A recent survey by BetterCloud finds that, on average, enterprises are using 80 separate third-party cloud applications to collaborate, communicate, develop, manage contracts and HR functions, authorize signatures and otherwise support business functions that process and store sensitive data. These types of apps are referred to as SaaS (software as a service).
Organizations are also spinning up applications and entire businesses on public platforms (PaaS, or platform as a service) and infrastructures (IaaS, or infrastructure as a service). In 2020, 76% of enterprises ran their applications on Amazon Web Services (AWS) and 63% ran apps on Microsoft Azure.
These public cloud services are all necessary and productive, and even hold promise of a more secure environment than traditional data centers, says Michael Johnson, advisor to and former CISO of Capital One. However, they also bring unique risks to sensitive data being processed and stored in these clouds, and most of those risks are caused by customer error in the setup and management of those services.
Johnson guided Capital One through a public incident in 2019 that exposed 80 million personal records. In it, the attacker took advantage of a poorly configured third-party cloud environment. Thanks to a strong response plan, transparency with the board and executive team, and pre-existing relationships with law enforcement, Johnson and his team contained the breach and helped get the data thief arrested quickly, before any data was exploited.
Having a response plan that addresses the risks of placing sensitive data in the cloud should be part of any cloud security policy. To start on data protection policies for public cloud usage, it’s important to know how data from public third-party cloud services can be exposed or stolen.