As someone who spends his professional life worrying about data security, these days I find myself both ecstatic and also a little bit concerned about how rapidly so many enterprises are moving their information technology into the cloud.
With the outbreak of COVID-19, the math has changed, and many industries have looked for solutions they can implement quickly to make them more agile while also saving on costs.
Microsoft CEO Satya Nadella rightly observes that the situation has compressed 2 years of digital transformation into 2 months.
With the change in financial outlooks, migration to the cloud has been one of the prime strategies that companies have identified as fulfilling both cost savings and agility goals.
Don’t get me wrong: Cloud migration is a wonderful business decision with tremendous upside for all industries and companies. With all the potential for good, however, there are still security concerns that must be addressed but often aren’t.
What this means for insurance
For insurance companies, the upside of cloud migration is pretty straightforward: They save a good deal of money and gain more flexibility. With cloud options, companies no longer need to purchase a solution and then go through the weeks- to months-long process of integrating new software to gain the functionality they were after. Organizations simply sign up, get a connection, and immediately start benefiting from the cloud service.
But along with these tremendous upsides, insurance companies also gain new security concerns from cloud environments because they process and store tremendous amounts of sensitive consumer data and personally identifiable information (PII) such as Social Security numbers, bank account numbers, dates of birth and payment card numbers. This makes insurers particularly attractive targets for cyber attackers.
According to industry analysts, hackers are increasingly targeting insurance companies with the aim of stealing customer information to use for ransomware, insurance fraud and other criminal purposes. With the complexity of insurance companies’ IT infrastructure increasing due to the cloud, insurance companies become more lucrative targets as they open new threat vectors from the cloud.
No company is 100% homogenous in how it works with data. Teams in various parts of the same organization tend to use systems that contain and store different types of data. This data may be stored in dozens of diverse databases, each needing to be secured. When a company migrates these to the cloud, it not only has to deal with traditional data security concerns, it must also manage protecting the data in a completely new cloud environment. In the rush to reap the great benefits of cloud migration, many overlook the new security concerns that come with it and are wholly unprepared for the new challenges.
The biggest mistake made by companies that lack experience managing data in the cloud is to assume that their cloud service providers are taking care of the security for them. Organizations mistakenly believe that their providers have visibility and oversight over how their sensitive data is being protected, but this is not the case.
Cloud security failures
Gartner reports that through 2022, at least 95% of cloud security failures are predicted to be the customer’s fault. With this in mind, the most important step a company can take to avoid becoming part of this statistic is to understand what its responsibilities are for the data before migrating it to the cloud.
Cloud providers are responsible for ensuring that their service continues to work as usual and that there are no vulnerabilities that threaten the overall product. But companies are responsible for the security of their individual accounts. Many companies nonetheless overlook the need to set strong passwords, authenticate users, manage user privileges, and even encrypt the data, believing that somehow their cloud provider is doing all of this for them.
Once a company knows what its responsibilities are regarding security, it can take a few paths to get there. The first is to assign someone on your IT security team (or a group within it, depending on the size of the organization) the responsibility for ensuring your data is configured properly. This would give teams a point person responsible for security during the migration with no additional overhead for the company, ensuring your company’s security controls are extended to the cloud and that your service provider’s security system can support them.
The second option is to bring in a third-party service that enables you to monitor risk and automatically fix some security issues. While this option would cost additional resources, it’s a great option if your security team lacks the bandwidth or institutional knowledge to handle a cloud environment, and is certainly better than no security.
The cloud has so many amazing uses, and industries across the board can benefit from implementing cloud solutions. But it’s also important to know the flip side of the coin. Without the proper controls in place, cloud solutions can expose sensitive data to opportunistic hackers. Costly mistakes happen when companies move too quickly and don’t address critical security issues up front, and ultimately it does not matter how much money you save migrating to the cloud if you’re compelled to pay for costly breaches later on.
Ron Bennatan is general manager of Data Security at Imperva, a cybersecurity provider whose mission is to protect data and all paths to it. These opinions are his own.