Migration to the cloud has accelerated in the post-pandemic hybrid work world and more recently as companies battle inflation and rising real estate costs.
“Why would you rent a huge building and pay to house all this equipment for scalability and backup purposes?” asks Vito Nozza, principal consultant for ConvergeOne’s cyber security practice. “You could send it all to the cloud and save money, on so many levels.”
However, one big mistake IT leaders make when they move to the cloud is assuming that cloud providers are securing their data, and therefore believing they can relinquish their responsibility or accountability for it. “That couldn't be further from the truth,” says Nozza.
Security and privacy are not limited to the data located on-premises. They apply to all your data in the cloud, too.
IT leaders must keep cloud data confidential and protect its integrity, ensuring no one can change it. A good compliance program can help prevent your data from being altered and keep it from being compromised. Data should be properly stored, monitored, and encrypted, and your cloud service provider should hand you the keys to the kingdom, so to speak, for encrypting it, says Nozza.
Cloud providers can house your data and ensure that it remains available to you, but they should not have access to it. Ensure your data is transferred to the cloud in a secure manner, and once it is in the cloud, be sure you’ve locked down who can access it. This is especially important for the confidentiality of healthcare data, retail credit data, and financial services data.
The CIA triad (confidentiality, integrity, and availability) is a useful model for what IT security must deliver. “If any of those three elements are missing in your cloud storage, then you failed your data strategy,” says Nozza.
When migrating to the cloud, leaders would be wise to evaluate their security posture, advises Nozza. This means understanding the information you're housing in the cloud and your risk tolerance for losing that information. Knowing your company’s ecosystem and the data and information that make it operationally viable is key to protecting the right assets.
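The two points above, that the provider should store and serve your data without being able to read it, and that the customer rather than the provider holds the encryption keys, can be demonstrated with client-side encryption. The following Go program is an added example and is not code from the article or from ConvergeOne; the `CloudStore` type is a constructed stand-in for a provider's object storage, and the key is generated locally to model a customer-held key. It uses AES-256-GCM from Go's standard library, so the stored blob carries an authentication tag: the provider sees only ciphertext (confidentiality), and any modification of the stored object, or an attempt to serve one object's ciphertext under another object's name, is detected on retrieval (integrity).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore is a constructed stand-in for provider storage (assumption for
// this example). It only ever receives ciphertext from the customer.
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

// Put stores a blob under a name; the provider cannot tell what it contains.
func (s *CloudStore) Put(name string, blob []byte) {
	s.objects[name] = append([]byte(nil), blob...)
}

// Get returns the stored blob, or false if no such object exists.
func (s *CloudStore) Get(name string) ([]byte, bool) {
	b, ok := s.objects[name]
	return b, ok
}

// NewCustomerKey generates a 256-bit key that stays with the customer.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM under the customer key before it
// leaves the customer's environment. Layout: nonce || ciphertext || tag.
// The object name is bound in as associated data so a blob cannot be
// silently swapped in under a different name.
func Encrypt(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Decrypt opens a blob retrieved from the provider. Any change to the
// ciphertext, tag, nonce or object name makes gcm.Open return an error.
func Decrypt(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, _ := NewCustomerKey()
	store := NewCloudStore()
	record := []byte("patient-id=12345;diagnosis=constructed sample") // constructed sample data

	blob, _ := Encrypt(key, record, "patients/12345")
	store.Put("patients/12345", blob)

	stored, _ := store.Get("patients/12345")
	fmt.Printf("provider sees %d bytes of ciphertext, not the record\n", len(stored))

	// A tampered copy fails integrity checking on retrieval.
	tampered := append([]byte(nil), stored...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := Decrypt(key, tampered, "patients/12345"); err != nil {
		fmt.Println("tampering detected:", err)
	}
}
```

In a real deployment the key would live in a customer-controlled key management service or HSM rather than in process memory, and the nonce must never repeat under the same key; generating it randomly per object, as here, is the standard approach for AES-GCM with 96-bit nonces at moderate volumes.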
For instance, ConvergeOne uses a risk management program to understand its critical assets and the impact of losing them. It determines how much data loss is tolerable before a backup must exist. Executive leadership and board members approve that security posture. Smart leaders will ensure their cloud partner has the same security posture as they do, if not a better one.
Remember, the cloud is an extension of your network, so it’s important to prioritize your data and risks. Understanding what your critical assets are and how to properly protect them is key. Very few companies have a good data classification model, which means protecting or keeping private the proper assets to ensure continuous operations, says Nozza.
“Knowing which assets are critical to your company and which are at a lower priority can help ensure security funds are allocated properly,” says Nozza. “Too many times, I have seen costly controls being used for data that is essentially…public knowledge.”
Ensure that your cloud provider gives you the right to audit your data. Most often they'll allow you to look at some of their audit reports to confirm that they're certified, providing industry-specific certifications, for example HIPAA (healthcare) or PCI DSS (retail). A good cloud provider will most likely have SOC 2 Type 2 and/or SSAE 18 attestation audits available for you to view. Some will allow you to audit your slice of the cloud, but never the entire infrastructure. You can empower your organization by creating a data compliance program, in which you determine how critical each dataset is to your organization, whether high, medium, or low. A good data compliance program can be helpful, and if data is compromised, it can assist in determining who had access to it.