The adaption of Software-as-a-Service and cloud solutions in general, is starting to become popular. However we are trusting these cloud providers with our most valuable asset, our data. Data breaches are happening all the time, as cloud providers are interesting targets for hackers who are after creditcard information or other sensitive information. Certain questions arise when you migrate your applications, and by doing this also your data, to the cloud. What can we do with data migrating to the cloud? What type of security measures can be taken? It is obvious that we (the good guys) need to be right 100% of the time, for the bad guys however, they only need to be successful 1% of the time. Krishna Narayanaswamy is Chief Scientist and founder at Netskope. He gave a talk about what data breaches are and how to prevent them while using cloud applications.
Ideally, the right security procedures and technologies need to be in place to ensure sensitive and confidential information is protected when using cloud resources. A first cause for data breaches is the fact that the majority of companies are circumventing important practices such as vetting the security practices of cloud service providers and conducting audits and assessment of the information stored in the cloud.
Another main cause for data breaches is the fact that more and more companies allow their employees to bring their own devices to work (smartphones, laptops and tablets). In the worst case, they allow (or do not actively disable) them to use devices to handle company data. Shadow IT is another main cause of data breaches.
A last cause which could trigger a data breach is a system glitch, which quite frankly is nothing a company can protect against if they choose to trust a cloud provider. Hence it is of vital importance, when selecting a cloud provider, to ask after the procedures and mitigations the cloud provider puts into place to protect their customers against data breaches due to system failures.
The causes mentioned above give rise to two types of data breaches: unintentional and intentional. Intentional data breaches happen when hackers or former employees actively attack a cloud provider and extract valuable company data from the cloud. Hackers bypass technology but former employees can simply use their unrevoked access credentials to access the cloud provider. It's thus of vital importance to ensure access rights are also enforced in cloud applications using the principle of least amount of privileges.
Unintentional data breaches happen when an employee leaks data by accident. For example, an employee is using a SaaS application, let's assume it is GMail. He needs to send a certain e-mail to a competitor with an attachment, an error is made and he chooses a file with valuable company data. This is classified as an unintentional breach, and the competitor now has the valuable data.
The multiplier effect
An interesting parameter to know when a data breach occurs is the economic impact it can have. A study executed by The Ponemon Institute and funded by IBM, shows that the cost of a data breach is increasing. It is estimated that the theft or lost of one customer record costs $145. Consider now a data breach were 10 000 customer records are compromised. This means that this data breach has an economic impact which is as high as: $145 x 10 000 = $1.45 Million. We call this the multiplier effect.
A simple approach could decrease this economic impact. For example, don't store backups in the cloud and reduce customer data that is stored in the cloud. A balance should be found in the risk of storing data in the cloud and the economic impact if a breach would occur.
Measure, analyze, act
Use solutions or metrics to rate cloud service providers, to check their enterprise readiness. For example, a file sharing service with a 'fake' download button which redirects you to an advertisement page is not an enterprise ready cloud service. Check for abnormal events happening and scan for anomalies to detect abnormal and possible malicious activities. A three-step solution would include: measure, analyze and act.
Measure the cloud services in your company, discover which applications are running. Analyze what these applications do at a deeper level. How do they handle your data, do they use secure network protocols. Are they deploying encryption in the cloud, who has the key for decryption etc. And lastly act. Plot a course of action based on risk, look at the usage of the service, is it critical? This is where the security strategy comes in to play and decides how to incorporate cloud services in the company and the extended usage of these services.
SaaS vendor responsibilities
In the SaaS model, the enterprise data is stored outside the enterprise boundary, at the SaaS vendor end. Consequently, the SaaS vendor must adopt additional security checks to ensure data security and prevent breaches due to security vulnerabilities in the application or through malicious employees. This involves the use of:
- strong encryption techniques for data security;
- hashing of sensitive login information;
- fine-grained authorization to control access to data and auditing access logs;
- off-loading sensitive information to dedicated servers.