As a kid, I remember being proud of the stamps in my passport so I could show my grandparents which countries I had visited. Nowadays, there are only a few countries that even issue stamps for a passport. Going from country to country has been made easy.

When you (as an organization or an individual) put data into the cloud, you know that you are handing it over to a provider who may have data centers in many places, countries or even continents. These days, most people understand that storing data in the cloud means that your data needs to be physically stored on a device somewhere, though it is accessible anywhere. What most people don’t realize is where their data is going, where it travels through and where it is heading next.

Data Travels in the Cloud

As your cloud data traverses the world, it would be nice if you knew where it went. Governments are increasingly demanding that organizations be able to verify where the data they upload to the cloud goes. They are holding the uploaders accountable, in some cases even penalizing them if data passes certain borders unexpectedly or without permission.

For a regular customer using a cloud-based application, it is not easy to understand where the data you are accessing is really stored. The application or platform provider may be based in London, but the servers might be in Amsterdam, the U.S. or the Far East. Your data may reside in a data center in the U.K. today but be moved to Bangalore as part of an optimization process tomorrow.

And what about those cloud and mobile applications that you never authorized? Thanks to transformations in cloud and mobile, employees can sign up for new digital services with only a few clicks. Some of these tools and cloud-based technologies give employees immediate access to the productivity and collaboration they need to do their jobs much more efficiently than established or authorized apps allow. It’s the way people now want to work.

Whether employers allow it or not, employees are still going to use outside tools and upload company data to them. A recent study found that 1 in 3 employees at Fortune 1000 companies share and upload corporate data on third-party cloud apps.

Approaches to Data Protection

Organizations realize they need to deal with this challenge, and we see two possible starting points.

1. Legal/Procedural Approach

During the formal acquisition process for a new cloud, mobile or software-as-a-service (SaaS) provider, organizations may have to go through a step in which they involve the legal department to ask a series of questions related to business risk, data privacy and compliance. The legal team may have a checklist and can ask the cloud vendor to document the flow of the data. They may even require specific legal contracts such as EU model clauses to be put in place to govern data privacy requirements as per individual country laws.

This approach works well in situations where authorization of the use of cloud apps and services is formally requested. However, the reality is that many cloud and SaaS applications are activated by employees without prior authorization from the employer. Furthermore, the setup of the cloud provider may change. How do you ensure your organization is on top of this so-called shadow IT, and how do you deal with changes over time?

2. Network/Security Approach

Your organization may have already deployed technologies capable of analyzing network traffic such as Web application firewalls (WAF), intrusion detection solutions (IDS) or intrusion prevention systems (IPS). If these technologies cover the entire enterprise network, they can provide a good starting point for analyzing the extent of unauthorized use. If such technologies only cover part of the network, ask if there is appetite to make further capital investments in network hardware or if it is more efficient to consider SaaS to support the automated detection phase.

Organizations should integrate their legal/procedural approach with their network/security approach to gain the appropriate insight into the risk and mitigation associated with cloud security.
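One way to combine the two approaches, shown as an added example that is not part of the original article: the register produced by the legal review (approved apps and the countries each contract permits) is checked against egress proxy records to surface unapproved apps and approved apps sending data to an unexpected country. The log columns, the `dest_country` enrichment field, the domain names and the register contents are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed register, as the legal/procedural review might produce it:
# approved SaaS domain -> countries where the contract permits the data to go.
APPROVED = {
    "files.sanctioned-saas.example": {"GB", "NL"},
    "crm.sanctioned-saas.example": {"GB"},
}

# Constructed egress proxy log. The column layout and the dest_country field
# (assumed to be added by GeoIP enrichment at the proxy) are assumptions.
SAMPLE_LOG = """user,method,host,dest_country,bytes_out
alice,POST,files.sanctioned-saas.example,NL,52000
bob,PUT,files.sanctioned-saas.example,IN,910000
carol,POST,notes.unvetted-app.example,US,120000
carol,GET,notes.unvetted-app.example,US,300
dave,POST,crm.sanctioned-saas.example,GB,4000
alice,POST,notes.unvetted-app.example,US,80000
"""

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

def review_uploads(log_text, approved):
    """Return findings for uploads that the approved-app register does not cover."""
    totals = defaultdict(lambda: {"bytes": 0, "users": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["method"].upper() not in UPLOAD_METHODS:
            continue  # only requests that send data out are of interest
        key = (row["host"].lower(), row["dest_country"].upper())
        totals[key]["bytes"] += int(row["bytes_out"])
        totals[key]["users"].add(row["user"])

    findings = []
    for (host, country), agg in sorted(totals.items()):
        if host not in approved:
            reason = "unapproved_app"        # shadow IT: never went through review
        elif country not in approved[host]:
            reason = "unexpected_country"    # approved app, location not in contract
        else:
            continue
        findings.append({"host": host, "country": country, "reason": reason,
                         "bytes": agg["bytes"], "users": sorted(agg["users"])})
    return findings

if __name__ == "__main__":
    for finding in review_uploads(SAMPLE_LOG, APPROVED):
        print(finding)
```

The country seen on the wire is where the connection terminates, not necessarily where the provider stores the data, so each finding is a prompt for the legal review rather than proof of residency.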

Ask the Right Questions

Related to cloud security governance, organizations should ask themselves the following questions:

  • What SaaS, cloud and mobile applications do your employees use?
  • Can you leverage existing technology for inspecting network traffic? Is there an opportunity to introduce automated discovery technology that can help discover authorized and unauthorized SaaS use and country-level data flows?
  • Have you made an inventory of the specific risks associated with cloud, SaaS and mobile for your organization? Did you design specific business controls to mitigate the risks related to cloud security?
  • Do you require the business owners of SaaS, cloud and mobile applications to comply with a cloud security governance process that checks against a series of business controls?

It all comes down to your appetite for taking risks. Organizations should design their cloud security governance process based on their own profile and policy, the requirements of the industry and geography they operate in and their own specific preferences.
