In a recent survey, 84% of organizations reported finding it difficult to maintain security configurations across their cloud services. Organizations across industries are struggling to protect their valuable information, in part because they don’t understand the extent of security measures built-in to cloud platforms. As a result, Gartner predicts that 95% of all cloud security failures (through 2020) will be primarily the customer’s fault.
An easy way to uncover vulnerabilities in cloud security is to create and maintain a cloud security policy. Regularly updating your cloud security policy – or creating one if none exists at your company – can provide insight into where your cloud security systems aren’t protecting your data sufficiently or identify where your configurations need to be updated.
Whether you’re starting from scratch or simply looking to update your existing strategy, here are some suggestions for updating your cloud security strategy.
What goes into a cloud security policy?
This type of policy is one of those cloud security basics that many organizations overlook in the process of installing tools and platforms to protect valuable information. It’s not enough to simply install a firewall and VPN; cloud security policies set forth guidelines and restrictions for users on cloud and SaaS programs to ensure the security and privacy of company-owned and customer data.
A cloud security policy is a living document that reflects the business’s unique combination of systems, configurations, cloud tools, and requirements for running operations smoothly and securely. It should lay out the company’s long-term objectives related to security and risk tolerance. Generally speaking, a cloud security policy will cover:
- Industry-wide or standard regulatory compliance requirements, as well as the current compliance status;
- An architectural assessment of the current cloud systems and what is technically feasible to design, implement, and enforce;
- Organizational culture and preferences – such as any policies around remote work, working with contractors, or BYOD rules;
- Industry best practices;
- An outline of stakeholders responsible for addressing different cloud security risks and outcomes.
Developing a cloud security policy is a coordinated effort from your business’s developers, IT security team, and management. A cloud security policy must clarify roles and responsibilities related to cloud security: who is in charge of provisioning user credentials? What is the approval process for adding new features to your cloud platforms? Who is in charge of updating software for your cloud security tools? Make sure these are all addressed from the start to prevent vulnerabilities from growing over time.
Steps to updating your cloud security policy
Formulating a cloud security policy for your organization helps guide employees, contractors, and other users who might be working on shared platforms like Google Drive and Slack. By going through these steps, you can identify where there might be vulnerabilities in the tools and platforms you have installed to prevent cyber attacks. It’s also a great way to mitigate the risk of insider threat.
1. Update governance and compliance processes
Review your organization’s security, privacy, and compliance policies to make sure they’re reflective of your current working environment. Since the beginning of 2020, many companies have shifted to remote work, making quick adjustments to enable employees to work from home. Many of those solutions were short-term; remote work, however, appears to be here to stay. Your cloud security policy should recognize this new paradigm and incorporate long-term security solutions for those working remotely.
As Deloitte notes, there’s also a fair amount of uncertainty around new compliance regulations. “Amid regulatory and political uncertainty, compliance leaders must consider changing requirements and supervisory priorities, reporting mandates, stimulus packages, new guidance, and more,” said the report. Review the latest COVID-19 relief bill to see if there are any regulatory changes that may impact your cloud security configurations.
2. Check for updates to cloud partner security practices
As part of your cloud policy update, assign a team member to do the due diligence of reviewing any existing or new cloud vendor security practices. In early 2020, for instance, Google tested a new feature that allowed users to share folders in shared drives. This meant that users could let Google Drive managers give access to specific folders, providing an added layer of control to data sharing. Google Drive also became Google Workspace, an update that brought a slew of new security measures across Google’s suite of products. Update your cloud security policy to incorporate these big updates and factor in how changes to your cloud services may leave some areas open to attack.
3. Review user access
The start of the year is also the perfect time to review who has access to your cloud platforms. Establish clear roles and protocols around user account access, down to the application level. Make sure there’s a procedure in place for specifying how access is logged and reviewed.
Take the time to go through and make sure only those who need access to your cloud platforms still have it. Remove users who no longer work with your organization. Change permissions where necessary. Make this process part of your cloud security best practices and regularly review provisioning to align with the principle of least privilege.
4. Layer your security
Security within your cloud platforms is imperative, but that’s not the only area your cloud security policy needs to consider. Your IT team also needs to think of data moving in and out of the cloud. How can you cover the security of your connection using SSL, VPNs, data encryption, and network monitoring?
In addition to cloud DLP solutions, add new layers of security in the form of network, endpoint, and storage data loss prevention. Use your cloud security policy to outline how these tools will work together to form a holistic data protection strategy.
5. Brief users on new threats
External threats are on the rise and constantly evolving in light of the pandemic. In fact, 91% of businesses reported an increase in cyberattacks during the coronavirus outbreak. Ransomware and advanced phishing attacks target employees who are unaware of the risk. Reliance on remote work also adds new devices into the mix, bringing new opportunities for hackers to get into your network to steal data.
Your cloud security policy should include training for your non-IT employees who may not know best practices for sharing information on the cloud. It should also provision for a failsafe like Nightfall, a cloud-native DLP platform that monitors for data leaks before they happen. Nightfall is able to discover, classify and protect messages that contain sensitive information, such as API keys or personally identifiable information (PII). It also gives you the power to set custom actions to prevent the data from leaking outside the organization. Nightfall’s machine learning trained detectors work in the background, automatically alerting users when they share sensitive data across your cloud applications.
6. Schedule audits throughout the year
You should make time throughout the year to regularly check your configuration, review your policies, and upgrade your tools to remain ahead of the latest threats. Make sure you delegate this task to a specific person or department.
A cloud security policy works best when married with the right cloud data loss prevention tools. Schedule a demo to see how Nightfall integrates with Slack, GitHub and Google Drive to identify, classify, and protect the data you need to keep secure. Save your business time and energy with Nightfall’s AI, which can detect 100+ types of sensitive data: from addresses and names to passwords, and credit card numbers. Nightfall can provide the first, automated layer of defense against data leakage in your cloud portfolio, and works as a building block to upholding your DLP policies.