Controlling access is number one priority for protecting data in the cloud
Controlling access is number one priority for protecting data in the cloud
South African businesses, like many worldwide, are increasingly shifting applications, services and infrastructure to the cloud where they are more accessible and available, thereby enabling productivity and business continuity for employees. However, according to Securicom – a leading South African managed IT security company – companies are discovering that the cloud presents unique security challenges, amongst which unauthorised access and misuse of employee credentials rank highly.
"Cloud apps and services to empower employee productivity and business continuity are becoming mainstream, but we are definitely noticing a lack of competency and preparedness amongst local businesses in dealing with the associated IT security challenges. The conventional methods of securing IT infrastructure do not adequately address the threats associated with the cloud," says Securicom's Richard Broeke.
Similar to findings in the just released Cloud Security Spotlight Report by Crowd Research Partners, Securicom's experience in the local market also demonstrates that poor management and control of access to cloud based infrastructure, apps and data in the cloud are a major threat to companies' IT security.
"Poor access control and misuse of employee credentials means that data is being exposed to people who aren't authorised to see it. While exposure of salary and income information to unauthorised eyes is never appropriate, things become far more sinister when confidential information such as banking details or sensitive business intelligence is exposed outside the company or is accessed by employees who have malicious intentions.
"Insider threats to IT security are well documented and for the most part, companies have tried to implement controls to on-premise infrastructure to curtail the problem. But, these controls are not effective for the cloud. Comprehensive and more effective management and control solutions that are specific to the cloud are needed to protect data in the cloud," explains Broeke.
Nowadays, companies across most industries operate in a highly regulated environment and are required to control and protect their information. In compliance with their industry or governmental regulations, they should therefore know where their data is, who is able to access it, and how it is being protected.
When access to cloud resources is uncontrolled, with the potential of exposing the information they are required to protect, companies are in violation of regulatory requirements which can have serious repercussions. For instance, when employees move restricted data into the cloud without authorisation, business contracts may be violated and legal action could result.
In addition to the information and apps that companies themselves make available in the cloud for their users, employees are also bringing their own preferred apps into the equation. Employees choose apps based on their ability to assist them in working more efficiently but they aren't aware of the risks of storing corporate data in unsecured apps. With the plethora of apps available, Broeke says a lot of companies do not even know which apps are at play in their enterprises.
"It makes the challenge of protecting information in the cloud more complex because now, in addition to unauthorised people accessing cloud resources which are meant for authenticated personnel only, you also have all levels of users uploading sensitive information to a host of cloud based apps that you aren't even aware of," he says.
"The approach to protecting company information floating in the cloud must therefore encompass controlling access to the company's cloud-based resources as well as managing the number and nature of cloud based apps that employees introduce to the environment. This must be coupled with setting and enforcing sound security policies across cloud environments," concludes Broeke.