While public cloud environments offer many benefits, it is essential to ensure the security of your data through constant monitoring.
In July 2021, information technology major IBM released the results of its annual study on data breaches. It found that data breaches now cost surveyed companies $4.24 million per incident on average – the highest in the 17-year history of the report.
Cloud computing is now central to most large businesses. Nothing illustrated its importance more starkly than the pandemic that hit the world and forced virtually all organisations to ask their employees to work from remote locations.
This has, however, once again fuelled a debate on the pros and cons of data security aspects of using private cloud versus public cloud services. In a private cloud environment, the company maintains its own data centres. As a result, it is fully responsible for the physical security of the servers and IT security in terms of identity management, access control protocols, identity protection, and encryption.
The most significant advantages that a public cloud offers are in terms of costs and scalability. It is cheaper to set up and is hence a preferred option of many large organisations. However, the Infrastructure as a Service (IaaS) provider manages physical security in a public cloud environment. It provides a level of basic IT security which clients can tweak to their preferences.
Here are some steps that organisations can take to enhance their data security while working with public clouds.
The basics, of course, remain the same, whether the cloud is public or private:
In addition, when using IaaS, it is essential to apply the following best practices:
Choice of provider
This is one of the most critical decisions that an organisation makes while using a public cloud environment. It is crucial to work with a provider who can deliver the best built-in security protocols and is transparent about them. Most of the largest cloud providers – Amazon Web Services, Google Cloud, Microsoft Azure and Alibaba – offer clients complete access to check their compliance and security certifications.
A reputed provider will also generally offer state-of-the-art physical security to protect a company's data assets, along with properly vetted and tested personnel to manage the data centres.
Close review of contracts and Service Level Agreements (SLAs)
Even with the best service providers, it is essential to review all contracts and SLAs to ensure organisations know what they are paying for. There are two critical elements in such a review. The first is establishing complete clarity as to who owns the data. This may sound ridiculous, but it is a grey area in many contracts. The other element of such a review is to clarify which security tasks rest with the service provider and which are the responsibility of the user organisation. Lack of clarity on both these elements can lead to protracted disputes.
Such reviews should also include aspects of physical security and responsibilities towards the providers’ employees manning the data centres.
In-Transit Data Protection
Data security breaches often happen when malicious elements intercept data in transit between the servers and end-users. It is crucial for any company to work with its cloud services provider to implement security protocols that ensure that such in-transit data is encrypted and useless if it falls into the wrong hands.
Visibility and Control
For all large organisations, but especially those operating in sectors with very high data security compliance requirements (e.g. healthcare or financial services), it is vital that their IT security teams can monitor who is using their data, how and where. It is, therefore, important to work with the cloud services provider to establish this 24x7 activity monitoring.
Cloud Access Security Broker (CASB)
Most experts also recommend using a CASB, a set of software systems that sits between the cloud services provider and the client. A CASB helps extend security control protocols, defends against sophisticated cyberattacks, offers malware protection and supports monitoring and mitigation of high-level risk events.
Moving to a public cloud environment offers companies many benefits in terms of costs and scalability. It, however, also requires eternal vigilance on data security to prevent grave financial, legal and reputational risks arising from any breaches.
Author: Vaibhav Pulekar
Deputy General Manager - Cybersecurity