Are you really securing your customer data?

If anything, recent breaches have highlighted that even with many other security controls in place, the security of cloud workloads, databases, APIs and SaaS applications remains a problem for organisations. Why is this?

It certainly seems that there is a misunderstanding of our shared responsibility for security when it comes to cloud services and SaaS applications. Given the pace of cloud adoption, recent breaches indicate that organisations are ill-prepared to protect their cloud systems (and customer data) from compromise, often relying on legacy security controls to protect their modern workloads, containers and SaaS applications, or believing that their cloud service provider or third parties will take care of security for them.

Many organisations have no way to govern their external partners to ensure security best practices, compliance mandates and corporate cyber policies are being followed.

Securing a modern cloud centric organisation requires controls across the User Plane, Control Plane and the Data Plane:

1. User Plane - Protect the user or customer profile, for example by:

  • Identifying and protecting high-risk individuals.
  • Delivering security education for users and providing security guidance for customers.
  • Using strong authentication to ensure onboarded users are who they say they are.
  • Deploying MFA and investigating passwordless options that suit your business or your customers.
  • Managing the lifecycle of user access to ensure the right person has access to the right resource, at the right time.
  • Using behavioural analytics and insider threat technologies to ensure even legitimate insiders are using the systems as authorised.

2. Control Plane - Protect workloads, containers and SaaS applications, for example by:

  • Regularly assessing configurations of these cloud instances and applications against best practice and corporate policy to detect vulnerabilities and configuration drift.
  • Regularly assessing your applications and workloads against your corporate and regulatory compliance standards.
  • Deploying cloud-native security controls, such as run-time protection for modern workloads like containers and workloads defined as code.
  • Integrating security controls with ticketing systems to track and streamline the remediation of misconfigurations.

3. Data Plane - Know where your crown jewels are and protect them, for example by:

  • Assessing where your most important data is so you can adequately protect it.
  • Assessing data access configuration, ensuring the right users and roles have the right access, and stopping data exposures to the external world.
  • Only keeping data that is absolutely necessary.
  • Identifying all third parties connected to your SaaS platforms and maintaining an approve/deny list.
  • Continuously assessing custom platform code for vulnerabilities.
  • Encrypting data where possible.
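To make the Control Plane and Data Plane checks above concrete, here is an added example (not code from the article or its author) of a small posture assessment: it compares each resource's observed settings against a baseline policy to detect drift, flags customer-data stores exposed to the outside world, and checks connected third parties against an approve list. The resource names, configuration keys and baseline values are hypothetical; a real deployment would populate the inventory from the cloud provider's or SaaS platform's APIs.

```python
# Added example (not from the article): a posture check over a constructed inventory,
# covering drift against a baseline (Control Plane) and exposure, third-party and
# encryption checks (Data Plane). Names, fields and values are hypothetical.
from dataclasses import dataclass, field

BASELINE = {"public_access": False, "encrypted_at_rest": True, "logging": True}
APPROVED_THIRD_PARTIES = {"payroll-connector", "crm-sync"}  # the approve list

@dataclass
class Resource:
    name: str
    config: dict                   # settings as currently observed in the cloud/SaaS tenant
    holds_customer_data: bool = False
    third_parties: list = field(default_factory=list)

def drift(res: Resource) -> list[str]:
    """Keys whose observed value differs from the baseline policy."""
    return [k for k, want in BASELINE.items() if res.config.get(k) != want]

def findings(res: Resource) -> list[str]:
    """Turn drift and data-plane checks into severity-ranked findings."""
    out = []
    for key in drift(res):  # crown-jewel stores rank higher
        sev = "HIGH" if res.holds_customer_data else "MEDIUM"
        out.append(f"{sev}: {res.name} drifted on {key} (observed {res.config.get(key)!r})")
    if res.holds_customer_data and res.config.get("public_access"):
        out.append(f"CRITICAL: {res.name} exposes customer data to the external world")
    for tp in res.third_parties:  # anything not on the approve list is a finding
        if tp not in APPROVED_THIRD_PARTIES:
            out.append(f"HIGH: {res.name} connected to unapproved third party {tp!r}")
    return out

def assess(inventory: list[Resource]) -> dict[str, list[str]]:
    """Run all checks; an empty list means the resource matches policy."""
    return {r.name: findings(r) for r in inventory}

INVENTORY = [  # constructed sample resources, not real systems
    Resource("customer-exports", {"public_access": True, "encrypted_at_rest": False,
                                  "logging": True}, holds_customer_data=True),
    Resource("orders-db", {"public_access": False, "encrypted_at_rest": True,
                           "logging": True}, holds_customer_data=True),
    Resource("crm", {"public_access": False, "encrypted_at_rest": True, "logging": False},
             third_parties=["crm-sync", "unknown-marketing-plugin"]),
]

if __name__ == "__main__":
    for name, issues in assess(INVENTORY).items():
        print(name, "OK" if not issues else "\n  " + "\n  ".join(issues))
```

Feeding the findings into a ticketing system, as the Control Plane list suggests, is then a matter of opening one ticket per non-empty list.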

In summary, addressing the problem of cloud security does not need to be complicated: it requires protecting our users from compromise, continuously assessing the security and compliance posture of our cloud services, and ensuring our SaaS applications are correctly configured to protect the data they process and store.

Dhara Mishra

Join our 10th Anniversary at B2B Global Conference on 25th of October at Parramatta | Up to 50 exhibitors | 10 plus sponsors | 200+ Attendees

1 year

Paul, thanks for sharing!

Sean Coady

ANZ Sales @ Qualys | Sales and Channel Strategy

2 years

Paul, RE: "encryption where possible". Encryption is useful but also comes at a cost. 1. CPU. 2. Can be stolen outright (and later cracked or held to ransom) or locked (data stays in the environment but is double encrypted). In most cases, it isn't a modern design principle when securing data. Replacing any data source with a token that has data integrity allows an organisation to focus on ensuring the "who has access" as any unauthorized users would be stealing the tokenized data (not important). With that being said, knowing what your crown jewels are is a fundamental practice. My observation is that most organisations are approaching this with tools that scan against known applications and databases. Where they struggle is the dark corners where data still resides but falls outside of corporate data governance. I still struggle to understand what is the point of data classification on just data you know to be held when most organisations have 20-30% of data held through shadow IT, replicated DB, and old and not retired test platforms. Even incorrectly disposed hard drives have been found in 2022.

More articles by Paul Friend, MBA