Although many insurers are well along with adopting cloud-based solutions, properly securing cloud-resident data and applications remains a big challenge in the industry. A recent survey revealed over 90 percent of cybersecurity professionals are moderately or extremely concerned about the security of public cloud platforms such as Microsoft Azure and Amazon AWS.
Fortunately, cloud security technology as well as the industry’s understanding of the multi-layered security impacts of moving data and applications to the cloud has improved. By leveraging modern technology tools and implementing certain processes and standards, insurers can take effective action against becoming the next breach headline.
Moving to the cloud: What changed and what stayed the same
Whether your firm is using a public, private or hybrid cloud, surprisingly many aspects of security remain the same. In other words, replacing on-premise physical infrastructure with a cloud-based environment still requires safeguarding servers, storage, applications and data, as well as the cloud platform itself.
Similarly, user access to data and applications has changed from a network drive within your four walls to a gated area in the cloud. This, in turn, requires new types of policies and cybersecurity solutions to keep threats from breaching the gate.
Cloud security concerns to address
Appropriately protecting your cyber assets requires a detailed approach. For insurers, the three primary concerns are:
Data. With data traveling to and from the cloud – as well as between multiple cloud-based applications –security considerations become more nuanced than when data is stored and accessed on-prem. For example, a threat can target the communications link between your firm and the cloud provider. Or, an attacker can successfully phish the employees at the provider. Either one can create a back door into your firm’s data.
Access. Beyond your employees and contractors requiring access, cloud platforms host multiple tenants. This means securing your data and applications from other tenants as well. Further, cloud providers frequently use data mining algorithms to gain insights at a macro level across multiple tenants. Even when such data mining doesn’t target your customers’ personal information, the practice opens up another window for threats to exploit.
Compliance & Risk. The cumulative effects of the foregoing data and access concerns also increase risk and compliance burdens. Due to the significantly higher concentration of data on cloud platforms, they’re an attractive target for an attacker. This elevates your firm’s risk. Additionally, insurers need to investigate how audits and compliance are handled at every layer in the technology stack to establish appropriate measures and ensure that no regulatory issues or costs arise.
5 steps to securing your cloud environment
With the primary concerns in mind, here are five steps to take that will help lock down your cloud environment:
- Step 1: Protect your data. Review the data you collect and categorize it based on the sensitivity level. Then apply encryption technologies, as this renders data unintelligible to unauthorized users. To minimize encryption solution costs, pair each data sensitivity level with the right encryption option.
- Step 2: Secure systems appropriately. With cloud-based infrastructure relying on a multi-layered technology stack, it’s important to apply safeguards on the layers you’re responsible for. It’s also necessary to ensure that your cloud platform provider is contractually obliged to do the same.
- Step 3: Limit and control access. Using many of the same tools and best practices as with on-premise infrastructure, implement comprehensive access management. This includes policy-based authentication to confine user access to the data and applications required for their jobs. Further, continue investing device-related solutions for those granted access via company-issued or personal mobile devices.
- Step 4: Modernize threat detection and mitigation. It’s well-established that enterprise threats commonly persist for months prior to detection. According to the latest IBM study, the current average for detecting and containing a single breach is 279 days. But it doesn’t need to be this way. A variety of mature tools called user behavior and analytics (UEBA) solutions enable uncovering and mitigating threats faster than humanly possible. Such AI-powered tools work in tandem with your cybersecurity team, not as a replacement.
- Step 5: Establish a rapid incident response strategy. A flat-footed response impacts immediate profitability and inflicts long-term brand damage. That’s why cybersecurity experts advocate establishing a comprehensive response to provide everyone at your firm the needed specifics for mitigating a threat and containing the competitive fallout.
Avoid going it alone
Regardless of the specific capabilities that your organization adopts, relying on leading industry knowledge and the expertise of vendor partners can help you find the right security solutions for guarding your cloud assets. Establishing control baselines, devising a strategy, deploying appropriate solutions and transferring knowledge are all tasks that experienced cyber-partners supply to help insurers protect data, customers and brands.
Learn more about how we can help you with your cloud enablement by visiting our Digital & Cloud Services practice.