Companies that added public cloud services and remote workers during the COVID-19 pandemic have discovered complications with compliance and an increased likelihood of data loss.
According to a recent study of 304 IT pros conducted by Enterprise Strategy Group (ESG), "The State of Data Privacy and Compliance," 57% of respondents said they believe more than 20% to half of their sensitive data already stored in the public cloud is likely insufficiently secured. Sixty-one percent of respondents said they have either lost data or suspect they have lost data.
The loss is largely attributed to human error, which has intensified due to remote work policies. One-third (36%) of respondents said data loss was indeed tied to remote users.
From a senior management perspective, cloud applications added during the pandemic could become another silo to hinder the business, albeit a silo at AWS or Azure versus one that lives on premises.
"Regulations are changing, architectures are changing and we are replacing our legacy apps with SaaS solutions," said Niel Nickolaisen, CIO at Sorenson Communications, a provider of video relay and in-person American Sign Language interpreting services in Salt Lake City, Utah. "Now, there is nothing on prem, and the data is in someone else's data center. There are more bad places for things to happen."
To address this challenge, IT pros need to adjust security and access policies, regardless of where data lives. "A well-architected environment between storage, compute and the cloud is directly tied into how companies manage compliance," said Vinny Choinski, analyst at ESG, a division of TechTarget.
Corporations need to act fast to secure data as any leak creates a sense of risk for their customers. After all, no one wants to do business with a company that can't secure its data. But today's distributed environments are moving targets that are likely managed by more than one department or even company. And the many different vendors that supply the SaaS applications now in use across these enterprises often focus more on providing service uptime rather than security. Securing the data that exists in those services -- and securing access to those services -- is still the user's responsibility.
The rush to digital transformation
The fact that enterprises have accelerated their data transformation projects underlies much of this heightened activity, but in many ways, the ecosystem can't absorb the changes. For example, while larger companies, such as AWS or Microsoft, may be set up to provide local services, others are not prepared for that level of service segregation, Nickolaisen observed.
In a perfect world, all service providers would offer regional instances of their services for those clients that want data to reside in specific geographies. This would be helpful in cases when a customer wants to replicate data in one region to another region using the same provider for each.
"That reduces my complexity and also improves my agility," Nickolaisen said. "If I make a change to my services, I simply replicate those, using the same provider services, to my different regions."
Regulatory instability also adds compliance complexity. GDPR rules, for example, are shifting sands that create uncertainty in what companies can and can't do. In the first version of GDPR, Nickolaisen said the way his company complied was that it had articulated in its EULA how it would use customer data. Customers were asked to opt in.
"Even in the EU or U.K., depending on what service they used, it was OK," he said. "Since then, it's not as airtight as we thought, and even the opt-in may be insufficient."
In-house security risks
The ESG study indicated other sources of cloud resident data loss that look beyond remote employees. Companies typically keep their most sensitive data in a data center, if for no other reason than they believe services providers face some of the same challenges that befall their customers, which include attacks that come from within. Control may not be worse, but there is a sense that they are now one step removed.
In one query with 177 respondents, 29% said cloud resident data loss was due to sensitive data from competitors being uploaded to IT-led cloud services. Another 29% of data loss came from data exposure from personal devices, while 25% came from use of unsanctioned cloud services. Though the accounts were fewer, 20% reported data loss due to malicious insiders.
To keep up to date -- automate
One expert said users can and should fight back through automation. Companies must look at every possible way to monitor and manage their infrastructure, which includes interconnectivity and access controls, as well as applications, said Andrew Plato, CEO of Zenaciti, a consultancy based in Beaverton, Ore.
Plato explained that automation makes compliance easier, not harder, in the cloud -- though he recognized that companies in the early stages of automation may find it more difficult. He recommended reaching out to cloud service provider representatives for help. They have the resources, the security and developer templates to help guide IT teams through the process, he said. Microsoft Azure, for example, publishes libraries of templates, blueprints and other documents around how to ensure privacy and security in Azure environments.
"Service providers want you to stay on their platform," he said. "They want you there consuming services. Anything you can pull off the platform -- and compliance and security are the biggest things -- they are there to help you."
But, he added: "They won't come to you. You have to ask."
The recent rush to put apps in the cloud likely falls hardest on the employees who built the local apps in the first place. People are beholden to what they've built, Plato said. The concern is they lose power when the app they've nurtured becomes a cloud service and they find their expertise, cultivated for years, is now irrelevant.
And some worry that the cloud offers less control, but you could argue that it's much more control. "It's finer, more granular control," Plato said. "People are the weakest link. You need to build around scripting and DevOps, where humans are less part of the equation."
Though regulations and compliance standards have certainly grown in complexity, there are also maturing technologies well suited to new remote security demands.
Remote access technologies can constrain and limit the scope of an attack when an endpoint is compromised, Plato said. Extended detection and response technologies can detect and monitor not only an attack, but also the related attacker reconnaissance and user behavior that contributes to a compromise, Plato added.
Both technologies work together to protect the endpoint.