After high-profile data breaches of Home Depot, JPMorgan Chase, Sony Pictures, and Anthem, businesses across every industry are investing heavily in data protection. In the retail industry alone, Forrester predicts a double-digit increase in security spending.
Before you start throwing money at your cybersecurity worries, use common-sense precautions to protect your cloud data. These five steps, coupled with smart cloud security strategies and tools, will make sensitive data a lot less vulnerable.
1. Know Where Data Lives
Today’s businesses collect and analyze extraordinary amounts of data. They store their trade secrets, product research data, and financial information, along with customers’ personal data. Although your security team can protect the data within your walls, your cloud services provider and third parties are also custodians of your data. Depending on your industry, you’ll face significant financial penalties when business partners misuse your data.
It gets overwhelming to think about all the places your data might reside. It could live on your premises, both centralized on servers and hoarded within departmental silos. It can also live in your cloud services provider’s data centers and on the servers of third-party companies. Data might live on mobile devices, personal computers, and USB drives belonging to your employees — and the employees of your business partners. Bottom line: Before you can protect your cloud data, make sure you know where to find it.
2. Implement Smart Access Policies
According to Verizon’s 2014 Data Breach Investigations Report, two out of three attacks involve an attempt to steal an employee password. When high-level employees have weak passwords, attackers often use brute force to figure them out without even bothering to steal them.
Teaching your employees to create smarter passwords is a beginning, but it’s even more important to limit non-essential access to data. When an attacker swipes login credentials, but the person’s credentials can’t access valuable data, you’ve already thwarted a breach. Implement granular policies that tie data access to positions within departments and roles within inter-departmental projects. Also, create strong policies around personal mobile device usage, USB drives, and remote access to your corporate network.
In addition, review your employee authentication directory often, making sure that no one has admin privileges when they shouldn’t. You should also delete the login credentials of former employees and business partners.
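The directory review described above can be run as a repeatable check. The following Python code is an added example, not part of the original article: it compares a directory export against the active roster and a role-to-group policy, flagging accounts with no active owner, admin rights outside the role, and other group access outside the role. All user names, roles, and groups are constructed sample data, and the function name `review_directory` is hypothetical.

```python
# Added example: access review over a constructed directory export.
# Every user, role and group below is hypothetical sample data.

# Policy: which groups each position is allowed to hold.
ROLE_GROUPS = {
    "finance-analyst": {"finance"},
    "it-sysadmin": {"it", "admins"},
    "partner-contractor": {"project-x"},
}
PRIVILEGED = {"admins"}  # groups that grant admin rights

# Current employees and business partners, mapped to their position.
ACTIVE_ROSTER = {
    "avega": "finance-analyst",
    "bchen": "it-sysadmin",
    "dpatel": "partner-contractor",
}

# Export of the authentication directory (constructed).
DIRECTORY = [
    {"user": "avega", "groups": ["finance", "admins"]},
    {"user": "bchen", "groups": ["it", "admins"]},
    {"user": "cmoore", "groups": ["finance"]},  # no longer on the roster
    {"user": "dpatel", "groups": ["project-x", "finance"]},
]


def review_directory(directory, roster, role_groups):
    """Return (user, action, groups) findings for the access review."""
    findings = []
    for account in directory:
        user, groups = account["user"], set(account["groups"])
        role = roster.get(user)
        if role is None:
            # Former employee or partner: the login should be deleted.
            findings.append((user, "remove-credentials", sorted(groups)))
            continue
        # Anything held beyond what the position allows is excess access.
        excess = groups - role_groups.get(role, set())
        if excess & PRIVILEGED:
            findings.append((user, "revoke-admin", sorted(excess & PRIVILEGED)))
        if excess - PRIVILEGED:
            findings.append((user, "revoke-group", sorted(excess - PRIVILEGED)))
    return findings


if __name__ == "__main__":
    for user, action, groups in review_directory(DIRECTORY, ACTIVE_ROSTER, ROLE_GROUPS):
        print(f"{user:8} {action:20} {', '.join(groups)}")
```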
3. Encrypt When Needed
In some industries, like health care, encrypting files before uploading them to the cloud is non-negotiable. Even if your company merely works with a health care provider, you should encrypt all files that contain personally identifiable patient information. You should also encrypt all email correspondence that contains patient information. Although encryption can’t prevent all data theft, it will protect health care organizations and their business partners from costly HIPAA fines.
Health care isn’t the only industry that should step up its reliance on encryption. According to the Tampa Bay Times, a supplier for U.S. Central Command recently found stolen military laptops for sale on eBay. If you hold third-party data as part of a defense contract, you must encrypt all laptops and mobile devices that might contain military data. In fact, if your employees transport highly sensitive data on their personal devices, always require encryption and set up remote wipe access.
4. Balance Public and Private Cloud Deployments
Many companies, in an attempt to limit potential data breaches, have turned to private cloud deployments to segregate data storage. To find a balance, many companies store their most sensitive data within private clouds hosted in their own data centers, and they use public cloud storage for less sensitive information.
Although companies that use private clouds can also tap public cloud infrastructure for high-capacity needs, it’s not always easy for a company’s private cloud to interact with the public cloud. Companies like Eucalyptus are developing hybrid cloud solutions, making it easy to set up private clouds that can also communicate with AWS.
5. Demand Provider Transparency
As the customer of an outside cloud services provider, you have a right to know about security policies within the data center. You also have a right to know where your data is kept and whether your network is completely isolated.
If your CSP isn’t transparent about data storage and transfer, don’t hesitate to get a new CSP. You have a right to know not only where the CSP stores your data but also what happens to your data in transit.
via Steve Olenski @ Forbes