As many CISOs will tell you, IT security today is all about protecting data, not data centers. This data-centric view is largely a product of data moving to the cloud and to mobile devices, and it is so relevant today that it is the focus of Gartner's latest research on protecting data in the cloud. In that report, Gartner identified four pillars companies must address to protect their information: visibility, compliance, threat detection, and data security. With the average company uploading more data to the cloud every day, and 21% of files uploaded to file sharing services containing sensitive data, the stakes for securing data couldn't be higher.

With regard to data security, Gartner says that data is mission-critical to the enterprise and that securing that data is the primary goal of any IT security organization. Therefore, if the enterprise is moving its data into cloud services, IT security must:

  • Ensure that sensitive data is encrypted using known good algorithms, or tokenized, before it enters the cloud service, driven by a configurable data security policy.
  • Ensure that robust authentication procedures are defined and enforced, including central credential store usage, certificates, and multi-factor authentication.
  • Support encryption key management via a hardware security module (HSM).
  • Ensure that only authorized users and groups have access to enterprise data.
  • Prevent data from being lost within cloud services when the owner is de-provisioned.
  • Ensure functionality within cloud services is maintained when data within those services is encrypted or tokenized so that the value of the services can be fully realized.
  • Ensure that data loss prevention and e-discovery are available for cloud services, just as they are for on-premises systems today.

We polled CISOs about the questions and metrics they expect their teams to be able to answer. Many of the questions were related to determining which data should be encrypted in specific cloud services. But there were also questions about operational activities they expected their teams to perform, such as tracking breaches of cloud services used by employees and auditing the security controls of the cloud providers in use. Key questions asked by CISOs include:

  1. Which cloud services encrypt data at rest and provide multi-factor authentication?
  2. What are the compliance certifications of the services employees are using?
  3. Which of our cloud services undergo regular penetration testing?
  4. Which of our cloud services have been compromised in the last week, month, year?
  5. Which data should be encrypted in which cloud services?
  6. How do we encrypt data while maintaining required functionality within cloud services?
  7. How do we encrypt data while controlling our own encryption keys?
  8. How do we employ tokenization to ensure data privacy in addition to security?
  9. How do we enforce access policies based on user, device, and location?

Some cloud services have security capabilities that far exceed those of most corporate data centers. However, with over 12,000 cloud services available today, there is a large variation in the security capabilities offered. The good news is that an increasing number of cloud services are investing in security, but a larger number still do not offer even basic security features. Only 17% of cloud services provide multi-factor authentication, only 5% are ISO 27001 certified, and only 11% encrypt data at rest. For this reason, it is important to assess the risk of each service individually and to enable risk-based policies on acceptable usage.