The Cloud Hanging Over Information Security (article)
Cloud-based software services offer plenty of benefits for companies. They tend to be more cost effective than traditional software because systems can be updated remotely and with limited downtime. The cloud also provides a more efficient venue for creating new products or services by allowing remote collaboration. From a cybersecurity perspective, however, cloud software presents a logistical nightmare.
Many organizations use multiple cloud providers for their various applications and functions, from marketing to file sharing and data storage. A survey conducted by IHS Markit Ltd. found that medium to large-sized companies use an average of eight different cloud providers. Having multiple cloud providers may make individual services more efficient, but it creates more work for information security teams because of the additional complexity with user permissions, data transfers, and system configurations.
Cloud Providers & User Permissions
User permissions play a significant role in protecting data. Also referred to as logical security, these permissions ensure that only the individuals who need access to the most sensitive types of data can get to it. Logical security for cloud software should be configured the same as other types of data storage systems, with tiers of access where only a small number of “power users” have administrative rights and access to all of the data within the system.
Cloud systems complicate logical security because of the volume of user permissions they could potentially create. By some estimates, having multiple cloud systems in place results in thousands of user roles or privileges. Monitoring user permissions is essential to cybersecurity. CISOs and IT security personnel need controls in place to freeze logins or access rights in the event someone’s user login is compromised or if the employee’s role changes. If a terminated employee’s permissions in a cloud-based system are not deactivated prior to or on the termination date, the employee would still have remote access to that system from home, potentially exposing the data to unauthorized changes or complete destruction. As one online university discovered in 2017, when controls that can freeze user access are not in place, the cloud system and all the data it houses are vulnerable to information security threats, both those from outside parties and from internal users.
Cloud Providers & Data Transfers
Another potential pitfall with the increasing use of cloud software involves transfers of data to and amongst cloud providers. Many companies, for example, are using a hybrid approach to data storage where they have private on-premises servers and public cloud storage solutions. The various systems a company uses for its applications and business functions need to be able to securely “talk” to one another to protect the transfer of data among the business functions from unauthorized access or disruption. Because many cloud providers have multiple locations, companies typically do not know where their data resides and thus may have little to no knowledge of the level of physical security surrounding the cloud-based servers.
Multiple cloud providers mean multiple sets of controls over data and communication, each tailored to the unique risks and configuration of the cloud provider. Information security teams need protocols and controls in place so that each data transfer scenario is adequately protected and includes detective controls to alert management of any suspicious activity or control failure.
In a recent survey of IT security and compliance professionals, information security company Fugue found that system misconfiguration was among the top concerns companies had about their cloud-based services. System misconfiguration often comes down to human error, and one mistake could have disastrous consequences, like the mistake that led to a significant outage with Amazon’s cloud storage solution.
System misconfiguration can also be complicated to address because there are likely three parties whose user access could disrupt the system: the company itself, the hosted data center where the servers reside, and the third-party cloud provider. A company needs both internal controls for system configuration and an understanding of the hosted data center and third-party controls over its server and application configuration. That way, if a disruption were to happen, the company would be notified of the issue and could take the appropriate steps to secure any data that could potentially be compromised by that configuration issue, as well as notify its customers of a security incident in a timely manner, if applicable.
Solutions on the Horizon
The trend toward using multiple cloud providers doesn’t appear to be slowing down, and may give rise to a new type of cloud arrangement where a third party provides services to manage cloud provider relationships. Companies may also invest more in application programming interfaces (APIs) to allow for the secure and easy transfer of data among different applications and systems.
Given the work on the back end that goes into protecting and monitoring cloud provider data, Chief Information Security Officers (CISOs) and other information security personnel should be involved in conversations around additional cloud arrangement services. Cloud providers may offer convenience for some functions, but protecting them comes with complexity, and with that complexity comes significant cost. Companies should have solid controls in place, assessed annually, that address the risk and usage of cloud providers.
Copyright © 2018, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).