Cloud adoption has been growing year over year and is predicted to accelerate in 2016. Yet security remains one of the main areas of concern for most CIOs. Enterprise IT departments are dealing with infrastructure that is increasingly decentralized. One of the main benefits of the cloud is the ability for companies to delegate cloud access and allow self-service provisioning of infrastructure. Yet central IT, which is typically responsible for ensuring data security, can’t assume that everyone within the organization is aware of data policy or able to follow policy properly.
Cloud is not inherently more or less secure than any other platform, but the distributed nature of cloud provisioning makes securing it more challenging. As with all security considerations, the ultimate factors to consider are:
- Limiting the exposure to potential breaches (attack surface)
- If breached, limiting the size and scope of data accessed (blast radius)
So what’s the track record for cloud security? CRN compiled a list of the top 10 data breaches in the cloud in the first half of 2015. Let’s look at two of the most notable data leaks in more detail:
- Two BlueCross BlueShield organizations (CareFirst breach and Premera), with a combined 12 million patients’ data affected
- Army National Guard, with nearly one million soldier service records exposed
Much as airplane crashes should be understood as a combination of factors (see Malcolm Gladwell’s work on this topic as an example), most data breaches result from the failure of multiple controls or systems. Those control systems normally include security mechanisms, such as firewalls and encryption, as well as organizational policies, such as user/group access controls and infrastructure policies that must be followed. In each of these cases, however, at least one policy violation contributed to the breach itself, or to the scale of the breach.
BlueCross BlueShield
BlueCross BlueShield (BCBS) is a nationwide group of 36 independent health insurance member companies, covering nearly 105 million Americans. Health care data is so sensitive that it is subject to its own regulatory regime, HIPAA. HIPAA requires that PII (personally identifiable information) be stored with strong protections.
However, both Premera and CareFirst had inconsistent data encryption across customer data. This meant that, while passwords were encrypted, other PII, such as names and addresses, were not. That data became public, and BCBS was forced to provide identity theft protection for nearly 12 million people.
A policy that both required and verified encryption across all customer data might not have prevented the breach itself, but it could have decreased the blast radius, saved millions in costs to BCBS and severely limited the data exposed.
Army National Guard
Most organizations, whether public or private, have their own sets of vendor relationships, negotiated with service levels, security controls and more. These contracts are typically negotiated in line with the organization’s policies and requirements. So the fact that the Army National Guard’s data breach stemmed from data being stored in an entirely unapproved data center speaks directly to the lack of policy control within the organization.
Nearly one million soldiers’ identities, along with their service records, were now available to hackers. Beyond the betrayal of public servants’ trust, this potentially puts soldiers’ names, addresses and more into the hands of those who may wish them harm.
In this case, policy violation was the direct cause of the problem. Having a policy to automatically reduce or eliminate unprotected attack surfaces would have been a strong deterrent against this type of breach.
Policy: Part of a Comprehensive Solution
Organizations should take a holistic approach towards protecting their data in the cloud. This protection should combine minimization of attack surface with reduction of blast radius. Here are a few ways to do this:
- Make sure you choose a cloud provider whose offerings align with your needs. For instance, if you are subject to HIPAA, make sure that getting a BAA (Business Associate Agreement) with the cloud provider will be possible.
- Use best practices from the provider’s toolkit. Cloud providers offer varying tools, from firewalls to encryption, and guidelines for applying those tools in effective ways to meet different needs. Do some research and validate your security design both internally and externally.
- Educate your users. One of the greatest values of the cloud is the ability to enable various parts of the organization to get IT in a self-service model. Teams can move faster and be more productive than ever before. However, IT cannot expect all parts of the organization to understand organizational policies or follow them.
- Complete your security suite with an active policy enforcement tool. Implementing policies that ensure data security and compliance with existing standards, best practices and other organizational guidelines can guarantee that the benefits of the cloud are not lost because of data vulnerabilities that could be accidentally introduced.
As the proliferation of the cloud continues, active policy enforcement can help organizations defend themselves against possible data breaches in the cloud. Policy can be used to minimize both attack surface and blast radius and bring greater peace of mind for enterprise IT departments.
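The following added example (not code from the original post or from any particular enforcement product) sketches what "active policy enforcement" looks like in practice for the two failure modes described above: it evaluates a constructed inventory of cloud data stores against a blast-radius policy (every field of a PII store must be encrypted, not just some) and two attack-surface policies (only approved data centers, no public reachability for PII stores). Store names, regions and fields are hypothetical.

```python
"""Minimal policy-as-code evaluator over a cloud data-store inventory."""
from dataclasses import dataclass, field


@dataclass
class DataStore:
    name: str
    region: str
    holds_pii: bool
    # Per-field encryption status; partial coverage is the BCBS-style gap.
    encrypted: dict = field(default_factory=dict)
    publicly_reachable: bool = False


def check_encryption(store):
    """Blast radius: every field of a PII store must be encrypted."""
    if not store.holds_pii:
        return []
    return [f"{store.name}: unencrypted PII field '{f}'"
            for f, enc in store.encrypted.items() if not enc]


def check_location(store, approved_regions):
    """Attack surface: data lives only in approved data centers/regions."""
    if store.region not in approved_regions:
        return [f"{store.name}: stored in unapproved region '{store.region}'"]
    return []


def check_exposure(store):
    """Attack surface: PII stores are never directly reachable from the internet."""
    if store.holds_pii and store.publicly_reachable:
        return [f"{store.name}: PII store is publicly reachable"]
    return []


def evaluate(stores, approved_regions):
    """Return {store name: [violations]} for every store that breaks a policy."""
    report = {}
    for s in stores:
        v = check_encryption(s) + check_location(s, approved_regions) + check_exposure(s)
        if v:
            report[s.name] = v
    return report


# Constructed sample inventory (hypothetical; not data from the breaches above).
SAMPLE = [
    DataStore("members-db", "us-east", True, {"password": True, "name": False, "address": False}),
    DataStore("records-archive", "unapproved-dc", True, {"record": True}, publicly_reachable=True),
    DataStore("public-assets", "us-east", False, {}, publicly_reachable=True),
]
APPROVED = {"us-east", "us-west"}

if __name__ == "__main__":
    for name, violations in evaluate(SAMPLE, APPROVED).items():
        print(name, violations)
```

In a real deployment the inventory would be pulled from the provider's API and the report fed to an alerting or auto-remediation step, which is what turns a written policy into an enforced one.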