Modern enterprises are facing the challenge of achieving robust security and compliance while they leverage their vast stores of data in the cloud. Anurag Kahol, CTO at Bitglass, discusses this challenge and unveils the capabilities that help enable organisations to process cloud data effectively and securely.
Today’s data sovereignty regulations mean that data is subject to the laws of the nation within which it is collected. However, for organisations unprepared to meet their obligations, these laws can create roadblocks when their users want to analyse, store or process regulated data in the cloud – beyond the country of its origin.
Outside of current data sovereignty issues, regulations also place a number of other security demands on organisations, adding further complexity for anyone who wants to process data in the cloud. A key point is that data stored in the cloud needs to be actionable so organisations can maintain efficient internal processes, meet customer needs and tailor their approach to take advantage of new opportunities and demands.
Along with compliance headaches, processing data in the cloud can also expose the organisation to security vulnerabilities. Consequently, many organisations struggle to store and process data in the cloud while also maintaining the appropriate levels of security and regulatory compliance.
The primary issue is that securing data by using agents and firewalls is not suitable for data stored in the cloud because that sensitive information is being accessed beyond the enterprise perimeter.
Agents are only effective when they are deployed on all of the devices that are accessing corporate data. An agent-based solution is beneficial when it is used on corporate assets because it provides comprehensive visibility and control over the devices on which the agents are installed.
However, users often resist installing agents on their personal devices to avoid surrendering their privacy over personal data and web traffic. This doesn’t sit well with the majority of organisations that are allowing, and even encouraging, the use of personal devices. As such, it is not an approach that is appropriate for today’s cloud-first environment.
In addition, organisations cannot place a firewall around cloud applications like Office 365 or Salesforce, or use one to secure the variety of managed and personal devices that access data outside of corporate infrastructure. Firewalls are on-premises tools and are no longer sufficient for protecting data in the cloud.
Additionally, there is a need for full-strength encryption, which plays an important role in securing data at rest in cloud applications. It is particularly pertinent when applications physically store data in foreign nations that are considered unsafe by data sovereignty requirements set out by regulators.
Relying on the native encryption offered by applications such as Salesforce may not be truly secure, because the encrypted data and the encryption keys are held together by the same provider: everything a malicious party needs to recover the plaintext. This is also not compliant with GDPR, because native app encryption does not protect data that is physically stored in ‘unsafe’ locations.
An alternative approach is to simply block all access from remote locations or personal devices and to force all users to work via a VPN. The problem with this is that it defeats the purpose of a bring your own device (BYOD) strategy that seeks to improve user efficiency.
The best of both worlds
Organisations can, however, securely leverage and process data they have stored in the cloud by adopting a range of capabilities, including:
- Contextual access control governs data access based on a user’s geographic location, job function, device type and other variables – giving organisations the flexibility to embrace BYOD without compromising security.
- Visibility and monitoring capabilities across an entire cloud footprint are important for maintaining security and compliance. This is vital because users who are authorised to access data can potentially be a threat to data security and those accessing data outside of a specific region can break data sovereignty laws. This can be addressed by employing user and entity behaviour analytics (UEBA), which is able to detect suspicious user behaviour in real time and enable automated responses such as alerting IT or enforcing multi-factor authentication.
- API integrations across enterprise cloud applications enable organisations to detect, manage and delete sensitive data patterns at rest within the cloud.
- Cloud encryption can protect corporate information and meet the data sovereignty requirements of regulations like GDPR. Third-party solutions that can provide full-strength cloud encryption protect both structured and unstructured data at rest and allow companies to retain control over their own encryption keys. This is particularly important as it is the only way to enable secure data processing in the cloud, satisfying data sovereignty demands.
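As an added illustration (not from the article, and not Bitglass's own product logic), the evaluator below combines the contextual variables the list names, user location, job function and device type, with a data-sovereignty check and a UEBA-style step-up to MFA; the datasets, regions, roles and the failed-login threshold are constructed for the example.

```python
"""Constructed contextual access-control evaluator (example code, not
the article's or any vendor's). Policy data below is made up."""
from dataclasses import dataclass
from typing import Tuple

# Constructed: regions in which each data set may lawfully be processed.
DATA_REGIONS = {"eu-customer-records": {"EU"},
                "us-sales-pipeline": {"US", "EU"}}
# Constructed: job functions and the data sets they may access.
ROLE_ACCESS = {"analyst": {"us-sales-pipeline"},
               "dpo": {"eu-customer-records", "us-sales-pipeline"}}
MFA_FAILURE_THRESHOLD = 3  # constructed UEBA signal threshold


@dataclass
class Request:
    user: str
    role: str
    region: str           # region the user is connecting from
    device: str           # "managed" or "personal"
    dataset: str
    recent_failures: int  # failed logins in the last hour (constructed)


def decide(req: Request) -> Tuple[str, str]:
    """Return (decision, reason); decisions: allow, allow_mfa, read_only, deny."""
    allowed_regions = DATA_REGIONS.get(req.dataset)
    if allowed_regions is None:
        return "deny", "unknown dataset"
    # Data sovereignty first: processing outside the permitted region is
    # unlawful regardless of who the user is or what device they use.
    if req.region not in allowed_regions:
        return "deny", f"{req.dataset} may not be processed from {req.region}"
    if req.dataset not in ROLE_ACCESS.get(req.role, set()):
        return "deny", f"role {req.role} has no access to {req.dataset}"
    # Suspicious behaviour: step up to MFA rather than block outright.
    if req.recent_failures >= MFA_FAILURE_THRESHOLD:
        return "allow_mfa", "suspicious login pattern, enforcing MFA"
    # BYOD: personal devices may view but not download.
    if req.device == "personal":
        return "read_only", "personal device, download blocked"
    return "allow", "managed device in permitted region"


if __name__ == "__main__":
    for r in (Request("alice", "analyst", "US", "managed", "us-sales-pipeline", 0),
              Request("alice", "analyst", "US", "managed", "eu-customer-records", 0),
              Request("dana", "dpo", "EU", "personal", "eu-customer-records", 4)):
        print(r.user, r.dataset, r.region, "->", decide(r))
```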
Organisations looking to process data in the cloud might be forgiven for viewing regulatory frameworks as a barrier to success. However, being compliant is an important foundation on which to build a cloud security strategy. Today’s most successful exponents of cloud-based data processing are able to marry security with a respect for the individuals whose information is being processed – benefiting everyone concerned.