Look for ways to supplement whatever the cloud service provider offers with additional security on top of what’s being supplied. Cloud providers can help but so can third-party security solutions companies. Unlike cloud providers, who don’t have a long track record here, these security-focused firms have long experience working in data protection and security technologies, intelligence networks and best-practices.

You don’t need to complicate things so simply adapt what you already have and extend the approach to cloud environments. For example, controls like data loss prevention cuts down on having to manage different places with different policies and different incidents to remediate. it all starts with detection, which must be very reliable. You can’t protect what you don’t see. Accuracy is key as well as you don’t want to deal with a sheer volume of false positives.

Look for opportunities to promote greater integration. At the end of the day, you’ll have better luck providing end-to-end protection if you can work off of a single console that offers a unified view into any clouds you use. You need a good third-party security tool to bring together those different environments.

Buy cheap, buy twice. If you choose a solution just because it’s the lowest cost option out there, don’t be disappointed what happens next.

If you found this information useful, you may also enjoy:

• Learn more about Information-Centric Security