Cloud and data leakage: how to protect your company?

The cloud is on everyone's lips and is already widely used by companies around the world. While this solution is on the rise, it nevertheless brings, like any other tool, its share of risks. Which ones? How can you protect yourself against them? Answers from our marketing team's analysis.

Cloud security: a major challenge

In their 2018 study, Cost of a Data Breach Report, Ponemon Institute and IBM reported that organizations carrying out a major data migration to the cloud when a data leak occurs see their losses increase by an average of $12, bringing the cost of each lost record to $160.

Excluding cloud migration, this figure is $148 for all countries combined. Given that since January 2019 each data leak has resulted in the loss of approximately 19 million records*, there is cause for alarm.

Yet 75% of companies store at least 20% of their sensitive data in a cloud that they consider “insufficiently secure”[2]. This paradox can be explained by the increasingly essential nature of these dematerialized servers, which are a source of simplicity and cost reduction. Indeed, it is estimated that 83% of corporate data will be stored in clouds by 2020**.

Data protection in a cloud environment

There are different cloud models that involve different levels of responsibility for protecting the data that will be hosted on the service.

SaaS solutions

In the case of SaaS (Software as a Service) solutions, security is partly managed by the public cloud player. However, to further protect the data stored there, it is still possible to use two data leakage prevention tools.

The first is Data Leakage Prevention (DLP). These software programs make it possible to mark files and assign them a level of confidentiality. The more sensitive a piece of data is, the more restricted its access will be, according to a scale determined by each client. Although effective, this technology has limits, especially in terms of user experience: it hinders natural use of the tool and therefore user adoption. It is also quite difficult to deploy because each company defines its own data classification method: to date, there is no common standard.

Cloud Access Security Brokers (CASB) are also growing. These tools can analyze data flows and scan documents in a cloud. They can only intervene once the data has been transferred to the cloud server, which means that only an after-the-fact response is possible, for example when a file has been shared with inadequate security settings. CASBs allow the detection of suspicious files on clouds.

IaaS and PaaS solutions

For solutions such as IaaS (Infrastructure as a Service) or PaaS (Platform as a Service), the responsibility for data and application security rests primarily with the customer. To prevent data leaks, web application firewalls (WAF) can become complementary tools to solutions already available in the cloud. WAFs are used to counter attacks that seek to take advantage of application vulnerabilities.

Cloud Workload Protection (CWP) tools make it possible to detect incorrect configurations of the cloud infrastructure, especially of data storage spaces, while giving an overview of the actions taken by each administrator. Public servers are certainly secure, but they are not infallible. For example, four years ago, UpGuard discovered that some of the storage buckets offered by Amazon S3, one of the best-selling cloud solutions on the market, were publicly accessible***. On its website, UpGuard published last April: “Cybersecurity researchers, including those at UpGuard, are constantly discovering publicly open, unprotected S3 compartments containing sensitive data. (…) We’ve been uncovering S3 breaches for over four years, and the problem doesn’t seem to be going away.” The article continues as follows: “Our opinion is that the security problem with S3 is one of product design. Yes, AWS ensures that S3 servers are private by default. Yet we continue to see thousands of open buckets, and regular breaches. Our view is that AWS has made it far too easy for S3 users to misconfigure buckets to make them totally publicly accessible over the Internet.”
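The kind of storage misconfiguration check described above, as an added example (not from the original article or from any CWP product): Python that audits an offline snapshot of bucket settings for public exposure through ACLs or bucket policies, taking the Public Access Block settings into account. The snapshot layout (name, acl_grants, policy, public_access_block), the helper names and the bucket names are assumptions made for this example; the ACL group URIs and the Public Access Block setting names are S3's own.

```python
import json

# S3's predefined ACL groups; a grant to either one makes the bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"}, including list forms."""
    principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return "*" in _as_list(principal)

def public_exposures(bucket):
    """Return the reasons a bucket snapshot is readable or writable by anyone."""
    pab = bucket.get("public_access_block") or {}
    reasons = []
    # Public ACL grants are effective unless IgnorePublicAcls is on.
    if not pab.get("IgnorePublicAcls"):
        for grant in bucket.get("acl_grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                reasons.append("acl:" + grant["Permission"])
    # A public policy is effective unless RestrictPublicBuckets is on.
    if bucket.get("policy") and not pab.get("RestrictPublicBuckets"):
        for st in _as_list(json.loads(bucket["policy"]).get("Statement", [])):
            # Simplification: any Condition is treated as restricting access.
            if (st.get("Effect") == "Allow" and not st.get("Condition")
                    and _is_wildcard(st.get("Principal"))):
                reasons.append("policy:" + ",".join(_as_list(st.get("Action", []))))
    return reasons

def audit(inventory):
    """Map each exposed bucket name to its list of exposure reasons."""
    findings = {b["name"]: public_exposures(b) for b in inventory}
    return {name: why for name, why in findings.items() if why}

# Constructed sample inventory (hypothetical bucket names and settings).
_OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
_OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
INVENTORY = [
    {"name": "example-invoices", "public_access_block": None, "acl_grants": _OPEN_ACL},
    {"name": "example-website", "acl_grants": _OPEN_ACL, "policy": _OPEN_POLICY,
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": False}},
    {"name": "example-hr", "acl_grants": _OPEN_ACL, "policy": _OPEN_POLICY,
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
]
```

Calling audit(INVENTORY) reports the first two buckets; the third carries the same ACL and policy but is not reported because both Public Access Block settings are enabled.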

While the idea here is not to point out Amazon’s weaknesses (all cloud operators can be affected), this example makes us think about what to do with data that is too critical to be placed in a public cloud. As a result, companies are increasingly turning to hybrid storage, combining public and private cloud with traditional storage devices. This means many different procedures and technologies to implement and manage daily. It is also important to make sure that the cloud is really adapted to employees’ needs. This will reduce the risks associated with misuse and increase employee compliance with the security measures to be known and applied daily.

Make an inventory of your data

To successfully negotiate your migration to a cloud, it is best to start with a data inventory. Going to the cloud does not mean moving all your information into it. The most critical and sensitive data must be processed in a more traditional way and stored within the company on a secure server.

The data to be protected first differs for each company. While financial information or strategic plans remain logical first choices, it is advisable to be careful with false friends: data that seems uncritical but is in fact coveted, such as invoices. Convincingly copied, these can be used to perpetrate “Fake President” frauds. According to the Central Office for the Repression of Great Financial Crime (OCRGDF), this type of fraud cost American companies $2.3 billion in 2016****.

Data leak: how to react?

Since 25 May 2018, the effective date of the General Data Protection Regulation (GDPR), European companies (or foreign companies using European data) have been required to report any leakage of personal data within 72 hours of the incident, whether accidental or resulting from a cyber-attack.

Within this declaration, the following information must be provided:

  • the nature of the incident,
  • the category and number of people affected,
  • the number of records involved,
  • the likely consequences of the leak,
  • the measures taken to avoid it[5].

Data leaks are not inevitable: an incident must also be used to take stock of the security gaps that allowed the theft or accidental leak, and therefore to implement actions to protect against them in the future. This can be an opportunity to realize that the current processes are not the right ones, and to start over on a good foundation.

Finding your attacker

To date, it remains very complex to find an attacker. Specialized services, provided by cybersecurity providers, document the leak and trace the virtual paths taken by hackers. This is valuable information for better protecting your company in the future.