SAN JOSE, Calif. -- Cloud data breaches are inevitable, and a variety of attendees at the Cloud Security Alliance (CSA) Congress and International Association of Privacy Professionals' (IAPP) Privacy Academy events last week professed the importance of expecting and preparing for cloud breaches before they happen.
One of the primary points emphasized during the joint conference was the need for better data identification and classification so that enterprises can concentrate their efforts on securing the data that matters most. Tal Klein, vice president of strategy and marketing at Adallom Inc., a SaaS security company based in Palo Alto, Calif., said too many companies are moving to the cloud without doing that.
"When you're building in the cloud, you should expect a breach," Klein said. "Everything is important but the reality is, you have a finite amount of resources for security. So you have to focus on the small amount of data that really matters."
The problem, several infosec experts said, is that much of today's enterprise security technology doesn't fit with the needs of the cloud. Taher Elgamal, chief technology officer, security, at Salesforce.com, said during his keynote address that many enterprise security products are still struggling to adapt to the cloud and the implications for data ownership in off-premises environments.
"The security industry is actually lagging behind [the cloud]," Elgamal said. "We're pushing products that we built for one environment to function in a completely different environment."
Evelyn de Souza, data privacy and compliance leader at Cisco Systems Inc., agreed.
"Information security frameworks really have changed much for the cloud," she said. "Information security and cloud security are not the same thing."
To that end, de Souza, who chairs the CSA's new data governance and privacy working group, emphasized the CSA's recently introduced Cloud Data Protection Certification, which features a tiered data sensitivity model and controls to educate businesses on classifying crucial data.
"We're not saying necessarily that users should classify or identify all of the data they have, but they should at least identify the data that's most important to their business," de Souza said.
Business users are rushing to adopt cloud services, she said, but they have to change how they think about control. De Souza emphasized security technology such as identity and access management, but more important, she said, is making data classification a priority.
Krishna Narayanaswamy, founder and chief scientist at security vendor Netskope Inc. in Los Altos, Calif., said more businesses need to adopt security policies that take the value and associated risks of specific data into account.
"It is important that when you set policies," he said, "it's not just access control policies but also content-based policies."
In addition, Narayanaswamy, who spoke at the event about commonalities of cloud breaches, said businesses need to "fingerprint" that crucial data and employ cloud-aware DLP solutions that can monitor and track that data.
"You can then look for those fingerprints in the cloud transactions and prevent data leakages," he said. "Data leakage is a big issue, and it gets exacerbated with the adoption of the cloud."
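As an added illustration (not code from the article or from any vendor mentioned in it), the sketch below shows the content-based, fingerprint-driven check Narayanaswamy describes: a DLP component indexes hashed word shingles of the documents a business has classified as crucial, then inspects outbound cloud transactions for matching fingerprints. The shingle length, the block threshold and all sample documents and transactions are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

SHINGLE_WORDS = 4  # words per shingle; an assumed tuning value


def _shingles(text):
    """Normalise text and yield SHA-256 digests of overlapping word shingles."""
    words = re.findall(r"[a-z0-9@.]+", text.lower())
    for i in range(len(words) - SHINGLE_WORDS + 1):
        chunk = " ".join(words[i:i + SHINGLE_WORDS])
        yield hashlib.sha256(chunk.encode()).hexdigest()


def build_index(docs):
    """Map every shingle digest to the crucial documents that contain it.
    Only digests are stored, so a cloud-aware DLP proxy can hold the index
    without holding the raw sensitive content itself."""
    index = defaultdict(set)
    for name, text in docs.items():
        for digest in _shingles(text):
            index[digest].add(name)
    return index


def inspect(index, payload, min_hits=3):
    """Count fingerprint hits per source document in an outbound payload and
    return ('block', hits) when any document reaches min_hits, else ('allow', hits)."""
    hits = defaultdict(int)
    for digest in _shingles(payload):
        for name in index.get(digest, ()):
            hits[name] += 1
    verdict = "block" if any(n >= min_hits for n in hits.values()) else "allow"
    return verdict, dict(hits)


# Constructed sample data: two documents the business classified as crucial.
SENSITIVE_DOCS = {
    "q3-customer-export.csv": (
        "Alice Example alice@example.com account 10023 balance 4120.55 "
        "Bob Sample bob@example.com account 10024 balance 98.10"
    ),
    "merger-memo.txt": (
        "Project Falcon board memo the proposed acquisition price is 42 per share "
        "pending regulatory review in the fourth quarter"
    ),
}
INDEX = build_index(SENSITIVE_DOCS)

# Constructed transactions as a DLP proxy would see them heading to a SaaS app.
LEAK = "fyi pasting this: the proposed acquisition price is 42 per share pending regulatory review"
PARTIAL = "the proposed acquisition price looks high"
BENIGN = "reminder: the quarterly review meeting moves to thursday at 10"
```

The threshold keeps a single shared phrase from triggering a block while a pasted run of a classified document does; the same index can be applied to file uploads, chat messages or API bodies once the proxy can see the cleartext.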
But how do organizations first determine which of their data carries the most risk and/or importance, especially when it comes to private customer information?
Privacy professionals to the rescue
To identify the 10-20% of data that is most crucial, many organizations are looking to privacy professionals who specialize in managing massive amounts of private data within enterprises.
One such professional is James Koenig, global leader of Booz Allen Hamilton's commercial privacy practice, who specializes in classifying data and helping companies deal with privacy breaches. Koenig said understanding data usage, whether it's for simple marketing campaigns or complex analytics, is critical to identifying and protecting the crucial data, especially in the cloud era.
"It's no longer about writing really good privacy policies," Koenig said. "You have to look at how data is protected and how it's used. And the intersection of data usage and protection is what's bringing privacy professionals and security professionals together."
Koenig, who is also co-founder of the International Association of Privacy Professionals, said the importance of data privacy has grown in recent years and requires greater cooperation with information security departments.
"Privacy professionals aren't just for compliance postures," he said. "They're providing insight and advice on the usage models for data as well as the new technology that's available to protect it."
An attorney attending the conference on behalf of a large financial services company said her organization is looking at working with privacy experts and privacy professionals to identify the crucial data and ensure it is properly stored and protected. Though she wished to remain anonymous, she stressed the effort depended heavily on support from the company's leadership.
"I'm lucky because my organization gets it," she said, "but if you don't have C-level support, then nothing is going to happen."
The attorney also said she believes it's not a matter of "if" but "when" a business will experience a data or cloud breach.
"We haven't had a major breach yet," she said, "but we expect it to happen."
Koenig is hopeful that more organizations will look at employing privacy professionals and chief privacy officers to help with their overall information security efforts.
"At a minimum, I'd say today there's much better choreography between information security professionals and privacy professionals," Koenig said. "They're working closer together."
De Souza agreed, and said the synergy will be beneficial to enterprises. "I'm seeing an increase in privacy professionals working with infosec professionals, and it's being driven from the top down," she said. "I do think the way it's being presented here -- privacy and security as two sides of the same coin -- is absolutely right."