Increasingly sensitive information in the cloud – how to best protect it

Organisations around the world continue to store more and more of their information in the cloud. This is essentially a good thing, as the cloud is almost always more secure than a local office or a company's own data centre. Unfortunately, security does not always keep pace with the influx of data into the cloud. For example, not everyone encrypts data ‘at rest’, has full visibility into what data is actually in the company's cloud applications, or uses Data Loss Prevention (DLP) features to protect against various types of data loss. Many companies also allow access to company-approved cloud services from personal devices, which can lead to sensitive information being downloaded from the cloud to an uncontrolled personal device.

For anyone who handles sensitive information – not least personal data and customer data – it is extremely important that everything is set up correctly, that you have the right security procedures in place (which are also followed) and full transparency regarding where and how data is stored and protected.

Your cloud services may violate GDPR regulations

The regulations governing the handling of personal data have been in place for several years, and until now, the major American cloud service providers have relied on the Privacy Shield agreement. However, since the European Court of Justice invalidated Privacy Shield, it is no longer permissible to refer solely to this agreement to demonstrate EU compatibility. Instead, it is now up to each individual business to assess whether sufficient protection is in place to ensure compliance with the requirements of the GDPR.

Data encryption can provide such protection for the organisation, but it is important to bear in mind that the burden of proof lies with the individual business in this case. It is therefore the individual business that must be able to guarantee that no external organisation (such as the American NSA) has cracked the current encryption levels. This is a guarantee that is extremely difficult, if not impossible, for individual organisations to provide.

All in all, we have a situation where there is an increased risk of sensitive data falling into the wrong hands – something that could ultimately also have a financial impact on the companies that handle the data.

Below are some important things that everyone who handles personal data (such as customer data) must ensure and consider.

5 tips on how to protect sensitive data

Gaining insight into the cloud and protecting sensitive data is not as difficult as it may seem. But of course, it's about knowing where to start and what to focus on. And it's about technical solutions, policies and procedures, as well as raising awareness among all employees.

1. Select a cloud service that guarantees regulatory compliance.

Make sure you are familiar with the data protection laws that apply in the country where your data will be stored, such as GDPR within the EU, and whether there are other laws that may override national laws, such as the US CLOUD Act. Don't forget that it is the cloud provider's country of residence that determines which regulations apply to data and applications, not the geographical location of the data centre.

2. Encryption is a must.

When moving to the cloud, or switching clouds, you need to ensure that your platform and cloud solutions offer the ability to encrypt data – both when data is stored in the cloud and when data is transferred or shared with business partners. Also, stay up to date on encryption – encryption technologies and processes are evolving rapidly. Organisations that have not reviewed and, where necessary, updated their encryption methods are often vulnerable to attacks.

3. Control, control, control.

Create a device control strategy to identify and control the use of all devices that can store or download data. This not only reduces the risk of bad things entering your network – it can also help prevent sensitive information from being leaked, either accidentally or intentionally. Use application control to track and restrict unnecessary or risky software.

Also consider restricting access to customer information – not everyone in an organisation needs to be able to see customers' personal information. The fewer people who have a genuine need for access, the fewer opportunities there are for attackers to find a weak point and steal data.

It may also be a good idea to separate your networks. Today's cybercriminals want more than just a user's password and a few files – they want access to your back-end databases, your PoS network and your test network. Therefore, consider separating your networks with powerful firewalls that treat your internal departments as potentially hostile to each other, rather than having a single large ‘internal’ barrier against the dreaded ‘outside’.

4. Do not forget the basic security features.

There are a number of things you should always have in your security toolbox – whether we're talking about protecting personal data in the cloud or elsewhere. For example, make sure you have effective endpoint, network and email protection that filters out most spam, malware and dangerous files. Teach your employees to be suspicious of emails, especially those with attachments, and to always report any unusual emails or attachments to the IT department. Unfortunately, there are still far too many company employees who accidentally download malware by clicking on links or attachments in emails.

In addition, you should of course have rigorous password procedures in place, and not allow pet names, birthdays or favourite teams to be used as passwords for cloud platforms where sensitive data is stored. If available, you should always implement multi-factor authentication – in fact, many people are now talking about doing away with passwords altogether and using biometric solutions instead.

So-called ‘shadow IT’ arises when employees use countless cloud services without your knowledge. Try to get an overview of which services are actually used in your organisation and how they are used. Make it clear to your employees that moving sensitive company data to a private Dropbox or similar is highly inappropriate. Even if it is ‘more convenient’ at the moment, it can greatly increase the risk of the information falling into the wrong hands (especially if the password for the Dropbox account is weak or has never been changed).
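One way to get that overview is to summarise outbound web proxy logs by destination. The sketch below is an added example, not part of the original article. The log layout (timestamp, user, method, URL, bytes sent), the host names and the approved-service list are all assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: cloud services the organisation has approved (hypothetical hosts).
SANCTIONED = {"sharepoint.example.com", "crm.example.com"}

# Constructed sample proxy log: timestamp user method url bytes_sent
SAMPLE_LOG = """\
2025-01-10T09:01:02Z alice POST https://sharepoint.example.com/upload 52000
2025-01-10T09:03:10Z bob POST https://personal-drive.example/upload 7340032
2025-01-10T09:04:44Z bob GET https://personal-drive.example/list 0
2025-01-10T09:07:19Z carol PUT https://paste.example.net/new 1200
malformed line
2025-01-10T09:09:00Z alice GET https://crm.example.com/customers 0
"""

def parse_line(line):
    """Return a dict for a well-formed log line, or None if it cannot be parsed."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    _ts, user, method, url, sent = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    return {"user": user, "method": method, "host": host.lower(), "sent": int(sent)}

def unsanctioned_usage(log_text, sanctioned=SANCTIONED):
    """Summarise traffic to hosts outside the approved list, largest uploads first."""
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "bytes_uploaded": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] in sanctioned:
            continue
        entry = usage[rec["host"]]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        # Uploads are what move company data out, so count them separately.
        if rec["method"] in ("POST", "PUT"):
            entry["bytes_uploaded"] += rec["sent"]
    return sorted(usage.items(), key=lambda kv: kv[1]["bytes_uploaded"], reverse=True)

if __name__ == "__main__":
    for host, stats in unsanctioned_usage(SAMPLE_LOG):
        print(host, sorted(stats["users"]), stats["requests"], stats["bytes_uploaded"])
```

Hosts that surface here are the starting point for a conversation with the users involved, and for deciding whether a service should be approved or blocked.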

Patching quickly and continuously is another very important part of your security work. Known but unpatched security holes are one of the most common attack vectors exploited by criminals. Unfortunately, patching is often neglected and given low priority. Therefore, consider purchasing tools or services that handle patching for you. This will ensure that your operating system and applications are always updated with the latest security fixes.

5. Only save what is absolutely necessary.

Collecting unnecessary customer data is not only a waste of energy and resources, but also provides a larger target for attackers to focus on. It can also easily cause customers to worry and wonder why you need to collect so much information in the first place. So only collect and store what you really need for business purposes. You can also take it a step further and offer customers the option to choose whether or not they want to share personal information with you.

Instead of always trying to get as much as possible out of customer data (many companies still automatically subscribe their customers to mailings immediately after a transaction), consider destroying all data after you have used it, once your company has finished communicating with the customer. This type of security mindset strengthens customer confidence in your privacy efforts.
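Both halves of this tip, storing only the fields you need and destroying data once it has been used, can be enforced in code rather than left to policy. The following is an added example, not part of the original article. The table layout, the per-purpose field list and the 30-day grace period are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption: fields the business really needs, per purpose (hypothetical).
REQUIRED_FIELDS = {"order": {"name", "email", "delivery_address"}}
RETENTION = timedelta(days=30)  # assumed grace period after the purpose is fulfilled

# Constructed sample form submission; it contains more than the order needs.
SAMPLE_FORM = {"name": "A. Customer", "email": "a@example.com",
               "delivery_address": "1 Example St",
               "birthday": "1990-01-01", "phone": "000"}

def minimise(purpose, submitted):
    """Keep only the fields required for this purpose and drop the rest."""
    allowed = REQUIRED_FIELDS[purpose]
    missing = allowed - submitted.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    return {k: submitted[k] for k in allowed}

def store(conn, purpose, submitted, completed_at=None):
    """Insert the minimised record; completed_at marks when the purpose ended."""
    rec = minimise(purpose, submitted)
    rec["purpose"] = purpose
    rec["completed_at"] = completed_at.isoformat() if completed_at else None
    conn.execute("INSERT INTO customers VALUES "
                 "(:name, :email, :delivery_address, :purpose, :completed_at)", rec)

def purge_finished(conn, now):
    """Delete records whose purpose ended more than RETENTION ago."""
    # ISO-8601 strings in one timezone sort chronologically, so < works on text.
    cutoff = (now - RETENTION).isoformat()
    cur = conn.execute("DELETE FROM customers "
                       "WHERE completed_at IS NOT NULL AND completed_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT, email TEXT, "
                 "delivery_address TEXT, purpose TEXT, completed_at TEXT)")
    now = datetime(2025, 8, 1, tzinfo=timezone.utc)
    store(conn, "order", SAMPLE_FORM, completed_at=now - timedelta(days=90))
    store(conn, "order", SAMPLE_FORM, completed_at=now - timedelta(days=5))
    store(conn, "order", SAMPLE_FORM)  # order still open, so it must be kept
    deleted = purge_finished(conn, now)
    remaining = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    return deleted, remaining
```

Run on a schedule, `purge_finished` makes deletion the default outcome instead of something that depends on someone remembering to do it.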

In conclusion – make customer privacy everyone's priority

Data protection affects everyone. Customer security is far too critical to be handled by a select few. Once you have comprehensive security procedures and policies in place, ensure that everyone in your organisation understands them and, above all, follows them. For example, you should place extra emphasis on ensuring that your employees understand the potential risks of using their own devices or networks outside the office.
