Text transcription
Four Critical Steps to Better Cloud Security
Shawn Connors, PwC September 27, 2019
Organizations aren’t the only ones migrating to the cloud. Cybercriminals are going there, too, drawn by ever-increasing troves of valuable data. The challenge: how to protect it all. Cloud computing offers speed, agility, scalability, and convenience. By 2025, enterprises will be doing as much as 80 percent of their work in a cloud environment, one report predicts. That’s a lot of data—much of it highly sensitive—to leave unguarded, but many organizations are doing just that. Unclear about who’s responsible for securing cloud-hosted files, data, and applications under shared responsibility models, entities turn a blind eye to risk. With the cloud host providing so many services, they assume that security is taken care of, as well.
Who’s Minding All the Data in the Cloud?
According to McAfee, some 21 percent of files in the cloud contain sensitive data, including financial records, source code, and trading algorithms. Who’s minding all this data? Clients and customers entrust companies with their most personal information. It’s incumbent on companies to protect it. And indeed, U.S. law and laws in other countries—the European Union’s General Data Protection Regulation, for example—place the liability for compromise of this data squarely on the shoulders of the organization that “owns” it. If a breach happens, the entity storing the information is subject to lawsuits or penalties, not the cloud provider. The New York Department of Financial Services recently issued new cybersecurity requirements for third-party service providers to financial services companies. Other regulatory entities are expected to follow this trend, heightening scrutiny and tightening the screws on heretofore-unregulated service providers. But, as with the NYDFS, agencies will most likely place the onus on the organizations contracting with these providers to be diligent and vigilant regarding third-party security and privacy practices. There should be no confusion about who is responsible for keeping sensitive information safe.
Balancing Speed and Security
So should companies be doing more to ensure that the cloud environment they’re using is sufficiently secure? The answer would seem to be yes. Seduced by the promise of doing business faster and at a greater scale, organizations may turn a blind eye to the risks they incur by moving to the cloud. Sure, cloud providers do use sophisticated security measures to repel cyberattacks. And they update their technologies regularly, so enterprises don’t have to. Cocooned against intrusions—or so they think—these entities forget that the cloud’s enormous quantities of data and vast attack surface make it at least as alluring to hackers as it is to businesses. The cloud’s strengths—speed and convenience—could also be seen as weaknesses. Too many organizations, lulled into a false sense of security, fail to check their cloud providers’ safeguards or to supplement them with capabilities of their own. Complacency is bliss, it seems—until a breach happens, and organizational reputation, revenues, and profits are subject to significant exposure. Checking the provider’s safeguards and supplementing them with your own is the one-two punch we need to truly protect our most valued resources: the people and entities we serve.
Cover your Assets: What You Can Do Now
Race car and sports car manufacturers use high-performance brakes to let their vehicles travel as fast as possible—so that, when their drivers need to stop, they can do so quickly and safely. In the same manner, organizations must design safeguards in their cloud environments at the governance level. The difference between “risk” and “threats” can be subtle, but important. Here’s an analogy: Risk is what we encounter when we cross the street: if a car hits us, we could become injured. Threats are the possible manifestations of that risk, such as a driver speeding through the red light, coming directly at us, perhaps not seeing us because they are using their phone. We can’t manage the threat, in this instance. We can’t force the driver to slow down, or to put down their phone and look at us. We can manage the risk, however, by making sure the street is clear of oncoming traffic before we cross. A four-step strategy for minimizing your cloud risk:
- Incorporate cloud governance into your overall risk governance program
Too many organizations treat cloud governance as a separate entity, assuming that the cloud provider is protecting their sensitive information. This mindset dates back to just a few years ago, when many used on-premises servers and internal, for-our-eyes-only cloud environments and IT merely supplemented business operations.
In today’s “connected age,” the on-prem model is quickly becoming obsolete. Stakeholder expectations and enterprises’ own business models demand instant access to services and data, which the cloud provides.
With the cloud having become an essential component of business operations, it’s imperative to fold cloud governance into overall organizational risk governance. Only then can the enterprise bring its full resources to bear on securing its cloud-hosted data and applications from unauthorized access.
- Plan for the worst
Being prepared for worst-case scenarios can enable an organization to respond quickly to threats and minimize damage to the business and the bottom line. Organizations should already be doing this, and many are doing so in their risk governance/risk management practices. But moving to the cloud ups the ante: the old on-prem risk paradigms don’t transfer to this new, complex ecosystem.
Businesses must envision a malware attack, DDoS attack, or data theft on the massive scale that the cloud affords, and design their processes and systems to withstand such an attack with minimal disruption to the business.
Project Details
Provocative thought-leadership pieces on technology, cybersecurity, and privacy are among my favorite kinds of work. This article on cloud security that I wrote in fall 2019 with PwC consultant Shawn Connors was ahead of its time—pre-COVID, when remote work spurred organizations to increase their cloud presence and, at the same time, cybercriminals stepped up their activity. To write this, my manager, Cristina Ampil, head of the Cyber and Privacy Innovation Institute at PwC, and I interviewed Mr. Connors; his remarks, along with my supplemental research, gave me the material I needed. He and we then worked together to refine and craft the top-notch result that meets PwC’s exacting standards.
Client: PricewaterhouseCoopers
Format: Article