On movie screens across the globe, Batman battles Superman out of fear of reckless power left ungoverned. Just as Superman draws his power from the sun, the cloud imbues organisations with remarkable power and flexibility. Yet with great power comes great responsibility. Organisations must wield it effectively and protect users and their data, lest shadow IT creep in and hackers strike. Such risks have given birth to data protection regulations across Asia, from Singapore’s and Taiwan’s PDPA to Hong Kong’s PDPO.
The double-edged blade of cloud adoption
The demanding business landscape requires organisations to stay nimble, and cloud adoption in Asia is part of that strategy. Today, 72% of organisations have at least one application, or a portion of their computing infrastructure, in the cloud, up from 61% in 2013. And why not – cloud services like Salesforce, Google Drive, and Office 365 offer cost savings, scalability, resiliency, and accessibility.
But there is a dark side to the cloud: organisations risk losing control. Unsanctioned use of SaaS can and will expose valuable or sensitive data to the wrong parties. Attackers no longer need to break through the layered defences organisations deploy; they need only gain access to the cloud account. Like a tidal wave, large-scale, high-profile attacks and leaks have disclosed names, addresses, credit card numbers and more to the world. Ransomware is a very real threat that has evolved to target cloud services.
Regulations are our safety checks, meant to ensure proper infrastructure and protocols. As an organisation, how do you remain the superhero rather than live long enough to see yourself become the villain?
1. Ensure data sovereignty
Information can be stored in the cloud yet never really leave the organisation. It’s the best of both worlds. How? Tokenisation and encryption. With tokenisation, only a representation of the data (a token) is kept in the cloud, while the real data stays on company premises. Correctly implemented, it has no impact on users or performance, and data sovereignty is maintained. The beauty is that it matters not where, or in how many data centres, the tokens are replicated: the actual, identifiable content, whether personal information, a credit card number or other sensitive material, can only be resolved by referring back to the organisation.
2. Ensure visibility
Superman can’t protect Metropolis blind. Similarly, you need to know exactly which cloud services your users are accessing. Proper visibility and policies are your first step to proactively safeguarding against unauthorised usage and social engineering. Picture a scenario where a hacker tries to brute-force a cloud account, or there are login attempts from multiple countries: with visibility, alerts would be triggered easily. Anomalous behaviour such as huge downloads, or attempts to encrypt a large number of files, could signify an attempt to steal data or ransomware at work.
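As an added illustration (not code from the article or from any particular CASB product), the following Python sketch shows how the alerts described above can be derived from a cloud audit feed: each rule looks back over a per-user time window of events. The log format, rule names and thresholds are all assumptions made for the example, and the sample feed is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# One audit record; kind is "login", "download" or "file.modify", outcome "success"/"failure".
Event = NamedTuple("Event", [("ts", datetime), ("user", str), ("kind", str),
                             ("country", str), ("nbytes", int), ("outcome", str)])

# Each rule: (alert name, look-back window, predicate over that window's events).
# Names and thresholds are illustrative assumptions, not values from the article.
RULES = [
    ("possible brute force", timedelta(minutes=5),
     lambda w: sum(e.kind == "login" and e.outcome == "failure" for e in w) >= 5),
    ("logins from multiple countries", timedelta(hours=1),
     lambda w: len({e.country for e in w if e.kind == "login" and e.outcome == "success"}) >= 2),
    ("bulk download", timedelta(hours=1),
     lambda w: sum(e.nbytes for e in w if e.kind == "download") >= 1_000_000_000),
    ("mass file modification (possible ransomware)", timedelta(minutes=1),
     lambda w: sum(e.kind == "file.modify" for e in w) >= 20),
]

def parse(line):
    """Parse one constructed audit line: ISO timestamp,user,kind,country,bytes,outcome."""
    ts, user, kind, country, nbytes, outcome = line.split(",")
    return Event(datetime.fromisoformat(ts), user, kind, country, int(nbytes), outcome)

def detect(lines):
    """Evaluate every rule over a per-user sliding window; return sorted (user, alert) pairs."""
    by_user = defaultdict(list)
    for ev in sorted(map(parse, lines)):
        by_user[ev.user].append(ev)
    alerts = set()
    for user, evs in by_user.items():
        for i, current in enumerate(evs):
            for name, span, fires in RULES:
                window = [e for e in evs[: i + 1] if current.ts - e.ts <= span]
                if fires(window):
                    alerts.add((user, name))
    return sorted(alerts)

# Constructed sample feed (not real data): alice fails login five times, bob logs in from two
# countries within 15 minutes, carol pulls 1.3 GB, dave modifies 30 files in 30 seconds.
SAMPLE_LINES = (
    ["2016-04-01T09:00:%02d,alice,login,SG,0,failure" % s for s in (5, 9, 14, 20, 27)]
    + ["2016-04-01T09:10:00,bob,login,HK,0,success",
       "2016-04-01T09:25:00,bob,login,TW,0,success",
       "2016-04-01T10:00:00,carol,download,SG,600000000,success",
       "2016-04-01T10:05:00,carol,download,SG,700000000,success"]
    + ["2016-04-01T11:00:%02d,dave,file.modify,SG,1024,success" % s for s in range(30)]
)
```

Running `detect(SAMPLE_LINES)` yields one alert per sample user; in practice the same rules would be fed from the CASB's or cloud provider's audit API rather than a static list.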
3. Ensure data protection
Accidental breaches are one of the main causes of information leakage. Companies are shamed when private data is found to have been unwittingly shared. The main reason this happens? The cloud makes it almost too easy to share files: within two clicks, data can be set to “share with everyone”. Hence we need to go beyond traditional Data Loss Protection strategies, adequately classify data stored in the cloud by what can and cannot be shared, and put mechanisms in place to ensure the policy is enforced.
The Wonder Woman of this story is the Cloud Access Security Broker (CASB). Independent of your cloud service providers, a CASB mitigates the risk of shadow cloud applications while enabling the secure use of sanctioned applications across your organisation. Be the superhero: arm yourself with the right tools in your cloud adoption strategy, and data protection regulations will become mere fences your company easily soars over.