Protecting Sensitive Data When Migrating To The Cloud

Given the clear benefits of cloud computing it is interesting that there are not more organisations adopting this way of provisioning data-driven IT services for their employees. After all, there is less outlay on technology capital expenditure, less HR spend on IT personnel, and the opportunity to leverage the latest efficient IT solutions. Yet for many organisations, fears about the cloud linger.

One of the biggest issues for banks and financial services companies is to guard against unauthorised access to data, and there are genuine concerns that moving to the cloud will bring about less, rather than more, stringent security controls. Questions are repeatedly raised around how to keep files encrypted as they move to and from the cloud or are sent to customers and business partners via cloud-based services. There is also a lack of understanding about whether a cloud environment will comply with industry-specific and general data protection security regulations, not to mention data leakage, and accessing information from multiple devices.

One of the biggest issues for banks and financial services companies is to guard against unauthorised access to data

The most important decision for a bank or finance company is to select their cloud provider carefully, and ensure that all of their employees use only this approved platform. Enabling multiple platforms has the effect of fragmenting sources and sharing services, reducing the ability to monitor and control the spread of data, and compromising security protocols. Without access to a corporate-approved cloud platform, the temptation is for employees to use free, unsecure cloud environments just to ‘get the job done’, and the danger is that the IT department may not even be aware of it.

Another consideration is the lack of physical control. If someone wants to steal data from an on-site data centre, they have to physically enter the building to access the systems that house the sensitive documents. But with the cloud, if credentials are stolen, it is difficult for organisations to retrospectively restrict document access. On premises, sensitive data is the priority of the company. For cloud providers, however, the priority is giving access to their platforms 24/7, even if security is taken seriously.

Case in point - Banks

At all costs, banks and financial advisory firms must avoid the loss of capital and ensure there is no capacity for unauthorised users to access data that could lead to them taking the institution’s money somewhere else. The challenge lies in letting appropriate data be available to appropriate authorised users but also making sure all financial assets can be dealt with as if they were located within the walls of the institution’s datacentre and only accessed by trusted individuals.

Case in point - Insurance

Because so many customer interactions take place in the field, insurance companies can benefit greatly from collaborating in the cloud. At the same time, firms must prevent fraudulent activity where unauthorised users attempt to modify claims for their own benefit. Of course, personally identifiable client information must also be protected from unauthorised access.

The challenges

Companies must make sure they keep every-day file exchanges — financial statements, accounts records and policy documents—as fully-protected as possible, whether at rest or in transit. This is made more difficult by the security issues that relate to rapidly-evolving technologies such as mobility and the Internet of Things (IoT), both of which are looking to access services and data running in the cloud.

The expansion of devices supported by the cloud also opens businesses up to more insider threats since super-admins can impersonate other end users to access their data. This can happen even without users (including senior management) realising the admin is viewing their files.

Financial organisations also need to monitor whether employees might take advantage of the cloud— intentionally or accidently—to “over-share” their documents. Eager to get more business done, they may allow customers or business partners to see things they shouldn’t. The sharing of data may also grow or “creep” beyond the initial partnership agreement, letting more external users access more information than they should be allowed.

Another challenge is “Man-in-the-Middle” attacks where hackers secretly relay and possibly alter communications between two parties who believe they are directly communicating with each other.

Many of these challenges stem from the development of ‘shadow IT’ practices that the availability of cloud services enables. This means that unless employees are restricted to a corporate cloud, they are likely to look for ways to collaborate and share files with each other as well as their trusted contractors, service providers and partners. Clearly stated and understood usage rules need to be applied.

Mind the gap

Device-based encryption, also referred to as hard disk and removable drive encryption allows data on the drive to be protected. This approach works well if the device (such as a laptop or USB drive) is lost or stolen. The challenge comes when a user is logged into the device and the data is unencrypted while they work on a document. Without additional protections, the data can then be used (unencrypted) in other apps running on the device and sometimes even leave the device through the network. The data can then be uploaded, unprotected, to another device via a cloud platform or email.

To overcome device and disk-based encryption gaps, data can be classified by a technique often called data loss prevention (DLP). This ensures data does not leave the device nor the network based on policies and rules. However, the data classification approach also presents several challenges in terms of which data files need to be encrypted; configuring the decryption policies and rules and applying them appropriately.

Policies can become outdated before they even go into effect. For example, a policy might be set to block external sharing of information that contains personally-identifiable information. So it might block data if, for example, a file contains a driver’s license number and an address, which leads to some questions:

  • hat happens if the information is needed to, for example, complete a loan agreement, or for an insurance claims adjuster to complete a claim?
  • What happens if the information is needed by a partner to complete the paperwork?
  • When, how and via what devices can the file be accessed (such as a smartphone)?
  • If a security policy change is made, is it an exception or does it become a rule?
  • If it becomes a rule, who does the rule apply to?
  • Does the rule last “forever” or does it expire after the business case disappears?

When moving to the cloud, DLP solutions work similarly to disk-based encryption, meaning the data is encrypted before it leaves the network and heads to the cloud. The challenge, similar to disk-based encryption, is that the data cannot be used in the cloud if it is encrypted. Device-based encryption and DLP certainly can play a role in protecting on-premises data at rest. But to completely protect files—as they leave the company and go into the cloud or onto devices and networks outside the organisation’s direct control—IT needs to apply a third security approach. The goal should be to encrypt data at rest—on devices, in file systems, on removable drives, on the network AND as it moves to the cloud.

When encrypted data moves to the cloud, employees should still be able to access the information from the cloud using other devices and applications they’ve been granted rights to use. The answer to achieving this goal: Combine centralised security controls and rules with the option to give end users the ability to apply encryption to the files they handle.

Employee Applied Encryption

Enabling employees to apply encryption allows them to create their own trusted circle of collaborators in order to view the files. Wherever files go, they’re encrypted, and employees have the freedom to conduct business and improve their productivity while still protecting digital assets. Combining this approach with centralised controls and rules creates a powerful security defence system, putting the power in the hands of the users while keeping the ultimate control within IT. This method also reduces the amount of time spent by IT on securing documents. Users can select the data they need to get their jobs done—without having to wait for approval from IT or wait as IT updates the list of approved collaborators and supporting policies. In addition to making sure data is not at risk, this approach keeps data more searchable and sortable for internal employees. In addition, secure file exchanges can occur among internal and external collaborators, including temporary employees and remote employees.

From the perspective of IT and the business, data remains protected from unauthorised access and accidental disclosure. Data is also protected from access by vendors, super-admins and government surveillance. The technology is available for apps running on laptops, desktops, tablets and smartphones. Even though it’s applied by users, IT can still define, manage, enforce, track, audit and report on data protection policies for the company. Individual users can also be monitored to make sure they use the technology correctly, and IT can still see how far and wide data travels inside and outside the organisation.

In essence, while end users gain front-line control, their data handling actions are completely transparent to, yet completely controlled by, the organisation. While the control is there, end-user content remains protected, even from super-admin eyes in IT.

Also published on Finance Digest Magazine :

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]

About the author

Jocelyn Krystlik
Business Unit Data Security Manager, Stormshield

Jocelyn has varied experience in security: he spent eight years in consulting and product management for Arkoon until it was bought out by Stormshield’s parent company, Airbus. Since 2014, he has been helping Stormshield's clients reduce their exposure to threats by providing expertise, advice, and training in data security, especially in the cloud. He played a key role in bringing Security Box, a corporate data security product, to market. He is now Manager of the Data Security Business Unit.