With more than 3,800 data breaches reported since the first of the year, 2019 is on track to become the worst year ever for breach activity. Shockingly, many of these cases involve the theft of unencrypted data in cloud and on-premises storage systems.
While cybercriminals have certainly become stealthier and more sophisticated, leaving stored data unprotected just makes it too easy for the bad guys. Most security analysts agree the recent Facebook breach was largely due to carelessness.
In March, Facebook confirmed that hundreds of millions of account passwords were stored in plain text and easily accessible by more than 20,000 of the company’s employees. Just a couple of weeks later, it was discovered that half a billion user records had been posted publicly on Amazon cloud servers.
The shift to cloud storage has created a different security dynamic. Data is no longer exclusively stored onsite, but rather in a mix of on-premises and cloud data centers. While cloud providers typically offer strong defenses, many customers remain confused about the cloud’s basic security framework.
Cloud providers operate on a shared responsibility model in which providers and customers are responsible for different aspects of security. Most providers state explicitly in their terms and conditions that they are responsible for managing the security of the cloud infrastructure and for maintaining uptime, and that customers are responsible for protecting their data and applications.
Nevertheless, most organizations operate under the assumption that providers bear full responsibility for data security. In a recent survey of IT leaders conducted by Oracle and KPMG, 90 percent of chief information security officers reported they don’t fully understand the shared responsibility model. Thirty percent reported that this confusion led to an unpatched or misconfigured system being compromised.
Beyond this confusion, another issue is the immense scalability of cloud storage. Data stores are growing by as much as 65 percent annually, but a good chunk of this data serves no real purpose. The easy expansion of storage capacity in the cloud contributes to a hoarding mentality. Given the increasing focus on data analytics, organizations often choose to simply save everything rather than risk losing something they might want later.
Organizations simply can’t afford to be this casual about storage security. According to the Ponemon Institute’s annual Cost of a Data Breach Report, data breaches now cost companies about $150 per record. Here are three important steps every company should take to minimize its risk:
Know your role. If you are using cloud storage, you must take great care to understand the shared responsibility security model. Those responsibilities aren’t uniform; they can change significantly depending on the provider and the usage model. Never assume the provider is taking care of something without explicit confirmation.
Minimize your data stores. Storing and managing data that has questionable or no value wastes money and resources, slows decision-making, and increases risks related to security, regulatory compliance and e-discovery. Consider installing data governance software that imposes a quality-control discipline on the processes for assessing, managing and maintaining data. It will clarify who should have access to data and for what purpose while also ensuring that compliance requirements are being met.
Lock down your data. Use strong, industry-standard cryptography — ideally AES 256-bit encryption — and make sure the cryptographic keys are properly managed. Review the encryption controls of all devices including PCs, tablets, smartphones and servers. If you haven’t already, implement multifactor authentication, identity-based network access and a next-generation firewall to boost security.