Six cloud security issues organizations need to address

For many organizations, concerns about cloud infrastructure security are one of the main reasons why they are not so eager to deploy cloud technology. How justified is this concern?



Every day, IT departments have to deal with an increasing number of threats , take care of compliance with numerous legislative standards, and protect more and more data . And taking into account the fact that company employees often on their own initiative begin to use cloud technology, the number of requests to IT departments will increase, as will the number of projects that they will support.

At the same time, there is no doubt that cloud technologies bring great advantages, for example, they will help your organization:

  • bring new products and services to market faster
  • reduce storage costs and related infrastructure
  • provide access to business applications and information at any time, from anywhere and from any device
  • process, analyze and use data faster

Of course, the cloud helps to cope with the growing volumes of data generated in today's interconnected and highly competitive digital world. But what if YOUR private data ends up in a public cloud that you DO NOT CONTROL?

The good news is that you don’t have to give up new or ongoing cloud initiatives, all you need to do is make sure your team has an action plan that will help eliminate concerns about cloud infrastructure security and respond to next questions:

1. How to show that we control data in the cloud and comply with regulatory requirements?


To ensure regulatory compliance, organizations need to centrally, comprehensively, and effectively monitor any activity with regulated data - even if that data is hosted in cloud environments. In particular, this requires an authentication management platform that allows your company to centrally set policies and monitor compliance with them both within its own infrastructure and with respect to cloud applications and services.

In addition, organizations must have a centralized and efficient tool for managing encryption and encryption keys throughout the company. This allows you to optimize access control processes for your critical information, wherever it is, as well as simplify the process of appropriate audit.

2. How can we mitigate the risks associated with the storage of confidential data in the cloud and with the independence of this data?


We recommend that you discuss this specific matter with your legal department. It is important to understand that many specific countries and regions may have their own specific regulatory requirements governing where “sensitive” information can and cannot be posted. For example, before a federal government agency in the United States can transfer sensitive information to the cloud, it must ensure that the cloud service provider does not store or manage this data outside the country.

Similarly, in a number of European countries, healthcare providers will not be able to use the services of a cloud provider to store patient data if all the equipment from that provider is not exclusively located in that particular country. In Russia, there is also a requirement to store confidential user information on servers located within the country.

3. How to prevent cloud infrastructure administrators and other users from gaining access to our sensitive data?


Your organization should have a way to protect itself from threats from within companies and minimize the risks associated with malicious intent of administrators. It is your responsibility to make sure that even when working with multi-tenant public cloud environments, your team has sufficient tools and rights to protect sensitive data in order to prevent abuse by administrators of cloud service providers.

The same applies to cases where cloud services are used to host the SaaS application infrastructure. In addition, you should ensure that responsibilities are shared so that important administrative tasks, such as making policy changes or exporting keys, are performed by different administrators.

According to our survey of IT professionals in a number of leading global companies on data security issues hosted in the cloud:



4. How to control what data is provided access in the event of a judicial request?


In this case, it is very important to know what exactly is happening and to understand what data is accessed. If the court request is addressed to the cloud service provider, and your encryption keys are not controlled by you, then the service provider will be forced to transfer the encryption keys to the initiator of the request, be it a government agency or some other structure. Moreover, the request can be organized in such a way that the service provider can not even inform you.

If you control the encryption process in the cloud and own the corresponding encryption keys, you or your company may be forced to pass the keys to the requestor one way or another, but in any case you will know about it and you will have the opportunity to respond accordingly.

5. How to guarantee that, if necessary, your data will be safely deleted from the cloud?


In the case when you refuse the services of one provider and want to switch to another, or if you just want to remove your data from the cloud, you should clearly understand what the provider’s procedures are in relation to data deletion. Some cloud service providers may store their customer data until all bills are paid when the contract is terminated.

In addition, it is necessary to verify the proper deletion of instances and images of virtual machines that may contain sensitive information. Try to have a clear plan for avoiding the provider, which allows you to be sure that no data is left in the cloud.

6. How to centralize data security in different environments?


If your organization implements separate projects to fulfill various regulatory requirements, ensure data protection requirements in individual business units, or to eliminate security breaches, then you are not alone.

In this case, it is important to implement a centralized, unified approach to ensuring data security in cloud and on-premises environments. This will not only strengthen the security level of your organization, but also help reduce costs and increase business flexibility.


Are there answers to these questions in your organization, and what do you consider to be the main constraint that prevents your organization from moving to the cloud? Share your thoughts in the comments.

Also popular now: