The cloud is becoming too complicated to monitor effectively
A recent survey of companies in Europe and the UK reveals that data privacy and regulatory compliance are by far the largest concerns of information security professionals. With the EU’s General Data Protection Regulation (GDPR) taking effect next year, heralding a 79X increase in fines, it’s no wonder that these priorities are top of mind.
What’s disheartening, however, is that 42% of information security professionals also admit that they lack both the tools and talent to keep their customers’ privacy intact. The ties between on-premise data centers, public cloud resources, and vendors or partners have become so numerous that companies are no longer confident that they can track and secure sensitive data as it moves around.
How does data migrate from security to insecurity?
Here’s a common scenario in which there’s a potential for sensitive files to end up in a risky location. In theory, your sensitive data storage should adhere to the following requirements
- It should be located on a secure, centralized server (or endpoint, as long as the information is part of a backup and tracked by a secure DLP solution).
- The data should be encrypted, with access limited to authorized personnel only.
- Whenever that data is decrypted for use or modification, there should be an auditable record stating who decrypted which files, and for how long.
In practice, this degree of security is not always feasible. On the one hand, latency issues might reasonably prevent companies from storing critical data in a centralized location. On the other hand, people like shortcuts.
Whether it’s due to practicality or human error, there are a number of factors that might cause your employees to place sensitive files in cloud storage. It may be much easier to access those files there — but it’s a terrible risk for customers. A Boston-area hospital, St. Elizabeth’s Medical Center, was recently assessed a $218,000 fine for that exact situation, in which un-encrypted PHI was stored on the cloud without a single risk assessment.
Is it possible to safely store data sensitive data in the cloud?
Keep in mind that that the primary failing for St. Elizabeth’s was that the organization didn’t conduct a risk assessment — it’s entirely possible to store PHI or PII on the cloud safely. In fact, there are some competitive advantages to doing so. For instance, say that a company in California opens a branch in NYC. The branch office needs access to PII, but accessing the massive database remotely entails a great deal of latency, which cuts into productivity.
In this scenario, it would be perfectly acceptable for the company to host an instance of that database with a cloud service provider that runs a data center on the East Coast. As long as certain precautions are noted and observed, there’s a reduced liability with regard to HIPAA or PCI-DSS. For HIPAA, these precautions include:
- Always encrypt PHI in the cloud
- Always send PHI over encrypted connections such as SSL
- Always understand where your PHI resides — which cloud, which VM, and if possible which which bare-metal server
Storing other kinds of sensitive information, such as PII that’s protected under PCI-DSS, entails slightly different requirements (They’re listed in greater detail here). Under this compliance regime, the customer and the cloud service provider must undertake a carefully negotiated relationship.
For example, let’s say that a cloud provider controls the firewall around a customer’s application. It’s the cloud provider’s responsibility to keep maintaining the firewall. It’s the customer’s responsibility, however, to ensure that the firewall is configured in accordance with a particular compliance regime.
In a different example, let’s say that a customer is working with an MSP. The MSP administrates the customer’s IT, and provides cloud storage. The cloud storage, however, is provided via yet another third party. In this case, it’s the customer’s responsibility to track down this third-party relationship and understand how they handle security in turn — but this brings us back to our initial problem:
With increasingly complicated cloud architecture, it’s becoming more and more difficult to understand where in the cloud your data actually is, and how it’s administrated. Companies need a solution which lets them track and control their data in real time.
Protect your data with Actifile
Actifile helps IT administrators simplify the process of locating sensitive data in a complex environment. Instead of relying on manual record-keeping, Actifile appends code to each piece of PII, PHI, or other sensitive data you need to be aware of. IT Administrators can take instant action by:
- Automatically discovering where sensitive data lives on your network, and getting a notification when it’s out of place or potentially harmful to your organization.
- Detecting actions such as attempting to move, print, or delete customer information, intercepting any attempt to steal or corrupt your mission-critical information.
- Both malicious actions and human error can be prevented with active protection that can block individuals from sharing, sending, or downloading sensitive data.
As long as your data is on a cloud, server, or endpoint with an Actifile node, you’ll be able to know where your data is at a touch of a button. If someone tries to move your data somewhere where there’s no Actifile monitoring — such as a USB drive or an un-monitored private cloud — you’ll know right away. Prevent your data from ever being lost, leaked, or stolen — contact us today