Ercom
16 April 2024

How do you secure communications when using Cloud solutions?

Most professional communications (messaging, calls, videoconferencing, file storage and sharing, etc.) now use Cloud solutions. These provide communication and data exchange capabilities from any location and any device, with greater flexibility for storage and computing resources. This massive use of the Cloud also has its downsides, namely in terms of security, since it exposes organizations to risks of data breaches.

Securing communications and data exchanged via the Cloud has become one of the main cyber security concerns for organizations. What are the main Cloud security risks, and what solutions can help you secure your data and communications in the Cloud?

What are the major security risks associated with the Cloud?

Failure to ensure data confidentiality

Loss of confidentiality and data breaches are among the main risks associated with the Cloud. According to the latest "Cloud Security" report published by Thales in 2022, data breaches are on the rise.

In Europe, personal data management is governed by the General Data Protection Regulation (GDPR). Extraterritorial legislation such as the "Cloud Act" in the USA presents risks of data breaches, particularly of sensitive data. 

In addition to the risks associated with data confidentiality, the use of foreign Cloud solutions is also problematic from the perspective of digital sovereignty, since it raises the question of whether certain data may be hosted in environments that do not provide sufficient legal guarantees or in unauthorized territories.

The risk of Cloud-based attacks on corporate information systems

While the ability to connect to Cloud services from any device offers great convenience to users, it is very difficult for IT to manage. The Cloud increases the potential attack surface, as it multiplies possible entry points for cyber criminals. 

The introduction of BYOD (Bring Your Own Device) policies and the development of Shadow IT are also complicating the task for IT. Finally, the use of third-party applications and externally facing APIs also increases the security risks associated with the Cloud. All these entry points further expose information systems and offer new intrusion opportunities for cyber criminals.

Data availability

If Cloud-based software solutions are attacked, the data they manage can be stolen or made unavailable. This also raises the issue of backing up essential business data.

Large-scale software solutions hosted in the Cloud, or widely used backup and data transfer solutions, are attractive to cyber criminals. By attacking a smartphone, computer or Cloud-connected solution, a hacker can get into core systems and steal data stored in the Cloud.

Misconfigurations and unauthorized access

The risks described above are compounded by issues of configuration and access.

Most default configurations offered on the Cloud do not reflect the security requirements specific to each organization. Default access management is highly problematic for data security, especially for sensitive data. Default configurations expose data to improper handling, deletion or public dissemination. 

Too much confidential data stored in the Cloud remains accessible without authorization. According to the French Data Protection Authority (CNIL), these configuration issues in the Cloud are causing numerous data breaches.

Using the Cloud often implies dependence on a third-party service provider. It is important to choose your Cloud service provider carefully and understand its service policies, service level agreements and security measures. Finally, storing data in the Cloud can also lead to regulatory compliance issues, particularly when it comes to sensitive data and confidentiality rules. It is essential to check that your Cloud service provider meets the regulatory compliance standards for your industry.

Which solution should you choose to secure Cloud communications?

Securing data in the right Cloud

Today, there are different types of Cloud environments (public, private, hybrid) and different types of Cloud services (Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service). Each of these models meets the specific needs of organizations, but another factor comes into play: the country in which the data is stored and the nationality of the provider, and therefore which government might ask to access or block data.

Because data from certain industries or activities must be subject to enhanced protection, there are different security levels for Clouds (restricted, sovereign or classified), used according to the degree of "sensitivity" of the data to be hosted.

End-to-end data encryption and careful key management

Even if various storage services encrypt data at rest, this practice is not sufficient to protect organizations against the interception, theft or alteration of their data by malicious entities. Many Cloud providers don't encrypt their customers' data by default.

For customers, ensuring the security of their data means implementing end-to-end data encryption. Even if stolen, data remains unreadable without the encryption key. Only end-to-end encryption can prevent data breaches. In this case, the software solution must not keep a copy of the key in the Cloud to restore the password in the event it is lost. If you can easily recover your data after forgetting your password, a hacker may not find it so difficult to access your data either.
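
The principle above, as an added example that is not code from Ercom or any product named on this page: a Node.js sketch in which the key is derived from a passphrase on the user's device and the Cloud receives only salt, nonce, ciphertext and authentication tag. The function names, the record layout and the choice of scrypt with AES-256-GCM are assumptions made for illustration.

```javascript
// Added example: client-side encryption, no key copy held by the provider.
const crypto = require('node:crypto');

// Derive a 256-bit key from the passphrase on the client device.
// The key never leaves this function's callers; only the salt is stored.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Build the record uploaded to the Cloud (hypothetical layout).
// It contains no key material, so the provider cannot "recover" the data.
function sealForCloud(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh nonce for every record
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on the recipient's device. Throws if the passphrase is wrong
// or if any byte of the stored record was altered in the Cloud.
function openFromCloud(passphrase, record) {
  const key = deriveKey(passphrase, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.nonce);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// Convenience wrapper: null instead of an exception on any failure.
function tryOpen(passphrase, record) {
  try { return openFromCloud(passphrase, record); } catch { return null; }
}

// Constructed sample data for a stand-alone run.
function demo() {
  const record = sealForCloud('correct horse battery staple', 'Q3 board minutes (constructed sample)');
  const tampered = { ...record, ciphertext: Buffer.from(record.ciphertext) };
  tampered.ciphertext[0] ^= 1; // simulate alteration while stored in the Cloud
  return {
    owner: tryOpen('correct horse battery staple', record),
    wrongPassphrase: tryOpen('guess', record),
    altered: tryOpen('correct horse battery staple', tampered),
  };
}
```

The trade-off the paragraph describes is visible here: there is no code path that restores the data without the passphrase, so a lost passphrase means lost data.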

Reinforcing access control

Finally, securing communications via the Cloud requires rigorous identity and access management (IAM):

  • Adopt Zero Trust software solutions, in which even an administrator is treated as potentially too inquisitive and users retain full ownership of and access to their data.
  • Enable multi-factor authentication (MFA) to prevent access from unauthorized endpoints.
  • Implement access and password policies and tools.

The organization can also secure endpoints, catalog its digital assets to regain visibility, and implement a password security policy.

Cloud communications now play a strategic role in collaboration and are essential for organizations to further their development. Approaching the issue of securing Cloud communications from a purely technical angle would be far too simplistic. This question also encompasses issues of competitiveness, sovereignty and privacy.