Are you really securing your customer data?
Paul Friend, MBA
Cybersecurity Compliance & Advisory | ARN Innovation Award winner
If anything, recent breaches have highlighted that, even with many other security controls in place, cloud workloads, databases, APIs and SaaS application security remain a weak point for organisations. Why is this?
It certainly seems that there is a misunderstanding of the shared responsibility for security when it comes to cloud services and SaaS applications. Given how widely cloud has been adopted, recent breaches indicate that organisations are ill-prepared to protect their cloud systems (and customer data) from compromise: they often rely on legacy security controls to protect modern workloads, containers and SaaS applications, or assume that their cloud service provider or third parties will take care of security.
Many organisations have no way to govern their external partners and confirm that security best practices, compliance mandates and corporate cyber policies are actually being followed.
Securing a modern cloud-centric organisation requires controls across the User Plane, Control Plane and Data Plane:
1. User Plane - Protect the user or customer profile, for example by:
2. Control Plane - Protect workloads, containers and SaaS applications, for example by:
3. Data Plane - Know where your crown jewels are and protect them, for example by:
In summary, addressing cloud security does not need to be complicated: it requires protecting our users from compromise, continuously assessing the security and compliance posture of our cloud services, and ensuring our SaaS applications are correctly configured to protect the data they process and store.
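What "continuously assessing the posture" of the three planes looks like in practice, as an added example that is not the author's tooling or any vendor's product: a small checker that runs identity, workload and data-store rules over one inventory snapshot. The inventory and every field name in it are constructed assumptions for the demo, not a real provider's API schema; in a real deployment the snapshot would come from the cloud and SaaS admin APIs on a schedule, and the findings would feed the ticketing or SIEM pipeline.

```python
"""Posture checks across the three planes the article names.

This is an added illustration, not tooling from the article's author or any
vendor. The inventory is a constructed snapshot of a hypothetical organisation's
cloud and SaaS configuration; every field name is an assumption, not a real
provider's API schema.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed inventory (hypothetical field names).
INVENTORY = {
    "users": [
        {"id": "alice", "mfa": True, "admin": True, "last_login_days": 3},
        {"id": "svc-backup", "mfa": False, "admin": True, "last_login_days": 200},
        {"id": "bob", "mfa": False, "admin": False, "last_login_days": 12},
    ],
    "workloads": [
        {"name": "api-prod", "image_tag": "1.4.2", "runs_as_root": False, "public_ports": [443]},
        {"name": "batch", "image_tag": "latest", "runs_as_root": True, "public_ports": [22, 8080]},
    ],
    "datastores": [
        {"name": "customer-db", "classification": "confidential",
         "encrypted_at_rest": True, "public": False, "owner": "data-team"},
        {"name": "exports-bucket", "classification": "confidential",
         "encrypted_at_rest": False, "public": True, "owner": None},
        {"name": "logs", "classification": "internal",
         "encrypted_at_rest": True, "public": False, "owner": "platform"},
    ],
}

ALLOWED_PUBLIC_PORTS = {443}          # the only port expected to face the internet
SENSITIVE = {"confidential", "restricted"}
DORMANT_AFTER_DAYS = 90


@dataclass(frozen=True)
class Finding:
    plane: str
    resource: str
    issue: str
    severity: str


def check_user_plane(users):
    """Identity hygiene: MFA on every account (privileged first), no dormant logins."""
    findings = []
    for u in users:
        if not u["mfa"]:
            sev = "high" if u["admin"] else "medium"
            what = "privileged account without MFA" if u["admin"] else "account without MFA"
            findings.append(Finding("user", u["id"], what, sev))
        if u["last_login_days"] > DORMANT_AFTER_DAYS:
            findings.append(Finding("user", u["id"],
                                    f"dormant account ({u['last_login_days']} days since login)", "low"))
    return findings


def check_control_plane(workloads):
    """Workload configuration: pinned images, no root, no unexpected exposure."""
    findings = []
    for w in workloads:
        if w["image_tag"] == "latest":
            findings.append(Finding("control", w["name"], "unpinned container image tag", "medium"))
        if w["runs_as_root"]:
            findings.append(Finding("control", w["name"], "container runs as root", "high"))
        exposed = sorted(p for p in w["public_ports"] if p not in ALLOWED_PUBLIC_PORTS)
        if exposed:
            findings.append(Finding("control", w["name"], f"unexpected public ports {exposed}", "high"))
    return findings


def check_data_plane(datastores):
    """Crown jewels: classified data must be encrypted, not public, and owned by someone."""
    findings = []
    for d in datastores:
        if d["classification"] in SENSITIVE and not d["encrypted_at_rest"]:
            findings.append(Finding("data", d["name"], "sensitive data not encrypted at rest", "high"))
        if d["public"] and d["classification"] != "public":
            findings.append(Finding("data", d["name"], "non-public data reachable anonymously", "critical"))
        if d["owner"] is None:
            findings.append(Finding("data", d["name"], "no accountable owner recorded", "medium"))
    return findings


def assess(inventory):
    """Run all three plane checks over one inventory snapshot."""
    return (check_user_plane(inventory.get("users", []))
            + check_control_plane(inventory.get("workloads", []))
            + check_data_plane(inventory.get("datastores", [])))


def summarise(findings):
    """Count findings per plane; for INVENTORY this is {'user': 3, 'control': 3, 'data': 3}."""
    return dict(Counter(f.plane for f in findings))


if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"[{f.severity:8}] {f.plane:7} {f.resource}: {f.issue}")
    print(summarise(assess(INVENTORY)))
```

The rules are deliberately boring: each one maps to a sentence in the article (MFA for the user plane, hardened containers for the control plane, encryption, no anonymous access and a named owner for the data plane). The value is in running them on every snapshot rather than once at go-live, so that a bucket flipped to public or a service account that lost MFA shows up the same day instead of in the breach report.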
1 year ago
Paul, thanks for sharing!
ANZ Sales @ Qualys | Sales and Channel Strategy
2 years ago
Paul, RE: "encryption where possible". Encryption is useful but also comes at a cost. 1. CPU. 2. Can be stolen outright (and later cracked or held to ransom) or locked (data stays in the environment but is double encrypted). In most cases, it isn't a modern design principle when securing data. Replacing any data source with a token that has data integrity allows an organisation to focus on ensuring the "who has access", as any unauthorized users would be stealing the tokenized data (not important). With that being said, knowing what your crown jewels are is a fundamental practice. My observation is that most organisations are approaching this with tools that scan against known applications and databases. Where they struggle is the dark corners where data still resides but falls outside of corporate data governance. I still struggle to understand what is the point of data classification on just data you know to be held when most organisations have 20-30% of data held through shadow IT, replicated DBs, and old and not retired test platforms. Even incorrectly disposed hard drives have been found in 2022.
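The design the comment above describes, tokens with an integrity tag in the data store and the "who has access" decision enforced at the vault, as an added example that is not the commenter's, the author's or any product's code. The vault layout, the token format, the demo HMAC key and the customer records are all constructed assumptions for the illustration.

```python
"""Tokenization in place of encryption for stored customer data.

Added illustration; not code from the article's author, the commenter or any
product. The vault design, token format, HMAC key and records are constructed
for the demo.
"""
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the only mapping between real values and tokens.

    A token carries an HMAC tag so any service can check that a token is
    genuine (integrity) without being able to learn the value behind it.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._to_token: dict[str, str] = {}
        self._to_value: dict[str, str] = {}

    def _tag(self, body: str) -> str:
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:16]

    def tokenize(self, value: str) -> str:
        """Return the existing token for a value, or mint a random one."""
        token = self._to_token.get(value)
        if token is None:
            body = secrets.token_hex(12)          # random, unrelated to the value
            token = f"tok_{body}_{self._tag(body)}"
            self._to_token[value] = token
            self._to_value[token] = value
        return token

    def verify(self, token: str) -> bool:
        """Integrity check only: does the tag match the body under our key?"""
        parts = token.split("_")
        if len(parts) != 3 or parts[0] != "tok":
            return False
        return hmac.compare_digest(self._tag(parts[1]), parts[2])

    def detokenize(self, token: str, roles: set) -> str:
        """The one place the 'who has access' decision is enforced."""
        if "detokenize" not in roles:
            raise PermissionError("caller is not authorised to detokenize")
        if not self.verify(token):
            raise ValueError("token failed integrity check")
        return self._to_value[token]


# Constructed customer records (fictional values).
RECORDS = [
    {"id": 1, "email": "ana@example.test", "card": "4111111111111111", "plan": "gold"},
    {"id": 2, "email": "ben@example.test", "card": "5555555555554444", "plan": "basic"},
]
SENSITIVE_FIELDS = ("email", "card")


def protect(vault: TokenVault, records, fields):
    """Copy records with each sensitive field replaced by its token."""
    protected = []
    for rec in records:
        copy = dict(rec)
        for f in fields:
            copy[f] = vault.tokenize(rec[f])
        protected.append(copy)
    return protected


def raw_values_present(record_set, fields, originals) -> int:
    """How many original sensitive values sit verbatim in a record set,
    i.e. what someone who copied that set outright would walk away with."""
    real = {o[f] for o in originals for f in fields}
    return sum(1 for r in record_set for f in fields if r[f] in real)


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")      # in practice: a key from a KMS/HSM
    stored = protect(vault, RECORDS, SENSITIVE_FIELDS)
    print("raw values in stored table:", raw_values_present(stored, SENSITIVE_FIELDS, RECORDS))
    print("support view:", vault.detokenize(stored[0]["email"], {"support", "detokenize"}))
```

Two design points worth noticing. Tokens are deterministic per value, so the stored table still joins and deduplicates on them, but that also means two records sharing an email are visibly linked; use a per-record token where that linkage is itself sensitive. And the vault becomes the crown jewel: the tag lets every service reject forged tokens cheaply, while the `detokenize` path is the single audit point for who actually reads customer data.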