Whose data is it anyway?

Agero, based in Medford, Mass., is a white-label service for drivers that coordinates activities ranging from roadside assistance to accident management. The B2B’s partners include insurance and auto giants. “Not only do we not want people going in and stealing data, but it would be a difficult discussion to have with a client, as well as all the other clients, to understand how, exactly, there was a client data breach,” says Sullivan, who is also vice president of technology shared services at Agero. “My greatest concern is that we expose a client’s data out there somehow and don’t do the diligence that we need to protect that.”

By crafting a security plan and taking sensible precautions, organizations can greatly reduce the chance that their data will fall into the wrong hands. Being data smart means asking potential cloud providers the right questions but also sharing responsibility for potential breaches. 

For companies, cloud security appears to be top of mind. In Deloitte’s recent U.S. Future of Cloud Strategy Survey Report, 91% of the 500 organizations surveyed said that they have updated their business and operational strategies to address cloud security, risk, and controls. Meanwhile, 83% said that their cloud investments are driving positive outcomes for mitigating business and regulatory risk.

How well do cloud providers safeguard customer data? “Historically, they’ve done a really, really solid job,” says Daniel Schiappa, chief product officer with cybersecurity firm Arctic Wolf Networks, an Amazon Web Services (AWS) partner.

That includes keeping data from different customers separate, adds Schiappa, whose Eden Prairie, Minn.–based company’s clients include Agero. “I’ve been building solutions in AWS for decades now, and never once have I run into an issue where my data, or any data that comes from my solutions, has showed up in somebody else’s environment, and vice versa.”

But companies must remember that data security is a shared responsibility with their cloud provider. “Sometimes you’ll hear it as a shared fate,” says Ryan Orsi, worldwide cloud foundations partner lead for security at AWS.

While the vendor is responsible for host operating systems, virtualization layers, and any devices and buildings where the cloud is located, what’s known as security in the cloud falls to the customer, Orsi explains. “The moment they build an application, the moment they upload a piece of data into the cloud, they are responsible for that.”

Cloud providers give you many of the mechanisms you need for data protection, says Dan Mellen, global cloud and infrastructure cybersecurity lead with Accenture. “But what I find and what I see with most of our clients is that they don’t always understand the capabilities that are available to protect that data,” Mellen observes. At the same time, different business lines might be pushing data without any standardization, he says. “Part of it is a governance problem from a data standpoint and cloud usage standpoint.”

And increasingly, cybercriminals are stealing data the easy way. “One of the biggest threats that we’re seeing in the industry today is hackers are doing less of exploiting complex vulnerabilities and more exploiting the people and the access to cloud services to get access to that data,” says Tyler Healy, vice president of security with DigitalOcean, a New York–headquartered cloud infrastructure provider. Those weaknesses could include not enabling two-factor authentication or making access permissions too broad.

This year’s Uber hack is a prime example. “It really came down to 2FA fatigue,” Healy says. “So someone gets access to account credentials, the two-factor authentication, which is a push notification to your phone.”

As a customer, you must determine your own data security policies, Schiappa says. “The provider will do what the platform should do, but then you also have to do what you think is right for your data.” It all starts with a plan: “Once you come up with that data plan, you can look at the various cloud providers and make sure that they [meet] the needs that you have.”

If you’re using infrastructure as a service (IaaS)—a cloud construct that lets you do things like build your own servers—expect more security legwork than with software as a service (SaaS), Sullivan warns. “It’s a bigger lift for the customer because you have to understand the things that you do: How does that impact the security of the platform?” he says. “So the cloud provider can do a lot of things to make sure that you can be safe in their cloud environment. That doesn’t mean you’re going to be safe in their cloud environment.”

With clients, Agero develops a check sheet that includes details like whether multifactor authentication is enabled and all data is encrypted at rest and in transport, Sullivan says. “As time goes on, as you understand your own risk and what you’re doing within the space, what data’s going back and forth, what your concerns are, you kind of mature this data check sheet.”

From a data security standpoint, what are the hallmarks of a reliable cloud provider? Orsi recommends looking at its native capabilities in four key areas: encryption, key management, identity, and access controls. “Then also look at how are those capabilities extended by their partner ecosystem,” he says. “The partners, these software companies, and these system integrators—they can help the customer adopt a best practice much quicker.”

Sullivan suggests checking a provider’s certifications. “Do they have an ISO certification? Do they have a NIST certification?” he says, referring to the International Organization for Standardization and the National Institute of Standards and Technology. “And not just that they comply to that standard, but that there’s a third-party audit involved.”

It’s also worth weighing their commitment to privacy regimes such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), Healy says. “Companies that go above and beyond demonstrate that through communications about how they treat customer data, putting customer privacy in the forefront.”

What are some red flags?

For the customer, it’s a simple question, Orsi maintains. “If they don’t feel they’re 100% certain of where all of their data resides and whether or not there’s personally identifiable information in those locations…that’s a red flag,” he says. “There’s a lot of different reasons and scenarios where personally identifiable information can get into the wrong data location and risk their compliance status within the regulations out there.”

Along the same lines, you should know where a cloud provider stands on data sovereignty, Schiappa says. “If you’re a multinational and you’re working across the globe, and you’re going to do business in certain regions, do they have data sovereignty issues?” he asks. “And does your cloud provider have an instance in that region so you can actually keep the data local?”

Anyone concerned about how a vendor might share data can pull up its data processing agreement, Healy notes. “A company should be communicating to its customers who their downstream providers are,” he says. “If they’re lacking in that space, I would say that’s maybe something that you wouldn’t trust your data with.”

Besides keeping tabs on who might share and monetize their customer information, Healy advises companies to collect as little data as possible themselves. “I think that should always be the default baseline.”

Data hygiene, whose standards vary, is another potential sticking point. For example, the AWS management console now flags storage buckets that are publicly accessible or unencrypted, regardless of the data type, Mellen explains. “Those capabilities are examples of positive steps by the hyperscalers,” he says. “If you’re shopping for a provider and you don’t see those kinds of capabilities, that provider may not have the same focus on data security.”

Mellen favors having an in-house team to handle data security. “It is unique enough, big enough, and important enough,” he says. “I’ve even seen large global organizations have data security teams that are localized.”

For companies lacking the in-house expertise, Schiappa recommends getting outside help to develop a data security plan before choosing a vendor. “That’s going to drive a lot of the requirements that you’re going to launch in picking that right platform provider and then how you roll those things out,” he says. “You don’t want to start figuring that out after the fact.”

Looking ahead, Orsi sees cyber-resilience playing a key role. “When a potential security event occurs that disrupts access to the data or the application itself, that’s when there’s a test on how resilient the architecture was designed and the application was designed,” he says, citing a ransomware attack. “Whether it’s in the cloud or on-premises or, really, anywhere, that’s an area where I think companies should look at investment.”

Sullivan flags cloud security posture management (CSPM) as an emerging service. “These are advanced plays where the solutions—and some of them are multiple clouds, so they could do this on any player that’s out there—they’ll go out and interrogate all of your configurations, hunting for vulnerabilities,” he says. “And hunting to make sure that it meets your baseline, too.” Besides identifying security weaknesses, CSPM tools are learning to fix them.

Another technology that’s gaining traction is customers storing data in a cloud provider with an encryption key that they hold, Schiappa says. “The platform has to be able to read that data, so they’ll have a temporary key that they’ll use for that transaction, and that key will be shredded.” For anyone who gains access to your data under that encryption method, it’s like breaking into a jewelry store and being unable to steal anything, Schiappa says.

“The last part of this transition to the cloud that hasn’t transitioned over from traditional IT security is encryption,” he adds. “That’s going to become a more critical element.”

Consumers’ ability to manage their own data in the cloud will keep getting stronger, Healy predicts. “If you’re signed up with a reputable cloud provider, or, really, any software provider that’s using cloud services, you should be able to say, ‘Please forget me entirely; please forget all the data that I’ve stored on your cloud,’ and it should wiped entirely.”

People should also have the power to track where their data is stored, argues Healy, who doesn’t know how soon such practices might become standard. “But I think that the more trusted cloud service providers should be able to provide this as, essentially, peace of mind and a good privacy stance for their customers as a differentiator.”