Maintain Control of Your Most Sensitive Content With a Private or On-Premises Cloud

Anyone who has ever manufactured and sold a product in a competitive market will attest to Benjamin Franklin’s truism, “the bitterness of poor quality remains long after the sweetness of low price is forgotten.” The desire to spend less and save more is essentially a survival instinct. In business, saving money could get you promoted. In cybersecurity, however, saving money could get you fired.

Third-party workflow threats have a common theme: a user is the actor, and a file is the agent. Complete protection requires a defense that spans the full breadth of the associated threat surface: the collective paths of all files entering and exiting your organization. A comprehensive defense entails securing, monitoring, and managing all third-party workflows, including secure email, SFTP, and secure file sharing, among others.

What's Your Data Worth?

In my last blog post, I examined how unifying access to enterprise content repositories provides an internal security checkpoint allowing you to protect your organization’s most valuable information. In this post, I’ll explain why the lure of low-cost cloud storage should be resisted when storing highly sensitive information.

What is Your Sensitive Data Worth?

If you knew your sensitive data was worth a billion dollars, would you spend a billion dollars to protect it? Is it even possible to quantify the value of your sensitive data? Perhaps it’s easier to estimate the cost of a data breach. Before you answer, consider all that goes into data breach remediation. Forensics, legal counsel, public relations, and regulatory fines are only some of the related costs. There is a lot of subjectivity in estimating a cost; however, a 2019 report projects that an average data breach costs a company approximately 3.9 million USD. For healthcare companies, the expense is almost double: 6.5 million USD. (By contrast, another report puts the average cost of a public sector data breach at 2.3 million USD.)

At these estimates, a data breach can be catastrophic for smaller companies. While larger organizations are better equipped to navigate a multimillion-dollar data breach, the longer-term damage, including class action litigation and revenue loss from consumer backlash, may prove insurmountable.

You Get What You Pay For

A low-cost public cloud storage solution may look appealing, but looks can be deceiving. To put a modern, less eloquent spin on Franklin’s axiom, “you get what you pay for.” Public cloud storage solutions are typically engineered for flexibility and functionality, rather than security or privacy. In addition, small and medium-sized businesses will outsource cloud storage management and maintenance responsibilities to a managed security service provider (MSSP) or cloud access security broker (CASB). When these third-party service providers forget to enable basic security capabilities, they expose the contents to anyone with an internet connection. Unfortunately, these misconfigurations have exposed the PII and PHI of millions of people in several high-profile breaches.

Hackers aren’t the only parties trying to access sensitive information stored on public cloud servers. The U.S. federal CLOUD Act of 2018 allows U.S. law enforcement agencies to subpoena technology companies for access to data stored on their servers, regardless of whether the data is stored in the U.S. or on foreign soil. In plain English, if your sensitive data is stored on a public cloud, it can be collected in bulk without your knowledge or approval.

Take Complete Control of Your Sensitive Data

Thankfully, businesses have several deployment options for securing their sensitive data and each one is significantly more secure than a public cloud option. With a private cloud, FedRAMP virtual private cloud, or on-premises deployment, businesses protect sensitive data like customer records, financial statements and intellectual property from unauthorized access. Critical security features and capabilities such as data encryption and encryption key ownership ensure only authorized users have access to your prized digital assets.

Managing your own system doesn’t have to be difficult or costly either. Most organizations have sufficient IT expertise to manage a private or on-premises cloud on their own and reach efficient economies of scale in a timely manner.

Now that you know the risks associated with storing your sensitive information in a public cloud, it’s time to explore the nuts and bolts of securing that data. Next time, I’ll discuss the importance of encrypting your sensitive content in transit and at rest.

To learn more about how to build a holistic defense of the third-party workflow threat surface, schedule a custom demo of Kiteworks today.

Frequently Asked Questions

Third-party risk management is a strategy that organizations implement to identify, assess, and mitigate risks associated with their interactions with third-party vendors, suppliers, or partners. These risks can range from data breaches and security threats to compliance issues and operational disruptions. The process typically involves conducting due diligence before engaging with a third party, continuously monitoring the third party’s activities and performance, and implementing controls to manage identified risks. The goal is to ensure that the third party’s actions or failures do not negatively impact the organization’s operations, reputation, or legal obligations.

Third-party risk management is crucial because it helps to identify, assess, and mitigate the risks associated with third-party relationships. This can include cybersecurity threats, compliance issues, operational risks, and reputational damage.

Policy controls are essential in third-party risk management as they establish clear expectations for third-party behavior, data handling, and security practices. They help mitigate the risk of security incidents by defining acceptable actions, and ensure third parties comply with relevant laws, regulations, and industry standards. Further, policy controls provide a foundation for monitoring third-party activities and enforcing compliance, allowing the organization to take appropriate action in case of policy violations. Thus, policy controls serve as a critical framework for managing third-party risks effectively.

Audit logs are integral to third-party risk management as they offer a comprehensive record of all third-party activities within your systems. They aid in identifying potential risks by highlighting unusual or suspicious activities, serve as a crucial resource during incident response and forensic investigations, and help ensure regulatory compliance by providing proof of effective security measures and third-party monitoring. In addition, they foster a culture of accountability and transparency among third parties, deterring malicious activities and encouraging adherence to security policies.

Kiteworks helps with third-party risk management by providing a secure platform for sharing and managing sensitive content. The platform is designed to control, track, and secure sensitive content that moves within, into, and out of an organization, significantly improving risk management. Kiteworks also provides two levels of email encryption, Enterprise and Email Protection Gateway (EPG), to secure sensitive email communications. This helps to protect against third-party risks associated with email communication.
