Security and compliance in the age of cloud-first working

Steve Whiter, Director, Appurity, explains why cloud-first working is officially here to stay.

While migrating to a cloud-first strategy has been the ultimate goal for many businesses and organisations for a number of years, it’s undeniable that the COVID-19 pandemic has expedited this shift. In fact, Forbes found that 73% of surveyed enterprises accelerated their move to the cloud due to widespread remote working brought on by the pandemic.

But supporting the shift to remote working is not the only factor businesses are considering when moving to the cloud. A Deloitte survey of more than 500 IT leaders and executives in 2020 found that data and security protection was the number one motivating force behind these surveyed companies’ decisions to start migrating their organisational operations to the cloud.

It is generally accepted that data held by cloud service providers (CSPs) is inherently more secure than data stored on-premises. And while the security provided by CSPs is high – with their built-in firewalls and a high degree of redundancy – adopting a completely cloud-centric way of working still comes with concerns and questions about privacy and security, especially where these relate to the use and handling of data.

It was once the case that businesses only needed to contend with their own internal policies surrounding data management. But in recent years there has been a seismic shift in how data is expected to be managed and handled, to the point where governments and political blocs have introduced legislation, such as the EU’s GDPR, to ensure the highest levels of data security, invariably raising the stakes for any business that handles and stores data.

And it’s not just GDPR that businesses need to comply with. There are various data management and protection requirements that exist across a number of industries and localities: the Payment Card Industry Data Security Standard (PCI DSS) within the financial industry, the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, and even the California Consumer Privacy Act (CCPA) – often described as the Californian GDPR.

In an age when many aspects of a business’s operations can be outsourced – IT, communications, even legal affairs – when it comes to compliance, the buck stops with the business in question. Failure to adhere to compliance regulations can mean severe and expensive penalties. In other words, any business leader’s nightmare.

Compliance in the Cloud: How?

Ultimately, compliance with various data protection regulations such as those outlined above means meeting the dictated standards on how data is held and managed. These regulations can be broad in scope and incorporate a number of facets, for example: who handles data and where in the world are they, how effectively can organisations produce audit trails on demand, how are information assets classified, and what are the policies organisations have internally for proactive data protection?

Visibility is Key

Ensuring a secure and compliant cloud system for handling and storing data starts with visibility.

Even popular SaaS solutions such as Microsoft 365, Dropbox or Salesforce, with their inbuilt security, have blind spots. And it’s often the case that many SaaS solutions do not operate behind a single pane of glass, or where they do, such features are only offered at the highest purchase level, perhaps putting them out of reach for SMBs. This inevitably means auditing reports become a burdensome, time-intensive task for data protection officers or IT leaders as they piece together necessary auditing data from a variety of sources.

Additionally, the rise of shadow IT has caused a headache for many business and IT professionals, who are playing catch-up with monitoring the ever-expanding use of out-of-scope apps – especially in the case of organisations with personal device or BYOD policies. But, naturally, productivity and user experience cannot be compromised when adopting security and data solutions. Employees and users across all levels of organisations need access to data regardless of where in the world they are located or what device they’re using.

Adopting a Cloud Access Security Broker (CASB) solution can optimise visibility across an organisation by monitoring all user activity within cloud applications – both company-approved and shadow apps – and enforcing internal policies and external, industry compliance requirements. A CASB solution should additionally be adopted as part of a wider SIM/SIEM solution for the ultimate in forward-looking, secure data collection, monitoring, and consolidation.

Many CASB solutions, such as the one provided by Censornet, are built with compliance in mind – by providing granular visibility and control over user interaction with cloud applications and comprehensive audit trails of such user activity, all operated behind a single pane of glass for centralised control, management and ease of use.

Protect Against Potential Data Breaches

Taking compliance and data protection seriously is not just about making sure the boxes are ticked, but also requires a proactive approach to data management: understanding where potential data breaches exist and eliminating them at the source.

The risk of infected or malicious files making their way into the cloud, or the threat of identity theft, for example, is still prevalent and must be considered as part of any data protection strategy.

In Censornet’s CASB solution, a combination of technologies and multi-layered security is used to identify suspicious or malicious user activity in cloud apps, which could be related to potential data exposure. Additionally, user files can be scanned or analysed when uploaded to the cloud to check for unusual or potentially dangerous content.

Multi-Factor Authentication

Another potential area for compromised data is the practice of identity theft. Stolen passwords are still a leading cause of data breaches – making stronger-than-password protection a necessity for businesses. One-time passcodes (OTPs) are used widely by businesses as an additional layer of security to password protection. However, some OTPs are vulnerable to interception or phishing attempts – so choosing real-time generated OTPs for enhanced security is advisable.

Cloud Security and the Future

Cloud is fast becoming the number one choice for businesses when it comes to managing and storing data and apps, making the need for a 360 solution for security and compliance in the cloud paramount. Adopting a complete security solution that takes a business from simply reactive measures to an informed and planned proactive strategy can give business leaders the peace of mind they need that they’re adhering to compliance requirements while making the best out of the modern and productive cloud-centric way of working.