Did you hear the one about the jewelry store? Unfortunately, this story is no joke, with no punchline (unless you call a cloud security failure perpetrated by a disgruntled ex-employee a punchline).
This fail in cloud security occurred to a jeweler’s corporate DropBox account when the account’s email contact was switched to the personal email of an ex-employee. The change, unbeknownst to the jeweler, occurred when the employee left the company for a competitor. The ex-employee took with them access to a treasure trove of competitive data while simultaneously locking the original employer out of their own DropBox account.
It’s not just small businesses that expose themselves to a cloud data breach, either. According to TechTarget, sensitive data was exposed over the internet from these companies and many others, thanks to “user error and misconfigured [Amazon] S3 buckets.” In the article, 451 Research Analyst Fernando Montenegro commented that the situation was akin to “leaving your door open, and guess what? Your stuff gets stolen — or, in this case, copied.”
Want to hear a startling prediction about cloud security? According to a Gartner Research report sponsored by Iron Mountain, analysts predict that, “Through 2020, 95% of cloud security failures will be the customer’s fault.”
But, isn’t security in the cloud the provider’s responsibility? Yes and no.
If your organization uses public cloud services that fall more under the category of Software as a Service (SaaS) — such as services for cloud backup, disaster recovery, cloud email etc. — much of the responsibility to secure your data running on the software “stack” and its underlying hardware does fall on the SaaS provider. If you use other types of cloud services, such as Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) to host your own applications, more of the responsibility to secure those applications falls on you.
When it comes to successfully securing your data in their cloud, providers of public cloud services have a “shared responsibility” model; part of the responsibility falls on your organization (as the customer) and part of it falls on the cloud provider.
To help you stay out of trouble, look for cloud providers who specifically spell out their responsibilities and your responsibilities in these areas. Also, to help in your organization’s own efforts to avoid security loopholes, seek providers with mature tools and enough breadth, depth and experience in both best practices and the protection of customer data. Providers should also offer, as part of the service, dedicated secure VPNs and data encryption, in transit and at rest, along with geo-resiliency between multiple, provider-owned, secure data centers.
Lastly, look at common weak points surrounding Identity and Access Management (IAM), Federation, encryption, access control and authentication. Develop policies that encompass secure data management of all data resources, including those in the cloud.