Owning up to cloud security - who is responsible?

28 Sep 18

The number of Australian businesses using commercial cloud computing services has risen to almost one third in just one year, according to the Australian Bureau of Statistics. Inevitably, this has led to an increase in the volume of customer data stored in the cloud, supporting everything from online services and websites, to sales and infrastructure. Keeping this data secure is vital for both the smooth running of businesses and protection of customers.

Many organisations are still struggling to secure their clouds – earlier this year, Australian cloud-based recruitment and HR software provider PageUp exposed two million passwords following a malware infection. This is just one of many examples of a business that migrated without the proper understanding of how to protect their data. Complicating the issue even further is that businesses often operate across more than one cloud, such as AWS and Azure, each having differing security protocols to grapple with.

There are mixed views on who is responsible for protecting customers’ sensitive or confidential data in the cloud. A third (34 per cent) of respondents believe that it’s the customer’s responsibility to secure their data in the cloud, while two-thirds (62 per cent) of customers hold businesses responsible. With less than half (46 per cent) of businesses clearly defining roles and accountability for securing confidential or sensitive information in the cloud, it’s clear many are struggling to take responsibility within the organisation.

Taking responsibility for cloud security

The arrival of GDPR and NDB this year has forced the ownership of cloud security firmly into the hands of businesses. Under the regulation, if any unsecured customer data is compromised, stolen or misplaced – whether it’s stored internally in a data centre or the cloud – the business holding it will be held accountable. Additionally, over two-thirds of Australian consumers (72 per cent) would leave a business after a breach. So, what can organisations do to secure their cloud and avoid potential breaches?

Five steps to cloud security

Locate where the data is

Before implementing any cybersecurity strategy, businesses must first conduct a data audit. This helps them understand what data they have collected or produced, and where the most sensitive and valuable data is located. If businesses don’t know what data they possess and produce, they can’t even begin to protect it.

Encrypt all sensitive data

While it’s crucial that businesses restrict who can access sensitive data, it’s encryption that ensures the data cannot be used if it is accessed by unauthorised personnel. Businesses must understand where their most valuable data is stored before this step can occur. Regardless of where data is – on their own servers, in a public cloud, or a hybrid environment – encryption must always be used to protect it.

Securely store keys

When data is encrypted, an encryption key is created. These keys are necessary to unlock and access the encrypted data. Consequently, businesses must ensure that these keys are securely stored away from the cloud. Storing the key offsite, separately from the encrypted data, ensures that anyone who obtains the encrypted data in the cloud does not also obtain the means to decrypt it. Encryption is only as good as the key management strategy employed, and companies must keep keys in secure locations – such as on external hardware away from the data itself – to prevent them being stolen.

Introduce two-factor authentication 

Next, businesses should adopt strong two-factor authentication, to ensure only authorised employees have access to the data they need to use. Two-factor authentication involves an individual protecting their account with something they possess – like a code sent to their smartphone – and something they know, like a password. This is more secure than relying on passwords alone, which are easily compromised.

Always update

Hardware and software are constantly being patched by their vendors as bugs and vulnerabilities emerge, to prevent hackers from exploiting them. Many businesses don’t install patches quickly enough, or use software which no longer receives regular patches. It is imperative that businesses install patches as they become available, to avoid becoming easy targets for hackers.

Evaluate and repeat

Once a business has implemented the above steps, each step must be repeated for all new data that enters its systems. Cybersecurity and compliance are an ongoing process, rather than a case of ticking a box. These steps will ultimately help make businesses unattractive or unviable targets for attackers, as even in the event of a breach the attackers won’t be able to use, steal or hold the data for ransom.
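The "encrypt all sensitive data" and "securely store keys" steps above are usually implemented together as envelope encryption: each record is encrypted under its own data key, and only that data key is encrypted (wrapped) under a key-encryption key (KEK) that never leaves the business's own key store. The following Go program is an added illustration of that pattern; it is not code from the article or from Gemalto. It assumes AES-GCM for both layers, a KEK that is supplied from outside the cloud store (here a constructed random value standing in for an HSM-held key), and a record identifier bound as associated data so a stored bundle cannot be quietly reassigned to another record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Bundle is the only thing written to cloud storage. It carries the encrypted
// record and the per-record data key wrapped under the key-encryption key (KEK).
// The KEK itself is never stored alongside the data (assumption: it is held in an
// on-premises HSM or key server, as the "securely store keys" step asks).
type Bundle struct {
	Nonce      []byte // nonce for the record ciphertext
	Ciphertext []byte // AES-GCM output, authentication tag included
	KeyNonce   []byte // nonce used when wrapping the data key
	WrappedKey []byte // 256-bit data key encrypted under the KEK
}

// gcmSeal encrypts plaintext under key with a fresh random 96-bit nonce.
// Associated data (aad) is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if key, nonce, aad or ciphertext differ.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt builds the storage bundle for one record. Each record gets its own
// data key, so a random nonce is used once per key, and the KEK is only ever
// used to wrap short keys, never bulk data. The record ID is bound as
// associated data so a bundle cannot be moved to a different record unnoticed.
func Encrypt(kek, record []byte, recordID string) (*Bundle, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dataKey, record, []byte(recordID))
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := gcmSeal(kek, dataKey, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Bundle{Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// Decrypt needs the KEK, which lives outside the cloud store: a copy of the
// bundle on its own is useless, which is the point of separating keys from data.
func Decrypt(kek []byte, b *Bundle, recordID string) ([]byte, error) {
	dataKey, err := gcmOpen(kek, b.KeyNonce, b.WrappedKey, []byte(recordID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong record, or tampered bundle")
	}
	return gcmOpen(dataKey, b.Nonce, b.Ciphertext, []byte(recordID))
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in production this is fetched from the HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	record := []byte(`{"name":"A. Example","tfn":"000 000 000"}`) // constructed sample record
	b, err := Encrypt(kek, record, "customer/42")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored bundle: %d ciphertext bytes, %d wrapped-key bytes\n", len(b.Ciphertext), len(b.WrappedKey))

	if pt, err := Decrypt(kek, b, "customer/42"); err == nil && bytes.Equal(pt, record) {
		fmt.Println("holder of the KEK can read the record")
	}
	wrongKEK := make([]byte, 32) // stands in for an attacker who copied the bundle but not the KEK
	if _, err := Decrypt(wrongKEK, b, "customer/42"); err != nil {
		fmt.Println("bundle alone, without the KEK:", err)
	}
}
```

The design choice worth noting is that the bulk data never touches the KEK: rotating the KEK means re-wrapping a few dozen bytes per record rather than re-encrypting every object, and revoking access to the KEK (for instance when the cloud account is suspected compromised) renders every stored bundle unreadable at once, which is the guarantee the "evaluate and repeat" step relies on.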

The arrival of new data protection laws in Australia this year has meant that businesses now pay a cost, reputationally and financially, for any data breach. It’s never been more important for businesses to take full ownership of the data they hold, particularly as consumers have more rights over their data than ever before. Organisations must drive a cybersecurity strategy from the board down, and educate staff about the cyber risks they face as part of the business, so consumers can trust that their data is stored correctly and secured effectively.

Article by Gemalto regional director Australia & New Zealand, Graeme Pyper.
