As a kid, I remember being proud of the stamps in my passport so I could show my grandparents which countries I had visited. Nowadays, there are only a few countries that even issue stamps for a passport. Going from country to country has been made easy.

When you (as an organization or an individual) put data into the cloud, you know that you are handing it over to a provider who may have data centers in many places, countries or even continents. These days, most people understand that storing data in the cloud means that your data needs to be physically stored on a device somewhere, though it is accessible anywhere. What most people don’t realize is where their data is going, where it travels through and where it is heading next.

Data Travels in the Cloud

As your cloud data traverses the world, it would be nice if you knew where it went. Governments are increasingly demanding that organizations can verify where the data they upload to the cloud goes. They are holding the uploaders accountable — in some cases even penalizing them if data passes certain borders unexpectedly or without permission.

For a regular customer using a cloud-based application, it is not easy to understand where the data you are accessing is really stored. The application or platform provider may be based in London, but the servers might be in Amsterdam, the U.S. or the Far East. Your data may reside in a data center in the U.K. today but be moved to Bangalore as part of an optimization process tomorrow.

And what about those cloud and mobile applications that you never authorized? Thanks to transformations in cloud and mobile, employees can sign up for new digital services with only a few clicks. Some of these tools and cloud-based technologies give employees immediate access to the productivity and collaboration they need to do their jobs much more efficiently than established or authorized apps allow. It’s the way people now want to work.

Whether it’s allowed by employers or not, they’re still going to use outside tools and upload company data to them. In a recent study, it was discovered that 1 in 3 employees at Fortune 1000 companies share and upload corporate data on third-party cloud apps.

Approaches to Data Protection

Organizations realize they need to deal with this challenge, and we see two possible starting points.

1. Legal/Procedural Approach

During the formal acquisition process for a new cloud, mobile or software-as-a-service (SaaS) provider, organizations may have to go through a step in which they involve the legal department to ask a series of questions related to business risk, data privacy and compliance. The legal team may have a checklist and can ask the cloud vendor to document the flow of the data. They may even require specific legal contracts such as EU model clauses to be put in place to govern data privacy requirements as per individual country laws.

This approach works well in situations where authorization of the use of cloud apps and services is formally requested. However, the reality is that many cloud and SaaS applications are activated by employees without prior authorization from the employer. Furthermore, the setup of the cloud provider may change. How do you ensure your organization is on top of this so-called shadow IT, and how do you deal with changes over time?

2. Network/Security Approach

Your organization may have already deployed technologies capable of analyzing network traffic such as Web application firewalls (WAF), intrusion detection solutions (IDS) or intrusion prevention systems (IPS). If these technologies cover the entire enterprise network, they can provide a good starting point for analyzing the extent of unauthorized use. If such technologies only cover part of the network, ask if there is appetite to make further capital investments in network hardware or if it is more efficient to consider SaaS to support the automated detection phase.

Organizations should integrate their legal/procedural approach with their network/security approach to gain the appropriate insight into the risk and mitigation associated with cloud security.

Ask the Right Questions

Related to cloud security governance, organizations should ask themselves the following questions:

  • What SaaS, cloud and mobile applications do your employees use?
  • Can you leverage existing technology for inspecting network traffic? Is there an opportunity to introduce automated discovery technology that can help discover authorized and unauthorized SaaS use and country-level data flows?
  • Have you made an inventory of the specific risks associated with cloud, SaaS and mobile for your organization? Did you design specific business controls to mitigate the risks related to cloud security?
  • Do you require the business owners of SaaS, cloud and mobile applications to comply with a cloud security governance process that checks against a series of business controls?

It all comes down to your appetite for taking risks. Organizations should design their cloud security governance process based on their own profile and policy, the requirements of the industry and geography they operate in and their own specific preferences.

More from Cloud Security

Risk, reward and reality: Has enterprise perception of the public cloud changed?

4 min read - Public clouds now form the bulk of enterprise IT environments. According to 2024 Statista data, 73% of enterprises use a hybrid cloud model, 14% use multiple public clouds and 10% use a single public cloud solution. Multiple and single private clouds make up the remaining 3%.With enterprises historically reticent to adopt public clouds, adoption data seems to indicate a shift in perception. Perhaps enterprise efforts have finally moved away from reducing risk to prioritizing the potential rewards of public cloud…

AI-driven compliance: The key to cloud security

3 min read - The growth of cloud computing continues unabated, but it has also created security challenges. The acceleration of cloud adoption has created greater complexity, with limited cloud technical expertise available in the market, an explosion in connected and Internet of Things (IoT) devices and a growing need for multi-cloud environments. When organizations migrate to the cloud, there is a likelihood of data security problems given that many applications are not secure by design. When these applications migrate to cloud-native systems, mistakes in configuration…

New cybersecurity sheets from CISA and NSA: An overview

4 min read - The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have recently released new CSI (Cybersecurity Information) sheets aimed at providing information and guidelines to organizations on how to effectively secure their cloud environments.This new release includes a total of five CSI sheets, covering various aspects of cloud security such as threat mitigation, identity and access management, network security and more. Here's our overview of the new CSI sheets, what they address and the key takeaways from each.Implementing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today