Protecting the cloud - a GDPR issue that can't simply be outsourced
Protecting the cloud - a GDPR issue that can't simply be outsourced

Adoption of cloud services and cloud-based apps has continued to grow steadily over the last few years, as businesses take advantage of the ease of access and increase in storage it provides. But the increase has brought with it a false sense that any data or application based in the cloud is automatically secure. In turn, placing businesses and their customers at risk of a potential data breach.

The General Data Protection Regulation (GDPR) is now less than a year away, so time is running out for companies to ensure they are choosing service providers that are compliant or face a potential fine. According to recent research, businesses in 2017 are expected to use an average of 17 cloud applications to support their IT, business, and operations strategies. With this increasing reliance on cloud applications, businesses must start taking the issue of security in the cloud seriously. They can no longer have a ‘head in the sand' mentality and must start asking the right questions about the service providers they are looking at.

Taking the right steps

The first step a business must take is to assess its cloud requirements and then select a provider that suits those needs. There isn't a one size fits all approach. Each business is different and the amount of data stored, and the way it's used, will vary a lot. Spotify, for example, chose Google because it was looking for a company with data processing expertise. Businesses are choosing Microsoft Azure as it is taking on-premise enterprise solutions into the cloud, offering companies the opportunity to access guaranteed best practices, instead of leaving internal IT teams to keep up.

Once a business has chosen its provider, the next step is to focus on ensuring the data is secure. This means controlling who has access to the data and then protecting the data from people who don't have access.

The most effective way is by implementing the following protocols:

For access management in the cloud

-          Cloud Single-Sign-On: Single sign-on (SSO) provides the capability to authenticate people once, and thereafter be automatically authenticated when they access connected resources. It eliminates the need to log in and authenticate to each app and system separately, essentially serving as a bridge between the user and the applications.

-          Protect identities and granular access policies: Different applications will require different levels of trust, depending on the sensitivity of the data they hold. By enabling different policies, businesses can control who, and how many people have access to each resource. Ensuring the identity of people using the applications could come in the form of two-factor authentication, controlling who has access by something they have (a phone) and know (code/password).

-          Optimise access policies with data-driven insights: To determine if a level of trust is too strict or too lenient, companies can turn to data-driven insights. By incorporating statistical data into their access policies, companies can implement the right risk management strategy, and find the best balance between security and the usability expectations of their employees.

-          Ensure scalability of the cloud estate: It's vital that any access controls that businesses put in place are scalable as they as they must meet the needs of the user and application needs, without impacting performance.

Protecting the data at its source

-          Encryption: Implementing encryption renders a business' data unreadable and therefore unusable to anyone that the company has not allowed to access it.

-          Encryption key management: The keys created in the encryption process must be stored securely, preferably in hardware, to prevent them from being stolen. These help unlock the encrypted data, but only by those that are allowed to access them and the data.

Currently businesses operating within the EU don't need to reveal when a breach occurs. This is all set to change though with the introduction of GDPR in May next year. It means the companies that have previously been able to sweep breaches under the rug, will no longer be able to do that.

Moving forward, if a company is hacked and found to have not put in appropriate security protocols it could face hefty fines. The regulation recommends up to four percent of annual turnover or €20 million, whichever happens to be greater.

The cloud, if done right, can offer businesses better security than they would have been able to afford working by themselves. This security is worthless though, without the proper authentication, encryption and key management tools. Once this is in place, businesses can be confident their data is secure no matter where it is stored and the risk of a data breach has been reduced.

Contributed by Joe Pindar, director of product strategy, Gemalto.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.