Cloud Security – Who’s Actually Responsible?

As more businesses move their workloads onto the cloud as part of their digital transformation journey, concerns over data protection increase as well. CSA spoke to Rana Gupta, Asia Pacific Vice President for Cloud Protection and Licensing Activity, Thales, to get his insights on where ASEAN stands relative to the rest of the world when it comes to data protection.

According to Rana, with the proliferation of cloud-based services, businesses and other organisations are increasingly dependent on cloud providers. However, he said that what is troubling to see is the increasing disparity between the rapid growth of data stored in the cloud and an organisation’s approach to cloud security. Businesses are taking advantage of the cloud, but not applying adequate security to safeguard sensitive data stored on cloud platforms.

“In our Thales 2019 Cloud Security Study, we found that while nearly half (48%) of corporate data is stored in the cloud, only a third (32%) of organisations admit they employ a security-first approach to data storage in the cloud. Nonetheless, with rising awareness of cyberthreats and growing importance placed on safeguarding sensitive data in the cloud, we are seeing more organisations (72%) committing to implementing secure cloud strategies.”

More broadly, Rana explained that technological progress among ASEAN states is uneven, and some of the states still have a long way to go before they can be considered anything approaching cloud-native. It is, however, promising to note that in recent years, countries in the region have been working towards building a stronger ICT industry by encouraging the widespread use of ICT in all sectors and developing a skilled ICT workforce.

Who protects data on the cloud?
As markets become digitally-led, businesses are seeing data stream in from multiple sources, channels and stakeholders. The management and storage of this sensitive data, amid a climate of stringent regulations and compliance requirements, has undoubtedly proved challenging. Businesses are struggling to reduce the complexity of managing privacy and data protection regulations in the cloud environment.
Interestingly, Rana pointed out that, coupled with concerns around integrating existing technologies and security solutions – together with the lack of skilled IT staff – organisations are increasingly transferring the responsibility of safeguarding data in the cloud to cloud providers.

“In fact, 35% of respondents we spoke to believe the cloud provider should be held responsible for the protection of sensitive information. This has also resulted in a lower priority placed on security when organisations select cloud providers.”

While cloud providers can offer a layer of security by encrypting data stored within their platform, organisations need to understand that data encryption is merely a strong deterrent to cyberattacks, not a complete defence. Some additional security measures implemented by cloud providers include internal firewalls that limit access to data stored in the cloud, so that bad actors do not gain full access to the stored data even after a compromise. Physical security, enhanced by biometric verification and surveillance, is also necessary to ensure the safety of on-site data centres. Cloud providers also need to safeguard the encryption keys so that stolen data cannot be decrypted and exploited.

“Even with cloud-native encryption, we highlight to our customers that data security is a shared responsibility and everything that occurs in cloud compute instance operating systems is in their hands – not just the cloud vendors’.”

Are we responsible for breaches?
The Thales Data Security in Asia-Pacific 2019 Study revealed how 83% of organisations feel that security features of the public cloud are sufficient, and 60% of organisations are storing their sensitive data in the cloud owing to the trust in cloud providers.

Rana believes that this sentiment is predominantly driven by less mature organisations leveraging the public cloud for its operational cost and growth elasticity benefits. In comparison, mature organisations take a more guarded and risk-averse approach to the use of a public cloud.

That said, Rana said one observation holds across organisations of all maturity levels – APAC organisations are still lacking in cloud security awareness. Not only are they not encrypting data as diligently as they should, but they are also increasingly transferring the onus of safeguarding the keys to their encrypted data to their cloud providers.

However, transferring the responsibility of safeguarding the encryption keys to cloud providers does not mean the risk of breaches goes away – it simply means that the risk attached to the encrypted data now rests on the shoulders of the cloud provider instead. In a nutshell: whoever holds the encryption keys owns the data.

“What organisations need to realise is that regardless of the cloud model or provider, the security of their business’ data in the cloud has to be their responsibility. Carefully review vendor-published security controls and service level agreements, and avoid outsourcing data governance responsibilities or thinking the provider will do this for you – it is a shared responsibility between the service provider and customer at the end of the day.”

He added that apart from the careful selection of cloud providers based on their security features, organisations have to ensure in-house teams keep a close eye on security posture and always retain control of encryption keys.

Picking a cloud provider
Rana said organisations are taking an operational approach to the selection of cloud providers, where the emphasis is placed largely on factors like efficiency and cost. More than 40% of respondents ranked these two considerations as their top two priorities when selecting a cloud provider. What is troubling is that security remains a backseat priority, despite 46% of respondents acknowledging that storing consumer data in the cloud makes them more of a security risk.

He explained there needs to be a shift in how organisations view security, from an operational consideration to a strategic priority that is integrated seamlessly into the wider operation of the business. To strategically blend the objectives of agile and secure management of cloud environments with the operational goals, organisations can look to cloud providers that can help them centrally manage and secure their entire cryptographic operations across all cloud platforms.

“The cloud provider should be able to support access management via different methods of authentication and different assurance levels. Organisations can match the level of assurance to the types of users accessing a resource, and require more than one factor of authentication for different groups. Users who need access to third-party servers may require stricter policies as their activities pose a higher risk to the enterprise. This gives organisations flexibility in scaling the deployment of cloud solutions without compromising on security.”

Protecting data
There are several ways organisations can protect their data. Here are a few suggestions from Rana:

  • Centrally and efficiently track data activity in cloud environments by leveraging authentication management platforms that let them centrally define policies and controls across both on-premises and cloud-based applications and services;

  • Adopt a centralised, efficient policy to manage encryption and keys company-wide, which streamlines the process of managing and auditing who and what has access to your sensitive data – wherever it goes;

  • Manage encryption keys internally, which ensures regulatory compliance and secures data from the risks posed by privileged users. An effective key management solution also ensures that keys and their policies can be stored in an appliance that remains under the full control of security teams, not the storage administrators; and

  • Establish security teams led by independent CISOs/CSOs to work collaboratively with the operations team, thereby aligning on strategy, budget and technology goals.

“Since encryption keys pass through multiple phases during their lifetime like generation, storage, distribution, backup, rotation and destruction, efficiently managing these keys at each stage of their lifecycle becomes important. However, only 53% of organisations from our 2019 Thales Cloud Security Study are controlling the keys to encrypted data themselves, despite 78% saying it’s important their organisation retains control of the keys.”

To prevent unauthorised access and ensure that the encryption keys don’t fall into the wrong hands, Rana suggested that a secure, centralised key management system comes in handy. With the ability to store and manage all encryption keys centrally, securely and efficiently, organisations can uniformly view, control and administer the encryption keys for all their sensitive data.

Rana concluded that, whether data resides in the cloud, in storage, in databases or virtually anywhere else, this assures proper key governance, even when data and people move from department to department within the organisation.
