As organizations move to the cloud, enterprise data is increasingly created, used and stored across a variety of SaaS and cloud-based service providers. While these services bring new efficiencies and, in some cases, improved platform security, they also bring new risks – and enterprise security teams need to know what goes on behind the curtain of their SaaS and cloud partners when it comes to how their data is protected.
Insider threat risk can easily grow by orders of magnitude and, even worse, this risk is almost completely invisible to the enterprise security team, which has no way to monitor, assess or reduce it. Organizations must ensure their customer and employee data, transaction records and intellectual property (IP) remain safe in the cloud. This requires organizations to demand transparency and accountability from each SaaS vendor about the details of their data security program.
Recently disclosed incidents at Facebook and Google have proven that even the largest, most technically advanced organizations can be vulnerable to insider threats. These incidents require organizations to reevaluate how they think about data risk. While it is easy to think of “moving to the cloud” in abstract terms, we must remember that for the vast majority of those services, there are real humans with access to data and systems that can have a considerable impact on an organization’s security. That risk only multiplies as enterprises adopt more SaaS apps and services.
Service providers already face a variety of regulations and requirements when it comes to protecting their customers’ data, from General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA)—with more on the horizon. It is important to understand what these regulations cover, what they don’t and how they can be made stronger. Cloud customers also need to make sure that security measures are in place that focus on mitigating theirdata risk, not just the legal and regulatory risk of the provider.
Making Data Security a Cloud Differentiator
Enterprises may not have direct control over the insiders at their service providers, but that does not mean that they are powerless to protect their data in the cloud. Cybersecurity is already a priority for almost every enterprise SaaS and cloud vendor, and many treat security as a key differentiator. However, many of these security efforts focus on external threats, while risks from insiders remain a comparative blind spot. Many such services will be eager to bolster their insider threat protection and data security if they know it is a priority for their customers.
It isn’t enough for providers to throw out general security platitudes about adhering to security best practices. Enterprises should also require verifiable policies and controls that follow their specific data and assets. While the details will naturally vary from provider to provider, a few common considerations to help security leaders drive constructive discussions with their cloud providers could include:
- Are data controls appropriate for the data being protected? Traditional data security tools are often limited to controlling highly structured data such as databases of user information. However, SaaS and cloud vendors are increasingly in possession of a wide variety of data types. Providers need to be able to control and subsequently track what happens to all types of content or files that are created or stored in the cloud.
- Can the solution detect and block risky data usage? A service provider’s staff naturally will require access to sensitive customer data to do their job. Controls should be in place to ensure that data isn’t forwarded, copied or shared using any unapproved or risky applications or features. Likewise, security teams need to be able to identify any abnormal access, sharing or usage that could indicate malicious insider behavior.
- Can data be tracked and controlled on a per-user or per-customer basis? Many providers simply control access to specific repositories where customer data is held. However, this broad level of visibility may not be able to tell a specific customer if their data is being misused. The SaaS vendor needs to be able to track and document exactly where a specific customer’s data has traveled, not just all customer data.
- Can the solution provide auditing and reporting covering all the capabilities listed above? Ultimately, cloud customers will want to be able to verify that their provider is living up to their security responsibilities. As a result, security tools should make it easy for providers to audit risks to their data and validate that controls were properly applied.
Service providers and their customers will want to consider these questions when it comes to their data security in the cloud, but this is not an exhaustive list. However, these questions provide a good start that can help cloud vendors and customers work together on a security strategy that keeps data in the cloud protected from all manner of risks, including those caused by malicious or accidental actions.