In the corporate world, privacy refers to employee/business data as well as customer/supplier data—you must safeguard both of them. Laws such as CCPA and GDPR, not to mention vertical market regulations, make it clear how important this issue is to regulators, who take into account the security tools in use and their settings during investigations. (Fines can be significantly lower if tools are well deployed.)
As businesses continue to accelerate to the cloud, there’s no better time to review all aspects of cloud data collection, use, storage, transfer and processing.
- Investigate shadow IT, unsanctioned cloud providers and THEIR security
The organization’s data can easily leak via shadow cloud services; for example, users converting a PDF of the employee phone list, translating a project plan, or using a cloud-based presentation tool or unmanaged collaboration services. The corporation is responsible for data loss from its employees, no matter how it occurs. So IT needs visibility into all cloud services, even those set up by individual users or small groups. Once you have a comprehensive picture of unsanctioned cloud usage, this information should be shared with the purchasing team to help them decide which services to approve.
- Integrate with global SSO
Global single sign-on services can ensure that users’ access is removed from all services when they leave the organization, as well as reduce the risk of data loss from password reuse. In a non-SSO service, users often call the helpdesk team when they’ve forgotten their passwords , so SSO has the added benefit of reducing call volume.
- Work with GRC and workshop how users use cloud
GRC (governance, risk and compliance) should be brought in to help define cloud use policies. Often, they are unsure how clouds are being used and what data is being uploaded, and therefore policies are general. Create a team including users, GRC and IT security to define policies for the real world by reviewing the possible actions that can be taken in each particular cloud service and ensure policies are defined for all eventualities.
- Review IaaS – Don’t assume DevOps did everything right
The fastest-growing area of cloud is IaaS—AWS, Azure and Google Cloud Platform. Here, it is very easy for developers to misconfigure the settings and leave data open to attackers. Technology is needed to check for all IaaS services (we always find more than people believe they have) and their settings—ideally, this would be a system that can automatically change settings to secure options.
- Keep up to date with technology—serverless, containers, cloud email services, etc.
The cloud includes many technologies that are constantly evolving; therefore, security needs to change too. Developers are often at the forefront of technological advances—bringing in code from GitHub, running container systems that only live for a few minutes (even this isn’t too short a time to require safeguarding) and more. IT security needs to be in partnership with the development teams and deploy technologies to defend against the latest threats.
- Integrate with web gateway and DLP—don’t lose security as you move to cloud
After investing time and money over the last decade on security, you don’t want to lose that investment when moving to the cloud. As systems and data are moved skyward, you should deploy technologies that can integrate with your existing services and technology. For example, you shouldn’t have two different DLP models depending on the computing services used by your employees. Deploy systems that can integrate with each other, preferably with a single-pane-of-glass management system.
- Don’t assume CSPs will keep your logs forever
If the worst happens, you need to investigate the history of a data loss incident. CSPs will rarely save data logs forever—refer to your contract to find out how long they keep logs, and consider having your own logs so that forensic investigations can be executed even if the original data loss incident was some time ago.
- Consider differential policies based on location, device, etc.
Once data is in the cloud, the whole idea is to facilitate global working. Is that always appropriate? For example, what if an employee wants to download a sensitive corporate document via a cloud service to an unmanaged device? Consider the situations your employees will encounter, and form policy that provides the maximum amount of security required while causing the least amount of disruption possible.
- Promote the clouds you DO like to your users
Carrots work better than sticks to train users. Don’t just block the services you don’t like, promote widely the cloud services you approve of, those that conform to your security needs, your performance indicators and capabilities. Promote them via the intranet, blogs and internal marketing, and redirect requests to unsupported services back to those you like.
- Privacy and security is everyone’s responsibility: Bring in other departments and users
Perhaps the last recommendation should be the first: Use every method available to train users, but before you do, work with those users and their representatives to define appropriate policies. The aim is to encourage users to use cloud services that are not only safe, but will allow them to be as productive as possible. The users themselves typically have great ideas of the services they’d like to use, why and how, so bring them in to help define the policies and work together with GRC.
Here’s to successful and secure cloud deployment, and to keeping your users and customer personal data as secure as you can in 2020 and beyond.
For more information, take a look at our additional resource on safeguarding your personal data in the cloud .