More and more companies are being seduced by the advantages of the cloud. But this migration must not focus solely on cost reduction, flexibility and innovative solutions. Data security is becoming a major issue. And it's not just a question of software... The cloud needs to be integrated into risk management.
"The use of the public cloud is increasing rapidly, which inevitably leads to a greater number of sensitive items potentially at risk," warns Jay Heiser, vice president and head of cloud security at Gartner.
Whether it's a targeted attack, human error, application vulnerability or poor security practices, the result is always the same: business activity is impacted. Sensitive information can end up in the wild, or be exploited by competitors or the state.
Like any tool, it's how you use it that has consequences. Clearly, it's not the security of the cloud that needs to be called into question. It's the way companies use these services that is (or can be) problematic. Specializing in IT security, Threat Stack analyzed 200 companies using AWS.
Misconfigured AWS instances
The American firm found that 73% of them had at least one security misconfiguration, including unauthorized profiles with direct access to data in the cloud. Access Control Lists (ACLs) let administrators define and manage who has access to S3 buckets and the objects they contain.
But it seems that this practice leaves something to be desired... even at the US Army. In late 2017, California-based cybersecurity firm UpGuard discovered a database belonging to the Department of Defense. Surprisingly, it had been misconfigured on an Amazon Web Services instance. But the military is not the only one at fault. Several major accounts (Accenture, Verizon and TigerSwan) have also accidentally left buckets containing confidential data exposed on the Web.
As instance configuration problems, particularly with AWS S3 (Simple Storage Service) instances, multiply, Amazon has redesigned its interface to better notify administrators which instances are publicly accessible on the Internet. The US giant has also configured some important settings by default.
This example from AWS confirms that companies are poorly trained to manage data in the cloud. The risk is all the greater given the responsibility that rests on them.
Risk management: Shared responsibility
Contrary to popular belief, responsibility for certain aspects of IT security is often shared between the cloud service provider and the customer. This division of responsibilities is likely to vary depending on the service model (IaaS, PaaS, SaaS...).
For example, SaaS providers ensure that their applications are protected, and that data is transmitted and stored securely. But this is not usually the case with IaaS. There, a company has full responsibility for its Amazon Elastic Compute Cloud (EC2), Amazon EBS and Amazon Virtual Private Cloud (VPC) resources, including operating system configuration, application management and data protection.
It is therefore essential that the team responsible for IT maintenance and security understands and masters these issues. Cloud providers offer a range of security tools (firewalls, identity and access management systems, IPS/IDS...). So don't hesitate to use them.
RGPD and cloud contracts
But IT security shouldn't be limited to hardware and software solutions. Applicable from May 25, the RGPD (GDPR) insists on the co-responsibility of the company and its service providers. Subcontractors (data processors) must ensure that data has been collected with the explicit consent of users. They must also implement security processes.
On the other hand, Article 26 of the General Data Protection Regulation reminds us that the company director remains responsible for the processing of personal data. He or she must therefore verify the guarantees provided by subcontractors in terms of data protection. It is advisable to have a lawyer review the contracts of cloud service providers to check whether they contain clauses specific to the RGPD.
Encrypt your data
Focused on optimizing the development phases of their products or services using the cloud, many companies fail to encrypt their data! According to RedLock, an American company specializing in cloud security, 82% of databases in the public cloud are not encrypted. Storing sensitive information in the cloud without an encryption solution is dangerous. It can jeopardize a company's business and expose the personal data of its customers, prospects and employees. Remember that in the event of a private data leak, every company must notify the CNIL within 72 hours (RGPD).
Wherever possible, companies should retain control of encryption keys. While it may be possible to give cloud service providers access to the keys, responsibility for the data again lies with the organization.
Another oversight due to a lack of corporate awareness is the absence of multi-factor or two-factor authentication. This measure helps to limit the risk of identity theft (account hijacking) and to better control access to the cloud. But here too, RedLock found that 58% of root accounts do not have multi-factor authentication enabled.
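The two AWS misconfigurations the article singles out, an S3 bucket ACL that grants access to everyone and a root account without MFA, can both be checked mechanically. The script below is an added example, not code from the article or from Threat Stack or RedLock; it works offline on constructed dictionaries shaped like the responses of the boto3 calls `get_bucket_acl()` and IAM `get_account_summary()`, and it only covers ACL grants (bucket policies and Block Public Access settings are separate checks).

```python
"""Offline audit of two AWS misconfigurations: public S3 ACL grants and
root MFA. Input dicts are constructed samples in boto3 response shape."""

# The two "everyone" grantee groups S3 recognises in a bucket or object ACL.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def public_grants(acl):
    """Return (who, permission) for every ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((PUBLIC_GRANTEE_URIS[grantee["URI"]], grant["Permission"]))
    return findings


def root_mfa_enabled(summary):
    """IAM get_account_summary() reports root MFA in SummaryMap['AccountMFAEnabled']."""
    return summary.get("SummaryMap", {}).get("AccountMFAEnabled", 0) == 1


def audit(acl, summary):
    """Collect human-readable findings; an empty list means both checks pass."""
    findings = [f"bucket ACL grants {perm} to {who}" for who, perm in public_grants(acl)]
    if not root_mfa_enabled(summary):
        findings.append("root account has no MFA device enabled")
    return findings


# Constructed sample data (hypothetical owner id; a bucket readable by the world).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_SUMMARY = {"SummaryMap": {"AccountMFAEnabled": 0, "Users": 12}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, SAMPLE_SUMMARY):
        print("FINDING:", finding)
```

Against live accounts, the same functions can be fed the real responses of `s3.get_bucket_acl(Bucket=...)` and `iam.get_account_summary()`.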
The Cloud Act
All these measures help to strengthen data security, but above all data confidentiality. This objective should become a priority with the arrival of the Cloud Act (Clarifying Lawful Overseas Use of Data Act).
Unveiled in early February 2018 by the US Congress, it aims to make it easier for law enforcement agencies to access data stored on servers abroad, regardless of the country in which the people concerned live or where the data is located. In other words, an American judge could give the go-ahead for his country's authorities to access emails or files hosted in a GAFA datacenter in France.
Data governance
The cloud is forcing companies to establish a formal information governance framework. This mission can be carried out by a CDO (Chief Data Officer). He or she will have to develop the strategic vision and determine the stakes involved in acquiring and exploiting the company's data. This cross-functional position will drive the evolution of the entire organization towards a data-driven logic (which implies the cloud).
This formal framework will detail:
- Rules: definition and evolution of administration rules;
- Roles: distribution of responsibilities among the various players;
- Control: setting up mechanisms to ensure that established rules are applied;
- Risks: assessment and management of risks and threats linked to "useful" data (including personal data): theft, loss... In other words, everything to do with cybersecurity from a technical point of view, but also from a regulatory point of view (compliance with the RGPD).