Let’s explore cloud security
Cloud security, also known as cloud computing security, is a collection of security measures designed to protect cloud-based infrastructure, applications, and data. These measures ensure authentication of users and devices, access control for data and resources, and protection of data privacy. They also support data regulatory compliance.
Why is cloud security important?
Cloud security is critical, since most organizations are already using cloud computing in one form or another. This high rate of adoption of public cloud services is reflected in Gartner's recent prediction [1] that the worldwide market for public cloud services will grow 17% in 2020, with software as a service (SaaS) remaining the largest market segment. According to Gartner research vice president Sid Nag, "At this point, cloud adoption is mainstream."
But as companies move more data and applications to the cloud, IT professionals remain concerned about security, governance, and compliance issues when their content is stored in the cloud. They worry that highly sensitive business information and intellectual property may be exposed through accidental leaks or due to increasingly sophisticated cyber threats.
A crucial component of cloud security is focused on protecting data and business content, such as customer orders, secret design documents, and financial records. Preventing leaks and data theft is critical for maintaining your customers’ trust, and for protecting the assets that contribute to your competitive advantage.
Maintaining a strong cloud security posture helps organizations achieve the now widely recognized benefits of cloud computing: lower upfront costs, reduced ongoing operational and administrative costs, ease of scaling, increased reliability and availability, and a whole new way of working.
Let’s dive further into whether the public cloud is a safe place for your business content — and what attributes you should look for when choosing solutions from cloud service providers to protect your content in the cloud.
Is the cloud secure for my content?
As companies depend more on cloud storage and processing, CIOs and CISOs may have reservations about storing their content with a third party, apprehensive that abandoning the perimeter security model means giving up their only way of controlling access. That fear is largely unfounded: access control moves from the network edge to identity, permissions, and key management, and those controls stay in the customer's hands.
Over the last decade, cloud service providers (CSPs) have matured in their security expertise and toolsets. As a standard part of their service, they enforce boundaries between tenants (so, for example, one customer cannot read another customer's data). They also implement procedures and technology intended to keep their own employees from viewing customer data: encryption at rest, tightly restricted and audited access to keys and production systems, and policy. Note that encryption alone does not stop an insider who can reach the keys; it is the access controls around the keys that do, which is one reason customer-managed keys (discussed below) matter.
CSPs are acutely aware of the impact a single incident may have on the finances and brand reputation of their customers, and they go to great lengths to secure data and applications. These providers hire experts, invest in technology, and consult with customers to help them understand cloud security.
Customers have caught on, and have warmed to the notion that their data is probably safer in the cloud than within the company's perimeter. According to a study by Oracle and KPMG [2], 72% of participating organizations now view the cloud as much more or somewhat more secure than what they can deliver on-premises themselves. The cloud also offers opportunities for centralized platforms, architectures that reduce the attack surface, and security controls embedded consistently across multiple layers.
Data breaches do still occur. But on closer inspection of the cases of recent years, most breaches of cloud-hosted data resulted either from a misunderstanding of the role customers play in protecting their own data, or from customer misconfiguration of the security tools provided as part of the cloud service. The most recent annual Verizon Data Breach Investigations Report [3], which analyzes 2,013 confirmed data breaches, makes virtually no mention of cloud service provider failure; a large share of the breaches it details involved the use of stolen credentials, an attack that no infrastructure control on the provider's side can stop once a valid login is presented.
To avoid misunderstandings about which responsibilities fall to the customer and which to the provider, industry analysts and cloud service providers describe cloud security in terms of a shared responsibility model (also written Shared Responsibility Security Model, SRSM). It sets out where responsibility for each layer lies: the provider secures the underlying infrastructure and the service itself, and the customer secures what they put into it, who can reach it, and how it is configured.
As Gartner points out in a recent report [4], "The service provider maintains the operating environment and application; however, what is actually done within that environment — especially involving identity and access management (IAM) and data security — is under the control of the customer."
So in summary, the answer is yes — the cloud can be secure for your content, if you choose the right vendors to work with and configure your technology stack in a secure way.
6 things to look for when choosing a CSP
When it comes to CSP solutions that manage your content in the cloud, you need good vendors you can trust, who prioritize security and compliance. Here are six things to look for in a cloud solution:
1. Controls that prevent data leakage. Look for providers that have built-in controls that help prevent issues such as unauthorized access, accidental data leakage, and data theft. They should allow you to apply more precise security controls to your most sensitive and valuable data, such as through native security classifications.
Remember to ask: Are permission settings granular enough, reliable enough, and intuitive enough for internal users to share content with external partners?
2. Strong authentication. Look for strong authentication measures to ensure proper access through strong password controls and multi-factor authentication (MFA). Multi-factor authentication should be supported for both internal and external users, and single sign-on (SSO) should be supported so users can just log in once and have access to the tools they need.
Remember to ask: Does the system integrate with your favorite identity and access management solution in a way that enables automated provisioning and de-provisioning of users?
3. Data encryption. Make sure all data can be encrypted both at rest and in transit. At rest, data is encrypted with a symmetric cipher (typically AES) as it is written to storage; in transit, it is carried over a TLS-protected channel, whether the network is wired or wireless. Keep in mind what each layer buys you: encryption at rest with provider-held keys protects against lost or stolen media and raw access to disks, but it does nothing against anyone who can authenticate to the service with a valid identity, so the access controls and key management around the encryption matter as much as the cipher.
Remember to ask: Is it possible for customers to manage their own encryption keys, without diminishing user experience?
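To make the key-management question concrete, here is an added example in Go (not Box's code, and not a description of any provider's implementation) of envelope encryption, the usual design behind customer-managed keys: each object is encrypted under its own random data-encryption key (DEK), and the DEK is then wrapped under a key-encryption key (KEK) that the customer controls. The provider stores only the ciphertext and the wrapped DEK. Everything here is assumed for illustration: AES-256-GCM for both layers, the object ID as associated data, and a KEK generated locally where a real deployment would hold it in the customer's KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the provider stores for one object: the ciphertext plus
// the per-object data key, wrapped under a key only the customer controls.
type Envelope struct {
	WrapNonce  []byte // nonce used when wrapping the DEK under the KEK
	WrappedDEK []byte // 256-bit DEK, AES-256-GCM encrypted under the KEK
	Nonce      []byte // nonce used for the object ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the object, tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce. aad is
// authenticated but not encrypted; it carries the object ID so that a
// ciphertext or wrapped key cannot be silently moved onto another object.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, wrong aad, or any flipped bit.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptObject generates a fresh DEK for this object, encrypts the content
// under it, and wraps the DEK under the customer's KEK. The plaintext DEK is
// never stored; it is discarded when this function returns.
func EncryptObject(kek []byte, objectID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(objectID)
	wrapNonce, wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapNonce, wrapped, nonce, ct}, nil
}

// DecryptObject unwraps the DEK first. If the customer has revoked or rotated
// the KEK, that step fails and the stored ciphertext stays unreadable, even to
// the provider that holds it.
func DecryptObject(kek []byte, objectID string, env *Envelope) ([]byte, error) {
	aad := []byte(objectID)
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Nonce, env.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed; a real deployment keeps this in the customer's KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	env, err := EncryptObject(kek, "file-42", []byte("secret design document"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptObject(kek, "file-42", env)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	_, err = DecryptObject(kek, "file-43", env) // envelope replayed under another object ID
	fmt.Println("replayed under another object:", err)
}
```

Revoking or rotating the KEK makes every wrapped DEK useless until it is re-wrapped, which is what gives the customer an off switch over content the provider physically holds. AES-GCM with a random 96-bit nonce is fine for a DEK that encrypts a single object, but a KEK that wraps many DEKs should use a purpose-built key-wrap mode or the KMS's own wrap operation rather than this shortcut.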
4. Visibility and threat detection. Do administrators have one unified view of all user activity and of all internally and externally shared content? Does the provider use machine learning or statistical baselining to detect anomalous behavior, identify threats, and alert your teams? Such systems analyze usage to learn each user's typical patterns, then look for activity that falls outside those norms. Data behavior analysis might, for example, notice that somebody on your sales team, who rarely opens engineering content, downloaded a large batch of confidential product designs in a short time.
Remember to ask: Is activity logged continuously, and are alerts generated when suspicious activity is detected, using mechanisms that keep false positives low enough for your team to act on every alert?
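As an added example (not Box Shield's detection logic, which the page does not describe), the Go program below implements the simplest version of what the paragraph above describes: learn each user's baseline of daily confidential downloads, then flag any day that exceeds that baseline by more than k standard deviations, subject to an absolute floor so that users with little or no history are not flagged over a handful of downloads. The log format, users, and counts are all constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Event is one parsed record of the constructed log format
// "<RFC3339 time> <user> <action> <classification> <path>".
type Event struct{ Day, User, Action, Class, Path string }

// ParseLog keeps well-formed lines only; Day is the date part of the timestamp.
func ParseLog(lines []string) []Event {
	var out []Event
	for _, l := range lines {
		if f := strings.Fields(l); len(f) == 5 && len(f[0]) >= 10 {
			out = append(out, Event{f[0][:10], f[1], f[2], f[3], f[4]})
		} // anything else is malformed and skipped rather than aborting the batch
	}
	return out
}

// dailyCounts returns user -> day -> number of confidential downloads.
func dailyCounts(events []Event) map[string]map[string]int {
	c := map[string]map[string]int{}
	for _, e := range events {
		if e.Action != "download" || e.Class != "confidential" {
			continue
		}
		if c[e.User] == nil {
			c[e.User] = map[string]int{}
		}
		c[e.User][e.Day]++
	}
	return c
}

type Baseline struct{ Mean, Std float64 } // a user's typical daily volume

// Train computes each user's mean and standard deviation of daily counts over a
// window of windowDays days; days with no activity count as zero.
func Train(history []Event, windowDays int) map[string]Baseline {
	nd, base := float64(windowDays), map[string]Baseline{}
	for user, counts := range dailyCounts(history) {
		var sum, sq float64
		for _, n := range counts { // days absent from counts contribute zero
			sum, sq = sum+float64(n), sq+float64(n*n)
		}
		mean := sum / nd
		base[user] = Baseline{mean, math.Sqrt(math.Max(0, sq/nd-mean*mean))}
	}
	return base
}

type Alert struct{ User, Day string; Count int; Threshold float64 } // one flagged (user, day)

// Detect flags days where a user's count exceeds max(floor, mean + k*std). The
// absolute floor stops a user with an all-zero history (std = 0) or no history
// at all from being flagged over a few downloads, the main noise in a bare z-score.
func Detect(base map[string]Baseline, recent []Event, k float64, floor int) []Alert {
	var alerts []Alert
	for user, days := range dailyCounts(recent) {
		threshold := float64(floor)
		if b, ok := base[user]; ok {
			threshold = math.Max(threshold, b.Mean+k*b.Std)
		}
		for day, n := range days {
			if float64(n) > threshold {
				alerts = append(alerts, Alert{user, day, n, threshold})
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// gen emits constructed log lines: n confidential downloads per user on one day.
func gen(day int, counts map[string]int) (lines []string) {
	for user, n := range counts {
		for i := 0; i < n; i++ {
			lines = append(lines, fmt.Sprintf("2020-03-%02dT10:00:00Z %s download confidential /designs/%s-%d.pdf", day, user, user, i))
		}
	}
	return lines
}
// SampleLogs: ten days of history, then a day on which alice (sales) pulls 40
// designs, bob (engineering) his usual 22, and carol, who has no history, 12.
func SampleLogs() (history, recent []string) {
	alice := []int{1, 0, 2, 1, 0, 1, 2, 0, 1, 1}
	bob := []int{18, 22, 20, 25, 17, 21, 19, 23, 20, 24}
	for d := range alice {
		history = append(history, gen(d+1, map[string]int{"alice": alice[d], "bob": bob[d]})...)
	}
	recent = gen(11, map[string]int{"alice": 40, "bob": 22, "carol": 12})
	return history, append(recent, "2020-03-11T09:00:00Z carol preview confidential /designs/x.pdf", "not a log line")
}

func main() {
	history, recent := SampleLogs()
	fmt.Println(Detect(Train(ParseLog(history), 10), ParseLog(recent), 3, 10))
}
```

Running it flags alice, whose 40 downloads dwarf a baseline of under one per day, and carol, who has no baseline and crosses the floor, but not bob, for whom 22 is an ordinary day. The floor is the false-positive control the checklist asks about: without it, every user whose history is all zeros has std = 0 and would alert on a single download.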
5. Continuous compliance. Look for content lifecycle management capabilities, such as document retention and disposition, eDiscovery, and legal holds. Find out if the provider's service is independently audited and certified against the toughest global standards. Do their services help you meet regional or industry requirements such as GDPR, CCPA, FINRA rules, HIPAA, PCI DSS, GxP, and FedRAMP?
Remember to ask: How does the platform enable customers to keep up with ever-changing regulations?
6. Integrated security. Finally, check to see if the provider’s tools easily integrate with your security stack through RESTful APIs. The provider’s tools should promote seamless internal and external collaboration and workflow, and they should integrate with all your applications, so that security controls can extend to whatever application the user may be using to access your content.
Remember to ask: Are there APIs to ensure content protection in third-party apps, including custom-built apps?
The importance of balancing security and user experience
One principle of security systems to keep in mind: the measures shouldn’t be so rigid that users have to find workarounds to do their jobs. When security controls make a cloud computing solution difficult to use, users figure out ways of working around the controls, thereby rendering the system insecure. As experts point out, users are often the weakest link in any security system.
Because user experience is so critical, it’s important to partner with vendors who design security with the end user in mind, taking into account the human factor and using guardrails to ensure proper behavior rather than handcuffs to block actions. In the end, the goal is to ensure the desired level of security without slowing down the business.
Frictionless security is achieved when security is built in and natively integrated with the service. The trend is towards cloud-native security controls that secure the flow of content versus simply applying traditional, perimeter-based controls (that were designed for on-premises) to the cloud.
How Box helps with frictionless security and compliance
“Box empowers our clients to collaborate with their Financial Advisers seamlessly while adhering to the highest standards of data privacy, protection and security,” says Sal Cucchiara, Chief Information Officer for Wealth Management, Morgan Stanley. “Protecting our clients’ assets and personal information is our top concern, and this is our latest investment in safety and security at scale.”
Such a powerful endorsement from one of the largest (and most security-conscious) firms comes as no surprise when you consider the frictionless security and compliance built into Box’s offering.
For over a decade, Box has powered a safer way to work from anywhere, with anyone, and from any application. Box provides a single platform for secure file access, sharing, and collaboration both with internal teams and with partners, vendors, and customers. By centralizing your content in the cloud, you can reduce the surface area of risk while securing access with enterprise-grade security controls.
IT teams can secure access to content with granular permissions, SSO support for all major identity providers, native password controls, and two-factor authentication for internal and external users. Companies can rely on enterprise-grade infrastructure that is scalable and resilient: cryptography validated to FIPS 140-2, and every file encrypted with 256-bit AES wherever it is stored. Customers also have the option to manage their own encryption keys, which gives them final control over who can unlock their content.
In addition, Box provides simplified governance and compliance, with in-region storage as well as easy-to-configure policies that retain, dispose of, and preserve content. This helps you avoid fines and meet the most demanding global compliance and privacy requirements.
Finally, Box offers native data leakage prevention and threat detection through Box Shield, enabling you to place precise controls closer to your sensitive data. This prevents leaks in real time while maintaining a simple, frictionless experience for end users. Shield also empowers your security team with intelligent detection, providing rich alerts on suspicious behavior and malicious content so your team can act swiftly if needed.
[1] Gartner, "Gartner Forecasts Worldwide Public Cloud Revenue to Grow 17% in 2020," November 13, 2019.
[3] Verizon, "2019 Data Breach Investigations Report."
[4] Gartner Inc., "Clouds Are Secure: Are You Using Them Securely?," published 31 January 2018, refreshed 7 October 2019.