Are You Using “Test” Data in the Cloud?

Yes, you read that correctly. The word test is in quotation marks, as in “is it really test data that you have in the vendor’s cloud?”. Astonishingly enough, at least 85% of financial institutions are using live data in their test environments [1]. Could this be you and are you protecting your organization against a data breach effectively?

When a cloud technology vendor makes an offhand remark like, “yeah, we can create a test environment for you and load your test data into the cloud while we work through a Non-Disclosure or Proof of Concept agreement with your legal team”, be afraid. Be very afraid.

Now, I’m not knocking the technology vendors. In fact, to them this is a natural part of the engagement. What you have to be aware of is whether your company’s test data is truly “test data” or not. For example, if you’re in the financial or healthcare sectors where a data breach could expose Personal Health Information (PHI) or Personally Identifiable Information (PII), you should understand your test data thoroughly.

Once you understand your test data, think about putting together a more robust agreement with the vendor besides a Non-Disclosure or Proof of Concept agreement. Non-Disclosure and Proof of Concept agreements typically do not contain the language to protect your company against a data breach. A Master Services Agreement or Subscription Services Agreement should be reviewed by your legal or contracts team to determine if your company will be protected while using the vendor’s cloud if there is a breach with regard to the test data.

Karen Hsu of Informatica explains that “because data stored in a cloud-based ‘sandbox’ environment for testing purposes is vulnerable, it should be masked to protect sensitive information” [2]. She recommends using an automated masking tool to assist with the protection of your data. Regardless of what tools you use, your “test” data should be understood before loading any of it into a vendor’s cloud environment.
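One way to check a “test” extract before it leaves your environment, as an added example that is not from the original post or from any vendor's masking tool: it flags cells shaped like Social Security numbers or Luhn-valid card numbers and replaces their digits with keyed, format-preserving pseudonyms. The sample rows, column names and key are constructed for illustration.

```python
import csv, hashlib, hmac, io, re

# Constructed sample rows, not real data. Column names are assumptions.
SAMPLE_CSV = """id,name,ssn,card
1,Test User,123-45-6789,4111111111111111
2,Jane Roe,078-05-1120,1234567890123456
"""

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")

def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(value):
    """Return 'ssn', 'card' or None for a single cell."""
    if SSN_RE.match(value):
        return "ssn"
    if CARD_RE.match(value) and luhn_ok(value):
        return "card"
    return None

def mask(value, key):
    """Replace each digit with one derived from HMAC-SHA256(key, value).
    Separators and length are kept, and equal inputs map to equal outputs,
    so joins across tables still work. Masked cards will usually fail Luhn.
    The key must stay inside your environment, never with the vendor."""
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    stream = iter(str(int(digest, 16)))
    return "".join(next(stream) if c.isdigit() else c for c in value)

def scan_and_mask(text, key):
    """Return ({column: count of live-looking values}, masked rows)."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = {}
    for row in rows:
        for col, val in row.items():
            if isinstance(val, str) and classify(val):
                findings[col] = findings.get(col, 0) + 1
                row[col] = mask(val, key)
    return findings, rows

if __name__ == "__main__":
    found, masked = scan_and_mask(SAMPLE_CSV, b"constructed-demo-key")
    print("columns with live-looking values:", found)
```

A non-empty findings result on a dataset labelled “test” is the signal to stop and ask where the data came from before any of it is loaded into a vendor's cloud.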

References:

[1] Dark Reading News. (2010, March). Live Data In Test Environments Is Alive And Well — And Dangerous. Retrieved from http://www.darkreading.com/risk/live-data-in-test-environments-is-alive-and-well—-and-dangerous/d/d-id/1133220?

[2] Hsu, Karen. (2013, March). Masking Test Data in the Cloud. Retrieved from http://www.bankinfosecurity.com/interviews/masking-test-data-in-cloud-i-1822

Preventing a Cloud Data Breach

Many of you reading this have not (thankfully) experienced a cloud data breach with your technology vendors. However, the risk of a cloud data breach is always at the forefront as more businesses embrace cloud technology.

What are the chances that your organization could have a cloud data breach? According to research performed by the Ponemon Institute, most companies will have small data breaches rather than large data breaches [1]. Does this mean you can breathe easy? Not so fast. For those of you in the retail and public sectors, your likelihood of experiencing a data breach is higher than for those of you in the transportation, communications or even financial sectors [1]. However, each sector is impacted, and the average cost of managing a data breach per organization is approximately $5.9 million, with the average cost per breached record at $201 [1]. 41% of the respondents surveyed in the Ponemon Institute’s research said that malicious or criminal attacks were responsible for their data breach and 31% said that employee negligence was the root cause [1].

With those facts in mind, how do you prevent a cloud data breach? The Ponemon Institute’s research states that “the most profitable investments companies can make seem to be an incident response plan, a strong security posture, the involvement of business continuity management and the appointment of a CISO with enterprise-wide responsibility” [1]. In addition to this, asking potential (and current) vendors about their cloud technology is also key. A nice article written by Julie Lopez focuses on the right questions businesses should ask their technology vendors. Her article mainly focuses on health care, but makes a lot of great points regarding vendor management that everyone should read. Speed to market is critical these days and cloud technology gives organizations this benefit. However, this speed-to-market mentality must be tempered with a sound risk mitigation strategy in order to reduce the chances of a costly data breach.

References

[1] Ponemon Institute. (2014, May). 2014 Cost of Data Breach Study: United States. Retrieved from http://essextec.com/sites/default/files/2014%20Cost%20of%20Data%20Breach%20Study.PDF