Owning up to cloud security - who is responsible?
The number of Australian businesses using commercial cloud computing services has risen to almost one third in just one year, according to the Australian Bureau of Statistics. Inevitably, this has led to an increase in the volume of customer data stored in the cloud, supporting everything from online services and websites, to sales and infrastructure. Keeping this data secure is vital for both the smooth running of businesses and protection of customers.
Many organisations are still struggling to secure their clouds – earlier this year, Australian cloud-based recruitment and HR software provider PageUp exposed two million passwords following a malware infection. This is just one of many examples of a business that migrated without the proper understanding of how to protect their data. Complicating the issue even further is that businesses often operate across more than one cloud, such as AWS and Azure, each having differing security protocols to grapple with.
There are mixed views on who is responsible for protecting customers’ sensitive or confidential data in the cloud. A third (34 per cent) of respondents believe that it’s the customer’s responsibility to secure their data in the cloud, while nearly two-thirds (62 per cent) of customers hold businesses responsible. With less than half (46 per cent) of businesses clearly defining roles and accountability for securing confidential or sensitive information in the cloud, it’s clear many are struggling to assign that responsibility within the organisation.
Taking responsibility for cloud security
The arrival of GDPR and NDB this year has forced the ownership of cloud security firmly into the hands of businesses. Under the regulation, if any unsecured customer data is compromised, stolen or misplaced – whether it’s stored internally in a data centre or the cloud – the business holding it will be held accountable. Additionally, over two-thirds of Australian consumers (72 per cent) would leave a business after a breach. So, what can organisations do to secure their cloud and avoid potential breaches?
Five steps to cloud security
Locate where the data is
Before implementing any cybersecurity strategy, businesses must first conduct a data audit. This helps them understand what data they have collected or produced, and where the most sensitive and valuable data is located. If businesses don’t know what data they possess and produce, they can’t even begin to protect it.
Encrypt all sensitive data
While it’s crucial that businesses restrict who can access sensitive data, it’s encryption that ensures the data cannot be used if it is accessed by unauthorised personnel. Businesses must understand where their most valuable data is stored before this step can occur. Regardless of where data is – on their own servers, in a public cloud, or a hybrid environment – encryption must always be used to protect it.
Securely store keys
When data is encrypted, an encryption key is used to lock it. That key is necessary to unlock and access the encrypted data, so businesses must ensure that keys are securely stored away from the cloud. Storing the key offsite, separate from the cloud, means an attacker who obtains the encrypted data cannot also obtain the key needed to read it. Encryption is only as good as the key management strategy employed, and companies must keep keys in secure locations – such as on external hardware away from the data itself – to prevent them being stolen.
Introduce two-factor authentication
Next, businesses should adopt strong two-factor authentication, to ensure only authorised employees have access to the data they need to use. Two-factor authentication involves an individual protecting their account with something they possess – like a code sent to their smartphone – and something they know, like a password. This is more secure than relying on passwords alone, which on their own are easily compromised.
Install patches promptly
Hardware and software are constantly being patched by their vendors as bugs and vulnerabilities emerge, to prevent hackers from exploiting them. Many businesses don’t install patches quickly enough, or use software which no longer receives regular patches. It is imperative that businesses install patches as they become available, to avoid becoming easy targets for hackers.
Evaluate and repeat
Once a business has implemented the above steps, each step must be repeated for all new data that enters its systems. Cybersecurity and compliance are an ongoing process, rather than a case of ticking a box. Together, these steps help make businesses unattractive or unviable targets for attackers: even in the event of a breach, attackers won’t be able to use, steal or hold the data for ransom.
The arrival of new data protection laws introduced in Australia this year means that businesses now pay a cost, reputationally and financially, for any data breach. It’s never been more important for businesses to take full ownership of the data they hold, particularly as consumers have more rights over their data than ever before. Organisations must drive a cybersecurity strategy from the board down, and educate staff about the cyber risks they face as part of the business, so consumers can trust that their data is stored correctly and secured effectively.
Article by Gemalto regional director Australia & New Zealand, Graeme Pyper.