teissTalk: Control in the cloud - are your data transfers secure?

On 23 March, teissTalk host Thom Langford was joined Benoit Heynderickx, Principal Analyst, Information Security Forum (ISF); Ryan Cooke, Consulting CISO, Orum.io; Nick Hogg, Director of Technical Training, Fortra.

 

Views on news

The average company with data in the cloud has 157,000 sensitive records exposed to everyone on the internet by SaaS apps sharing features, representing $28 million in data-breach risk, according to a new report released Tuesday by Varonis.

 

The study, titled "the Great SaaS Data Exposure," examines the challenges CISOs face in securing platforms such as Microsoft 365, Box, and Okta, also found that 81% of organizations had sensitive data exposed in the cloud.

 

The problem often  lies in that the vast majority of IT teams, including security teams, simply having no idea how to actually secure the cloud. Corey O’Connor, director of products at DoControl, said for organizations to scale security in line with SaaS adoption and utilization, they need to first gain visibility into their SaaS estate. 

The security of data transfers

The question of data transfer security needs to be specified. First of all, there is the compliance aspect if you transfer data to servers under a different legislation, which is a moving target in itself. Another challenge is making your various non-technical teams aware of compliance issues.

 

There are now some very good, automated classification tools for identifying where data is, which will scan and locate data by classification. Meanwhile, some organisations simply draw a line and say, all data from today onwards is mandated to be classified. A hybrid cloud environment can be seen as the best of both worlds from a user’s perspective, but it results in double workload for the security and compliance teams. 

Although cloud providers will provide a reasonable level of security in the cloud, as companies move things around, configuration issues are bound to arise, although all the tools necessary for preventing that from happening are supplied by cloud providers. Automation can also take away a lot of the risk that configuration presents.

 

The unrepresentative Teiss poll showed that 60% of the audience does store sensitive information in the cloud. From the vendor’s perspective, however, auditors and assessments on them are lagging behind featuring questions such as “do you review your firewalls regularly?”, which is a question not applicable in a cloud environment. 

Data migration offers a good opportunity to inspect the data you’re transferring, as well as to label the sensitive bits. Endpoint DLP and compliance solutions can enable end users to migrate their own data to the cloud. Although encryption is key to data protection, it’s not a silver bullet.

 

However, you always need to be clear on how encryption is implemented. The cloud provider will encrypt the data in your bucket but for anyone to read the data, they’ll need the decrypted version. Typically, the keys are with the business, and they will have to mandate who can use them.  

The panel’s advice

Restrictive classification of data can create barriers for people trying to do their job. 

No one in the panel believes that AI can help with data classification any time soon. 

With automation, you can test your hybrid environment without interrupting critical operations.

Reviewing the security of terabytes of data in the cloud is challenging, but you can use review samples of data that are representative of your data estate.