Why the Cloud May be the Safest Place to Store Your Sensitive Data
By David Burg, Principal and Global and US Advisory Cybersecurity leader, PwC
The use of cloud computing is officially mainstream across most industries, yet many executives still worry that provider security practices remain inadequate to protect sensitive data and mission-critical workloads. It’s a long-held belief—and one that’s starting to change. In The Global State of Information Security® Survey 2015, we found that 55 percent of organizations worldwide now use some form of cloud computing, up from only 38 percent two years ago. While the benefits of cloud services—lower costs, greater operating efficiencies, and immediate scalability, to name a few—have fueled adoption in recent years, it seems evident that a new driver is at work. Our research shows that 59 percent of organizations that use cloud services report that doing so has improved their information security program.
That’s certainly worth pointing out because, for many business executives, potential threats to data security and privacy have always been the dark, untrustworthy side of the cloud. Perceptions are shifting, however, as major cloud services vendors have continued to develop and implement increasingly sophisticated security capabilities.
While there has been an uptick in attacks on cloud service providers recently, it’s important to note these incidents did not result in reported breaches of sensitive data. This could suggest that cloud services today have strong security controls and have proactively implemented the technologies, processes, and personnel necessary to quickly detect and mitigate incidents.
Providers are investing in security and certifications
Top-tier cloud providers have been steadily investing in cutting-edge tools for data protection, threat defense, network security, and identity and access management. They are, for instance, beginning to add infrastructure capabilities such as software-defined perimeters to create highly secure platforms that can be adapted to mitigate most of the tools, techniques, and procedures (TTPs) used by malicious actors. Should adversaries infiltrate the network, some cloud providers apply DevOps principles, combined with communal learning and rapid-response forensics tools, to reduce the time lag between detection and remediation.
Furthermore, cloud providers are increasingly obtaining certifications and assessments against third-party standards and from regulatory bodies, including ISO 27001, Level 1 service provider status under the Payment Card Industry Data Security Standard (PCI DSS), SSAE 16 (formerly SAS 70), various Service Organization Control (SOC) audits, DIACAP Level 2 for Department of Defense systems, and the Federal Information Security Management Act (FISMA). Many also have the capabilities to enable regulated organizations to deploy solutions that meet industry standards like the Health Insurance Portability and Accountability Act (HIPAA).
Is your sensitive data safe in the cloud?
It seems clear that service providers have developed and implemented these advanced security practices and undergone certifications to convince organizations that even their most sensitive data and mission-critical workloads are secure in the cloud environment. It’s a strategy that seems to be working: More companies—even those operating in highly regulated sectors like financial services and healthcare—are putting mission-critical workloads in the cloud.
The fact that more companies are entrusting cloud service providers with critical data and workloads is encouraging progress. What’s worrisome, however, is that many businesses still do not have a security strategy for cloud computing. According to our annual security survey, only 48 percent of organizations have a cloud security strategy. And just 50 percent say they perform security risk assessments on third-party vendors like cloud service providers.
Clearly, a well-designed strategy and disciplined due diligence should be implemented before any data or workload is entrusted to a cloud provider. A sound cloud strategy begins with identification of business goals and alignment of those objectives with the benefits of the cloud. Next, organizations should carefully assess which applications and data are appropriate to move to a cloud environment. The business must know what data are subject to regulations and controls like those included in HIPAA, the Gramm-Leach-Bliley Act, PCI DSS, and the Sarbanes-Oxley Act, to name a few.
Organizations should also rigorously assess cloud service providers for appropriate security controls. A few of the considerations include assurance that the cloud environment is appropriately configured, patched, and monitored. Workloads should be protected by firewalls, intrusion-detection systems, and denial-of-service protection. Employee access to customer data should be restricted and continuously monitored, and the provider should have plans to protect against the actions of negligent or rogue employees.
Just because more businesses are putting sensitive data in the cloud doesn’t give every organization the green light to do so. It’s an individual decision that should be very carefully considered and discussed. In some cases, mission-critical workloads and intellectual property may still be safest in the locked-down confines of the enterprise. Similarly, regulated data like payment card information and healthcare records should be sent to the cloud only if the service provider has security controls that match or surpass those required by the organization and its regulators.
Increasingly, however, we believe that top-tier providers are creating ecosystems that are safe for sensitive data. They are building security and agility into the core fabric of the infrastructure, which allows for an entirely new class of defenses that are possible only with the game-changing properties of the cloud. While traditional information security concerns still apply, and addressing them is essential to developing a leading cloud strategy, we would argue that not only can the cloud be secure, it can also be one of the safest places to store your data.