Three Considerations for Reducing Risk in Cloud Computing

By Augustine Doe, VP, Enterprise Risk Management, Network Health

Organizations continue to migrate data—one of their key assets—to the cloud for a variety of reasons: optimizing capacity, providing 24/7, 365-day access to data, backing up essential information, and improving collaboration between users. While this increased reliance on the cloud speaks to the many benefits the cloud provides, it is also forcing organizations to confront the various risks cloud computing poses. This article summarizes three practical considerations for any organization looking to reduce risk in cloud computing.

1: The types of security both the organization and cloud provider offer for data inbound to the cloud, at rest in the cloud, and outbound to users.

Inbound to the cloud: Encrypted or otherwise secured data passage to the cloud always reduces the risk of third parties being able to intercept the data. This is particularly important for data likely to be used by bad actors for nefarious purposes. Payment Card Information (PCI), Protected Health Information (PHI), Personally Identifiable Information (PII), non-card financial data, and confidential data are among the kinds of data most desirable to bad actors.

At rest in the cloud: Reviewing the fine print in each cloud agreement regarding the type of security the cloud provider applies to data at rest goes a long way toward enhancing an organization’s overall cyber posture. Most fee-free cloud storage agreements provide little, if any, data protection, so an organization needs to perform its due diligence on the type of protection the cloud provider offers under each cloud agreement.

For instance, depending on the type of data and the location where it will be stored, the level of data security must meet a specific minimum as required by state, federal, and international laws. The organization should know what level of security its data must have to comply with any applicable laws.

Outbound data to users: An organization’s data protection efforts come to naught if data leaving the cloud destined for users does not receive appropriate protection. As part of the organization’s practices for managing third parties (e.g., vendors, reporting agencies, regulators, joint venture partners, franchisees, etc.), users of the data should be reviewed on an ongoing basis for sound data security practices, such as Service Organization Controls (SOC 1 and SOC 2) reports. The organization also needs to stay on top of its access, security, and change management protocols and controls, and continually educate employees and third parties about the importance of sharing each type of data through the appropriate medium.

2: An organization should be aware of the type(s) of data in its data value chain most susceptible to loss from cloud usage.

Data containing PCI appears to be the data most desired by bad actors. According to Verizon’s 2016 Data Breach Report, 27 percent of 53,100 PCI records (using the median value of records for each type of data observed) experienced breach incidents, compared to 11 percent of 1,000 PHI records, 48 percent of 761 PII records, and five percent of 55 non-card financial records. Because PCI data is most desired, its movement in and out of the cloud should be afforded a higher level of protection, e.g., encryption, as part of any organization’s overall data security management.

3: Organizations should enforce security, change, and access management protocols and controls in real time to reduce risk in cloud computing.

Bad actors are constantly probing for weak links that offer an easy way into an organization’s data value chain. The cloud should not be considered a shield, nor does it make data more secure by default. Data on its way to the cloud, at rest in the cloud, and leaving the cloud should continue to be governed by the organization’s security, change, and access management protocols and controls in real time. To assist organizations with real-time management, a variety of security firms provide year-round, 24/7 enforcement of security, change, and access management protocols and controls.

Cloud computing has become a staple of many organizations’ operations, and several factors suggest both volume and demand will increase. First, the amount of data that organizations must analyze to make sound business decisions continues to grow, so organizations need to optimize capacity both to store and to analyze data. Second, the ongoing maturation of the service sector in the U.S. economy means businesses need 24/7 access to data to remain competitive. Third, as bad actors become more sophisticated, organizations need to stay extra vigilant not only in protecting data but also in having an avenue to recover data and remediate in the event of corruption. Data backup is an excellent fallback position to deploy in the event of corrupted data. Finally, the increasing complexity and interconnectedness of business continues to push organizations to collaborate more with each other, and the cloud provides a great avenue for this collaboration.

The optimal approach to managing risk in cloud computing is for an organization to clearly understand the security afforded across its entire data value chain and the types of data that are most susceptible to loss or misuse, and to continue to enforce security, change, and access management protocols and controls in real time. Only when these steps are taken can an organization feel that it has a robust front for managing and protecting one of its most critical assets.