Cloud Data Security’s “New Normal”

The team at Computer Futures recently organised our second online Tokyo Cyber Security Meet-up, welcoming Doug Neuman, co-founder of this meet-up community, as our guest speaker. Neuman gave us some interesting insights surrounding the topic, ’Data in the cloud: What you need to successfully migrate and manage your data in the public cloud (AWS, GCP, Azure)’ followed by an engaging Q&A session.

You can see the full recording and a summary from the session below.

Want to know a little more about what was discussed? Look below.

 

What has changed from a Security Standpoint?

The current security model is no longer working in many aspects. For example, with the switch to remote working, perimeter security is irrelevant. The same thing can be said for any endpoint protections as people access data from many different devices, such as smartphones, tablets, or other IoT devices. Application security isn’t going away, but it is changing – as more data goes into the cloud, different controls will be needed. So the primary security investments should be in cloud security, identity and access, and data security. 

 

Types of the Cloud

There are three main cloud services in the market (as introduced below), and the key difference among them is where the data is stored. Wherever the data is, access can be given through many avenues, including web browsers, desktop applications, mobile applications, and so on.

  • IaaS (Onfrastructure as a Service)

Companies offering IaaS services include AWS, Microsoft Azure, Google Cloud, and IBM Cloud.

Service offering: Cloud infrastructure

Pros: scalable and therefore cost is manageable. Also, companies can have control over the software and hardware.

Cons: companies are responsible for the security

 

  • Paas (Platform as a Service)

Companies offering PaaS services are very similar to IaaS providers, including AWS, Microsoft Azure, Google Cloud and IBM Cloud.

Service offering: Cloud-based platform services that provide developers with a framework where they can use to build customs applications upon.

Pros: easy to build applications without the purchase of hardware or setup of common software stacks.

Cons: dependent on the provider infrastructure. So, if it goes down, your app goes down.

 

  • Saas (Software as a Service)

Companies offering IaaS services include Dropbox, Salesforce, Netflix, and Facebook.

Service offering: Cloud-based software hosted online. It’s available for purchase on a subscription basis.

Pros: quick and easy access to functionality without having to install or manage software.

Cons: relying on the third party to secure your data.

 

Interestingly, there’s a layer to all of these services. For example, Netflix is a SaaS service for customers but at the same time one of the biggest users of AWS’s IaaS service.

 

How does cloud change data?

You may have heard the popular saying that “data is the new oil”. This highlights just how important good data is for companies to build successful businesses.

One of the biggest changes in the data that has been seen in recent years is volume. Previously, BYOD (Bring Your Own Device), SaaS, and remote work made data much more widespread in terms of location. But this does not necessarily mean the amount of data increases - this is more about the same data being accessible from multiple platforms. In comparison, today we are creating more data than ever before as there is so much storage room in the cloud. On average, every second we produce data that is equivalent to a floppy disc (1.7MB). Every time you send a message on your mobile phone or post photos on social media, you are creating data.

It’s also becoming increasingly common for business partners to share data in the cloud. However, the question is,  do we know how the partners take care of data? Sharing data means sharing responsibility - especially when the data breach happens. But according to the recent survey conducted by Oracle and KPGM, only 8% of the respondents understand the cloud security shared responsibility model for all types of cloud services. Still, cloud usage will only increase in the future, and it will be even more important to understand how we are responsible for our data in the cloud.

 

What do we need do to in the future?

Traditional data security systems such as McFee or Symantec are never made for the volume of data we are creating today. Previously, all we had to secure the corporate perimeter, but today, as we move to the cloud, we need to secure all our IT assets. And in the future, we must secure the data itself.

There are new solutions such as CSPM (Cloud Security Posture Management) that automatically assess your cloud environment against best practice and compliance standards and CASB (Cloud Access Security Brokers) that are on-premises, or cloud-based security policy enforcement point. Implementing these solutions will help strengthen the security, but there are five big questions to ask in order to protect your data and that’s where OpenRaven is now working on to offer solutions:

 

  • Do you know where your data resides in the cloud?

To answer this, you need to proactively locate data. Now, data are used by many different teams and departments, so it must involve everyone’s awareness.

  • Do you know which data is sensitive?

Because there is so much data, it’s impossible to handle all of them. Therefore, data classification is necessary to identify which data you should protect.

  • Do you know if any sensitive data is exposed at risk

Constant monitoring and looking for incidents will be required.

  • Would you know if it left your environment?
  • Could you stop it?

You need to be prepared for when your data leaks – is there a way to find this out and anything you can do to stop this?

 

Questions from the audience

Q: What advice would you give to an organization with a hybrid environment or environment that is moving to the cloud?

A: When organisations migrate their data to the cloud, I often see they throw all the data into the cloud. But I highly recommend classifying the data first to get a better understanding of them.

Another important thing is you must talk to the teams and know their needs. A team effort will be required to avoid shadow IT and successful cloud migration.

 

Q: What are the major vulnerabilities present during a cloud migration? Which of these are more prevalent in the Japanese context?

A: Even before you start thinking about data migration, you need to understand what your cloud provider can provide you from a security standpoint and what is their responsibility, as well as your responsibility.

 

Q: In your opinion, is there less visibility into Japanese data breaches because they don’t announce them as they don’t have GDPR or are Japanese companies simply targeted less?

A: I think Japanese firms are as much targeted as ones in other countries, but they just don’t talk about it. Generally, Japan market lacks security knowledge and that is part of why we do Cyber Security Meetup to increase people’s awareness about security.

 

Get in touch with us

We appreciate the valuable session Doug Neuman delivered again and we’re looking forward to having another opportunity. As an expert in tech careers, we are passionate about building niche, local and open-to-anyone community of tech professionals through online events. If you’re interested in our future events to widen your network and knowledge, please sign up here. You can see our latest job opportunities here to see what is available for your future. Feel free to contact us for more industry insights or discuss your recruitment needs.