
Data and the Cloud: what you need to know about cybersecurity

Increasingly, companies are transferring (or preparing to transfer) their data and processing to cloud computing services. But all too often, they still think their files are safer there than if they were stored locally. This can be a costly mistake...

Traditionally, data is stored internally. Cyber-attackers therefore need to compromise the corporate network before gaining access. Various techniques can be used. The two most common are malicious code hidden in an attachment (once the attachment is opened, the virus goes into action) or simply stealing logins/passwords.

Convinced that their data will be safer in a cloud provider's datacenter, companies are increasingly choosing this option. For VSEs and SMEs that don't have the in-house resources (technical and human) to ensure the confidentiality of their data, the cloud represents a godsend.

But this solution is not without risks. Last October, a global study by Thales/Ponemon Institute revealed that only a third (32%) of companies use a security approach that integrates data storage in the cloud.

We will never cease to remind you of three major points:

Don't neglect your responsibilities

The data a company entrusts to a hosting or cloud provider remains its property; it's up to the company to take all appropriate measures to secure it! However, according to the Thales study mentioned above, only one company in three (31%) considers that protecting data in the cloud is its own responsibility.

According to this study, almost half (48%) of companies have a multi-cloud strategy. The top three cloud providers are AWS, Microsoft Azure and IBM. On average, companies use three different cloud providers, and 28% use four or more.

Even though they regularly warn their customers, cloud providers focus solely on the security of their infrastructure. Noting that customers are not applying basic rules, some providers are increasing the default level of security by forcing companies to apply this or that measure.

Certainly, Article 28 of the GDPR states that processors (and therefore cloud providers) must offer sufficient guarantees regarding the implementation of technical and organizational measures.

Although cloud providers offer better security, they also provide customers with less insight into the security of their systems. Companies therefore need to implement appropriate monitoring measures...

Don't neglect the security of your data in your cloud

Not only developers, but also decision-makers and IT and security teams need to understand the types of data they are collecting and the requirements for storing and therefore processing it (with regard to the GDPR in particular).

But above all, we need to be extremely vigilant, especially when it comes to the cloud. As attacks become more automated, cybercriminals will multiply the number of infections and data breaches.

Numerous studies by Check Point, CyberArk, Darktrace, FireEye... indicate that ransomware will remain one of the main threats this year for all businesses, but also for hospitals.

According to Sophos, ransomware targeting the public cloud is set to multiply. It will target and encrypt data stored in cloud services such as Amazon Web Services (AWS), Microsoft Azure (Azure) and Google Cloud Platform (GCP).

Don't skip a step

The cloud provider has a certain level of access to your data. This creates security issues that differ from those of a local infrastructure. With on-site servers and software, a company's main concerns are availability and internal threats. With cloud providers, a third party can gain access to your data without you being able to detect it.

Applying field-based data protection can significantly limit the impact of insider threats, whether from employees or rogue cloud administrators.

Encryption and the use of tokens protect information while, in many cases, allowing normal functions, such as searches, to be carried out without ever requiring plain text.
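The sketch below is an added example, not code from the original article or from any vendor it names. It illustrates field-level tokenization with a keyed "blind index" so that an equality search runs on the cloud side without plain text; the class, function and field names are hypothetical and the records are constructed sample data.

```python
import hashlib
import hmac
import secrets


class FieldTokenizer:
    """Runs on the customer side: the key and the token vault never leave it."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._vault = {}  # token -> plain text, kept on-premises

    def blind_index(self, value: str) -> str:
        # Keyed hash of the normalized value: lets the cloud test equality
        # without learning the value. Caveat: equal values share an index.
        normalized = value.strip().lower().encode("utf-8")
        return hmac.new(self._index_key, normalized, hashlib.sha256).hexdigest()

    def protect(self, value: str) -> dict:
        # Random token: carries no information about the value it replaces.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = value
        return {"token": token, "idx": self.blind_index(value)}

    def reveal(self, token: str) -> str:
        return self._vault[token]


def cloud_search(rows: list, idx: str) -> list:
    """Runs on the cloud side: sees only tokens and blind indexes."""
    return [r for r in rows if hmac.compare_digest(r["email"]["idx"], idx)]


def demo():
    tokenizer = FieldTokenizer(secrets.token_bytes(32))
    # Constructed sample records (not real data).
    emails = ["alice@example.com", "bob@example.com", "alice@example.com"]
    cloud_rows = [{"id": i, "email": tokenizer.protect(e)} for i, e in enumerate(emails)]
    # The client sends only the blind index of the search term.
    hits = cloud_search(cloud_rows, tokenizer.blind_index(" Alice@Example.com "))
    revealed = [tokenizer.reveal(h["email"]["token"]) for h in hits]
    return cloud_rows, hits, revealed


if __name__ == "__main__":
    rows, hits, revealed = demo()
    print([h["id"] for h in hits], revealed)
```

Because identical values produce identical indexes, a party with access to the stored rows can still see which records share a value, so the index key must stay outside the provider's reach.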

In conclusion, cloud-related security issues are still poorly understood by professionals, including developers. By understanding their responsibilities, knowing what data is being collected and applying security to the data, not just the system, companies can strengthen their resilience.
