Last summer, officials from the Securities and Exchange Commission visited an Amazon data centre in Virginia to take a look at how such facilities are run. Around the same time, the SEC also sent out questionnaires asking various investment firms and advisors about their cloud security practices.
More recently (Jan. 14, to be exact), an SEC official connected the dots between the two at the Financial Industry Regulatory Authority conference, saying liability for data breaches involving public cloud providers ultimately lies with their corporate customers, not the providers themselves.
“Even if you have identified who has responsibility for what controls, you’re still outsourcing your services and your control of the data, and the firm is still going to be responsible,” said senior SEC examiner Salvatore Montemarano per WSJ.
After a string of high-profile data breaches like those at Equifax and Capital One, the SEC has stated that one of its priorities for 2020 is “oversight practices related to certain service providers and network solutions, including those leveraging cloud-based storage.”
As regulatory officials subject cloud providers—and their enterprise customers—to more scrutiny, it’s not a bad time for some tips on what enterprise orgs can do, courtesy of Gartner’s Steve Riley.
1. Look inward for cloud security
The most important tool enterprises have in their arsenal is a mirror, according to Riley, senior director and security analyst at Gartner.
“They spend far too much time assessing the security of their cloud provider rather than examining their own patterns and practices,” Riley said in a recent webinar. “The cloud is secure. That’s not the question to ask. The question to ask is, are we using it securely?”
He said Gartner’s own research shows that “the overwhelming majority of cloud security incidents” happen because of “something the customer has failed to do correctly.”
A 2019 survey by the Cloud Security Alliance seems to back this up: the top causes of network or application outages resulting from a cloud security incident were operational and/or human errors in the management of devices, followed by device configuration mistakes.
Gartner predicts that through 2025, 99 per cent of cloud security failures will be the customer’s fault.
2. Crack down on open file shares
In most IaaS environments, the default setting doesn’t allow your internal files to be shared on the Internet. But did you know that many SaaS applications or platforms allow this type of open file sharing as their default setting?
“Closing open file shares is the easiest and most impactful cloud security step you can take,” Riley said. “Step back and give some strategic thought to how you’re managing file shares in IaaS and SaaS and wrap some appropriate policy around that.”
3. Don’t bet on vetting
Have you ever sent a questionnaire to potential cloud service providers to vet their security practices and policies? Riley’s research suggests it may give you peace of mind but it doesn’t make you any safer.
His research shows that vetting prospective cloud providers has little to no impact on security outcomes for cloud customers, and may give them a false sense of security akin to letting their guard down. What does make a significant impact, according to Riley’s findings, is continuous monitoring of your cloud service after you’ve signed up.
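The two points above, closing open file shares and monitoring continuously after sign-up, can be turned into a concrete check. The following is an added example, not code from the article or from Gartner: it flags storage shares open to the Internet in two constructed input shapes, an S3-style bucket policy document and a simplified SaaS share record (the `visibility` field and its values are a hypothetical schema, not any vendor's API), and compares the current findings against the previous run so that only new exposures are reported. All sample data is constructed.

```python
"""Added example: detect cloud file shares that are open to the Internet.

Inputs are constructed for illustration:
  - an S3-style bucket policy (JSON); a statement with Effect "Allow",
    an anonymous Principal ("*" or {"AWS": "*"}) and no Condition is an
    unconditioned public grant;
  - a hypothetical SaaS share record with a "visibility" field.
"""
import json
from typing import Any


def _principal_is_anonymous(principal: Any) -> bool:
    """True if a policy statement's Principal means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_statements(policy: dict) -> list[str]:
    """Return the Sids of statements granting anonymous, unconditioned access."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        # A Condition (e.g. restricting the source VPC endpoint) is not
        # automatically safe, but it is not an unconditioned public grant,
        # so it is left for a separate, more careful review.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def public_saas_shares(shares: list[dict]) -> list[str]:
    """Return ids of SaaS share records visible to anyone on the Internet."""
    open_visibilities = {"public", "anyone_with_link"}
    return [s["id"] for s in shares if s.get("visibility") in open_visibilities]


def new_exposures(previous: set[str], current: set[str]) -> set[str]:
    """Continuous monitoring: exposures absent from the last snapshot."""
    return current - previous


# Constructed sample bucket policy (account id is the documented AWS example).
SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/team"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")

# Constructed sample SaaS share records (hypothetical schema).
SAMPLE_SAAS_SHARES = [
    {"id": "doc-1", "visibility": "private"},
    {"id": "doc-2", "visibility": "anyone_with_link"},
    {"id": "doc-3", "visibility": "domain"},
    {"id": "doc-4", "visibility": "public"},
]


def run_audit(previous_snapshot: set[str]) -> set[str]:
    """One monitoring cycle: collect exposures and report only the new ones."""
    current = set(public_statements(SAMPLE_BUCKET_POLICY))
    current.update(public_saas_shares(SAMPLE_SAAS_SHARES))
    return new_exposures(previous_snapshot, current)


if __name__ == "__main__":
    # Pretend last run already knew about doc-2; only new exposures print.
    for finding in sorted(run_audit({"doc-2"})):
        print("NEW public exposure:", finding)
```

Run on a schedule and persist the current finding set as the next run's snapshot; the value is in the delta, which is the "continuous monitoring" the text contrasts with one-time vetting. Statements with a `Condition` are deliberately not auto-cleared here, since conditions can be overly broad.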
4. Build a SaaS life cycle
Don’t just vet SaaS apps for security before and during implementation. Riley urges enterprises to take a life cycle approach to ensure SaaS security on an ongoing basis. Here’s what he wants them to ask:
- How many SaaS apps are we using?
- When is their end of life?
- What will we do when we no longer use these apps?
- Can we delete them?
- How do we extract and move our data from those SaaS apps and use that data after we stop using those apps?
- What policies do we have for these apps?
- How do we continuously manage them?
5. Automation and identity are the future
Riley sees automation as increasingly key to cloud security and describes identity as “the new security perimeter” for the cloud. He predicts a future where “all workloads are completely identity-based.”
In a research report last summer, some of Riley’s fellow Gartner analysts coined the term secure access service edge (SASE) to describe a cloud-based model of IT security where “identities are the new centre for access decisions, not the data centre.”
Stay tuned in the coming weeks for an in-depth look at SASE and how it could affect the network of the future.