To ensure a completely bulletproof data service, there are certain components you must own and control. At all times, you need to ensure that you’re in the driver’s seat, and that you didn’t hand over your car keys, along with your corporate data security and privacy, to someone else.
As your company’s security expert, you are the one chosen to protect your organisation’s data so you should invest in a system that allows you to apply your corporate policies, integrate your corporate security countermeasure systems while gaining continuous insight to your corporate user usage patterns.
You must own your corporate user identities, your metadata and your encryption keys. In addition, you must control your corporate data residency, network countermeasures and internal and external sharing policies. This must be achieved against a backdrop of heightened regulation and increased threats for enterprises that want to adopt cloud computing.
On the regulatory front, the US Patriot Act stipulates that the US government may collect data from US-based cloud companies regardless of the data’s physical location. As part of the PRISM programme, the NSA secretly collects internet communications from major US internet companies, including Google and Microsoft.
High profile hacks demonstrate the intensification of malicious attacks by rogue parties and it has become fundamental for any organisation using cloud services that they can demonstrate they – and their cloud providers – are compliant to the highest security standards.
Such standards include state-of-the art physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, to name a few, but while such efforts may sound impressive, in reality they offer absolutely no defence to enterprises seeking a security model that cannot be owned. In addition, they provide no protection against government data requests, blind subpoenas and clandestine spying.
Many SaaS companies will tell you that it matters less where the data is physically located, and more where the encryption keys are managed. One way around data privacy and residency regulations is encrypting everything before sending it to the cloud, and keeping the encryption keys on-premises, while allowing the encrypted data to be stored at public cloud providers. This is sound advice.
Attempting to implement this idea, many public cloud file services have announced their support for enterprise key management (EKM) to push security-conscious, cloud-averse organisations to adopt the cloud by placing the encryption keys in the customer’s hands.
While at first this may seem like a good approach to data security, it’s neither sufficient nor comprehensive, because, whether cloud-based or on-premise, EKM only provides a solution for preventing data arriving at unwanted hands after the event.
Your enterprise data service needs to provide you with controls that will enable you to take proactive measures and adhere to secure file transfer standards to prevent sensitive corporate data loss or leakage.
You need to trust that your service provider:
- Wasn’t instructed by the government to install an auditing device, responsible for tapping and recording all of your data, metadata, encryption keys and user identities.
- Won’t impersonate your user accounts to access their data.
- Won’t generate links or collaboration shares to data on behalf of your users.
- Doesn’t cache the keys that are used to encrypt your files.
In this age of cyber threats and exponential data growth, organisations cannot afford to take the optimistic approach or put on blindfolds and pray that their company’s sensitive information doesn’t get compromised. Breaches are the new normal.