
By Frank Post


Topics: Risk Management

Cloud applications are truly a game changer for companies in a wide range of industries. They allow organizations to enhance collaboration, agility, and scalability, all while reducing costs.


Most companies have already embraced cloud computing. But others are still wary. Why? For all the benefits it brings, the cloud is one of the top challenges security teams face.

That’s why cloud app security assessments are crucial to protect your organization. Learn how to reduce risk and safeguard your data while still benefiting from the cloud.

Do You Know the Risks?

Usage of cloud-based productivity apps has exploded in recent years, and in the process many companies have lost control over their sensitive data. Businesses today often end up storing critical corporate data in unsanctioned cloud apps that run outside the jurisdiction in which the data owner is regulated.

While employees use these apps to be more effective at their jobs, they’re often unaware of the risks involved. Shadow IT – the unsanctioned use of IT resources outside the normal control of the IT department – has enabled corporate divisions to implement their own solutions more quickly, without properly considering the risks, which include:

  • Data breaches: A data breach is three times more likely to occur for businesses that use the cloud than for those that do not.
  • System vulnerabilities: While major cloud providers like Dropbox, Microsoft, and Google have standardized security procedures, it’s still up to the client to properly apply cloud security controls in order to fully protect their data.
  • Account hijacking: Unless two-factor authentication (2FA) is used, attackers can capture user credentials (through phishing emails, for example) and use employees’ login information to remotely access and exfiltrate sensitive corporate data.
  • Data loss: Without a robust recovery plan, losing data can be devastating to a business. Data in the cloud can be lost through malicious attacks, accidental deletion, or poorly thought-out and untested backup and replication processes.

Who Should Conduct the Security Assessment?

To combat security risks, it’s important to thoroughly investigate the data protection controls a vendor provides when selecting a new cloud-based application.

Your organization’s procurement department should manage the security assessment process, since procurement normally controls contract negotiations and the purchasing of major products and services.

Procurement can get subject matter experts from other areas of your organization to help assess the proposed solution. Ideally, areas such as legal, enterprise security, risk management, HR, and IT will all have a chance to assess the proposed solution and ensure that the organization’s best interests are protected.

The Assessment Process

Develop a cybersecurity assessment questionnaire and send it to potential third-party providers to assess the security and privacy considerations for their proposed cloud solution.

Send out the questionnaire to the potential solution providers as early in the assessment process as possible. This ensures they have adequate time to provide their answers and clarifications during the assessment – there may be a long list of questions they have to answer.

Infrastructure and platform as a service (IaaS and PaaS) vendors such as AWS and Azure can normally be considered “best of breed”: their portion of the proposed solution does not require a separate security assessment. However, the security of the application being run on the service should still be assessed in detail.

The Role of Cloud Access Security Brokers (CASB)

A CASB is a cloud-based software tool that sits between your organization’s on-premises infrastructure and a cloud provider’s infrastructure. Acting as a gatekeeper, it monitors user activity and enforces security policies.

Using a CASB helps companies control the use of unsanctioned cloud apps and reduces risk. CASBs provide visibility into how data is being used within cloud apps, help organizations maintain compliance with regulations, and help remediate threats in real time.

According to Gartner, over half of large enterprises will be using a CASB by 2020 to strengthen their security posture.

Qualified Security Professionals Can Help

The reality is that many businesses are ill-equipped to perform thorough security assessments of the cloud apps they’re considering.

To reduce business risk, get a thorough review and assessment by a qualified security professional. Ideally, a consulting partner with experience in assessing cloud solutions can advise on the cloud security areas where your own team may lack the skill set or experience.

The consulting partner can also suggest improvements and contractual requirements, such as service level agreement (SLA) values, to ensure the solution is robust and meets all the requirements in the project’s functional and nonfunctional specifications.


Frank Post

Frank is a seasoned technology and security executive with global experience in commercial, telecommunications, and managed services sectors. Before joining Difenda in 2017 as the leader of the Cloud Security practice, Frank was the head of managed services at a high profile MSSP where he expanded the managed infrastructure practice there to include a world-class Security Operations Centre and a DevOps practice supporting customers operating in public and hybrid Cloud configurations. Providing services to the standard of SSAE16, CSAE3402, SOC 1 and SOC 2, PCI DSS, and ISO certifications was a requirement in order to serve the many customers in regulated industries. Frank spent the first 15 years of his career in the finance, insurance, and legal sectors, architecting, deploying, and managing Windows and Linux networks to high degrees of confidentiality, integrity, and availability.