Cloud Data Security: Guard the Door or Prepare for the Worst?

In the Cloud Security Alliance’s latest Cloud Adoption Practices & Priorities Survey Report (CAPP), we continue to see security threats as the top reason that IT administrators and CIOs are still nervous about going all in on the cloud. Almost three-quarters of those surveyed said that concerns about cloud data security were holding back their cloud projects. This is understandable; with last year’s high-profile security breaches at Target, Home Depot and Sony, no one wants to be the next company on that inauspicious list.

However, IT admins and CIOs seem to be all alone in their cloud reticence; according to the CAPP report, “IT departments at 79 percent of companies receive requests from the end users each month to buy more cloud applications.” The report also states that 86% of companies across the globe are spending at least part of their budgets on cloud services. There are a thousand other stats from a hundred other reports to back it up, but what it comes down to is that the cloud is, quite simply, an inevitability.

Given that data protection is non-negotiable and given that the cloud is inevitable – whether you are ready or not – the only option for IT professionals and CIOs right now is to figure out how to move to the cloud safely.

There are two fronts on which to fight that battle:

  1. Enabling security measures to “guard the door” against intruders and implementing access management strategies.
  2. Preparing for the worst-case scenario by having a plan in place, in advance, for a quick and effective recovery from any data loss or security breach.

Most would spend their time on the former; however, the latter is where you should focus first.

Here’s why:

  1. According to the CAPP report, “Although companies are focused on external threats, 17 percent reported a known insider threat incident in the last 12 months.” These kinds of incidents can include an employee downloading and/or deleting sensitive data before they leave the company. The report continues, “Troublingly, 31 percent were not sure if such an incident occurred.” In other words, you could spend all of your time trying to keep out hackers only to be taken down by a disgruntled employee.
  2. No security measures (or combination of them) will ever be 100% foolproof. As long as there are human employees, human error can open the door to security breaches and data loss events. After all, “123456” and “password” are still the most common passwords out there.
  3. EMC’s recent Global Data Protection Index Report found that 64% of enterprises experienced data loss or downtime in the last 12 months. And data loss and downtime cost enterprises a staggering $1.7 trillion. The reason? Without your data, your business can’t operate. Yes, a data breach where information is taken and shared publicly is a PR nightmare, but your employees can still keep working while damage control is underway. However, if data is maliciously deleted, your entire business grinds >
  4. The CAPP report states, “Only 8 percent of companies know the scope of shadow IT at their organizations, and an overwhelming majority (72 percent) of companies surveyed said they did not know the scope of shadow IT but wanted to know.” To put it another way, you can spend as much time as you like guarding the door, but shadow IT is coming in through the window. And with shadow IT come the risks associated with unmanaged access to sensitive corporate data across multiple devices and locations: the unsecured coffee shop WiFi, the sync errors between device and cloud that can make information inexplicably vanish, more opportunities for human error, more opportunities to leave an unprotected device on the train or bus. You need a plan for dealing with shadow IT, but first, you must assume it is happening. Because it is.

Given the exploding number of ways in which data is vulnerable, it’s more realistic to operate on the assumption that the worst will happen to your business, that you will, in fact, experience data loss. In the next post in the series, we’ll discuss a plan to help you proactively prepare for the worst-case scenario.