A huge majority of businesses use cloud services in their day to day processes. The State of IT in the United Kingdom 2019 report found that 96% of SMEs use some form of cloud service.

Many people make the mistake of assuming that subscribing to a cloud platform of any kind will meet any security and compliance requirements they may have. In reality, out-of-the-box cloud services are unlikely to meet the necessary standards to keep your organisation’s information safe.

According to research by McAfee, 99% of misconfigurations in the cloud go completely unnoticed by the organisations using their services. This leaves an enormous amount of data at unnecessary risk of a breach.

A proactive approach to the safety of your data includes considering how well it is protected everywhere it is kept, including how well your security measures extend into cloud storage.

Sharing responsibility

Responsibility for data in the cloud is typically shared between both the cloud provider and the organisation using it. Service providers are will generally meet basic standards of security, otherwise they wouldn’t get much business.

However, it is your responsibility to make sure that you thoroughly understand the level of security they provide. Meeting basic standards of security doesn’t guarantee that a cloud provider is fully compliant with – or even fully aware of – any regulations specific to your industry.

You need to be satisfied that you are comfortable with their efforts and take steps at your end to defend any vulnerabilities a basic service doesn’t cover as standard.

Visibility is critical

Cloud services are so common now that many organisations actually use more cloud services than they are themselves aware of. In a survey by McAfee, a full 16% of respondents didn’t realise that they use multicloud services.

Asset management is just as important in the cloud as it is in your physical infrastructure. Knowing what data is in your possession, and where and how it is stored, is imperative in properly protecting that information.

You might, for instance, choose to keep highly confidential data out of your cloud infrastructure so that you have full control over its security.

What is a Cloud-Native Breach?

Many cybercriminals target cloud services because a successful breach will allow them to exploit the sensitive information of multiple organisations. Attacks have been developed specifically to exploit common vulnerabilities in cloud infrastructure that differ from typical malware infiltration.

Cloud-native breaches are more likely to exploit vulnerabilities without using malware. Instead they leverage weak credentials or take advantage of misconfigurations. Once they have gained access to cloud platform, they can access remote databases and capitalise on weak network controls to reach as much sensitive information as possible.

This can mean compromising the information of any organisation using the cloud service and is why it is essential to add your own layers of protection to anything you store in the cloud.

Integrating your approach to compliance

Finding a provider with robust policies on data protection is your responsibility. Critically evaluating how well your data will be protected by each provider you consider when adopting cloud services will allow you to make an informed decision that factors compliance into the equation.

Carefully auditing your data is a key part of compliance and is just as critical in your cloud-based information as your physical storage. Extend every measure you to take to catalogue and safeguard the data you store locally to the data you handle in the cloud.

Ensuring that the credentials you use to access service providers are secure, both through strong password policies and multi-factor authentication, can help protect against the kind of vulnerabilities often leveraged by hackers targeting the cloud.

Encrypting anything you keep in the cloud will keep it secure even if the service provider is hacked.

Despite the security measures cloud providers offer, from a compliance perspective the security of your data is still ultimately your responsibility.

 

Find out how ThreatAware can help manage, monitor and communicate your cybersecurity by scheduling a demo or signing up for a free trial.

Images from McAfee’s Cloud Adoption and Risk Report.