Although businesses are capitalizing on cloud-based solutions to enhance their operations, the interconnectedness of the cloud creates unique security risks. Therefore, companies must implement effective cloud security strategies to protect the sensitive and private data—especially health information, personally identifiable data, and payment card information—they have stored online.
Paul Clark, manager of systems engineering at Arctic Information Technology (Arctic IT) in Anchorage, says a lapse in security not only can cost an organization its reputation but can even put a company out of business if it is not prepared. “A ransomware attack that encrypts an entire organization with no viable backups can potentially devastate the entire organization,” Clark says. “Another thing to keep in mind is that, as more and more organizations are compromised, cyber insurance companies are scrutinizing organizational security practices and looking for ways to either partially pay or not pay at all, if it can be determined that an organization has not done everything they can to secure their data and systems.”
It’s crucial for businesses to understand the kind of cloud they have and how they can use it, says Cindy Christopher, director of managed IT product and sales at Alaska Communications. “An important consideration is that some controls might not be interoperable between different types of cloud environments,” she explains. “Each public cloud provider has a set of security tools available to clients that are specific to that tool. They each have different costs associated. For example, if you export your data from one type of cloud to another, you may have to pay data transfer fees. Using multiple services often leads businesses to purchase their own tools for centralized visibility.”
Protecting data involves encryption, and data loss prevention tools can prevent unauthorized exposure. “Firewalls and access control lists should be set up according to best practices and audited regularly for effectiveness and compliance,” Clark says. “It’s also worth considering the implementation of ‘just-in-time access’ for IT staff and critical applications. JIT allows access only when necessary and for a specific duration, creating a clear audit trail of who accessed which application or data, and when.”
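The just-in-time access model Clark describes (access only when necessary, for a fixed duration, with a record of who touched what and when) is easy to reason about with a small broker. The following is an added illustration, not code from Arctic IT or any cloud provider; the four-hour policy ceiling, the user and resource names, and the timestamps are constructed values.

```python
from datetime import datetime, timedelta, timezone

MAX_DURATION = timedelta(hours=4)  # assumed policy ceiling on any single grant


class JitAccessBroker:
    """Grants time-boxed access and records every grant, check, expiry and revocation."""

    def __init__(self):
        self._grants = {}  # (user, resource) -> expiry datetime
        self.audit = []    # (timestamp, event, user, resource), the audit trail

    def _log(self, when, event, user, resource):
        self.audit.append((when.isoformat(), event, user, resource))

    def request(self, user, resource, duration, justification, now):
        """Grant access for at most MAX_DURATION; a justification is mandatory."""
        if not justification.strip():
            self._log(now, "denied-no-justification", user, resource)
            return None
        expires = now + min(duration, MAX_DURATION)
        self._grants[(user, resource)] = expires
        self._log(now, "granted-until-" + expires.isoformat(), user, resource)
        return expires

    def check(self, user, resource, now):
        """Allow only while a grant exists and has not expired; log either way."""
        expires = self._grants.get((user, resource))
        if expires is None:
            self._log(now, "denied-no-grant", user, resource)
            return False
        if now >= expires:
            del self._grants[(user, resource)]  # lapsed grants are removed, not kept
            self._log(now, "denied-expired", user, resource)
            return False
        self._log(now, "access", user, resource)
        return True

    def revoke(self, user, resource, now):
        if self._grants.pop((user, resource), None) is not None:
            self._log(now, "revoked", user, resource)


def demo():
    """Constructed scenario: a one-hour grant checked before and after it lapses."""
    broker = JitAccessBroker()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker.request("alice", "payments-db", timedelta(hours=1), "change ticket 123", t0)
    early = broker.check("alice", "payments-db", t0 + timedelta(minutes=30))
    late = broker.check("alice", "payments-db", t0 + timedelta(hours=2))
    stranger = broker.check("bob", "payments-db", t0)
    return early, late, stranger, [event for _, event, _, _ in broker.audit]
```

The audit list is what an auditor or insurer would ask for: every grant and every allowed or denied access carries the actor, the resource and the time.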
Christopher adds that companies should not assume everything is taken care of when it comes to cloud security. “Generally, cloud platforms provide the environment, but it’s your responsibility to ensure it’s properly managed and protected based on your business’ unique requirements,” she says.
In addition, Alessi says businesses can minimize vulnerabilities by using secure configuration practices, such as disabling unnecessary services and ports, applying security patches, and properly configuring network security groups. They should also have an incident response plan. “Compliance with industry-specific regulations and legal considerations should be ensured and ongoing security governance should be established to monitor, review, and update cloud security controls regularly,” he says.
Due diligence when selecting a cloud service provider involves thoroughly assessing the provider’s security practices, certifications, compliance with data protection regulations, and contractual commitments. “Reviewing terms and conditions, SLAs [service-level agreements], and data processing agreements helps businesses understand the legal responsibilities and obligations shared with the provider,” Alessi says.
While external expertise is valuable, businesses still retain responsibility for their own cloud security. “They should actively participate in security discussions, understand the shared responsibility model with their cloud service providers, and ensure that appropriate oversight and governance are in place,” Alessi says. Consequently, it’s up to the leadership to ensure the implementation of a comprehensive data protection plan—whether through their internal IT staff and security team or by enlisting the help of an external organization such as Arctic IT.
Arctic IT, a technology consulting firm that specializes in application modernization, is a Microsoft Gold Business Partner, so the company’s solutions center primarily around Microsoft’s M365 and Azure cloud computing platforms. Arctic IT also helps clients with data loss prevention, data classification, cloud readiness, cloud vulnerability and security assessments, and adherence to specific compliance requirements.
CTG (Computer Task Group) also offers a comprehensive range of services. The company begins with a thorough assessment of the client’s cloud infrastructure to identify vulnerabilities and ensure compliance with best practices. Then it works to design a robust security architecture, incorporating multi-layered controls, encryption mechanisms, and secure network configurations.
The security experts at Alaska Communications help businesses with a full range of cloud services and security management solutions. It’s an authorized reseller of industry-leading cloud services, including Microsoft Azure. “Alaska Communications offers Security as a Service, giving our customers access to advanced technologies that are fully customized to meet their needs and simplify important processes that might otherwise be difficult to manage,” Christopher says.
In addition, Alaska Communications conducts third-party provider assessments to help businesses ensure their cloud solution is providing the security they promised. “Our experts can help you manage and secure your business applications and services with your regulatory and data sovereignty needs in mind,” Christopher says.
Christopher also advises, “When working with a provider, it’s important to use a matrix like the Cloud Controls Matrix and CAIQ questionnaire from the Cloud Security Alliance to understand your responsibility, the cloud service provider’s responsibility, and what’s shared.”
Alessi says businesses should have a clear understanding of their legal obligations regarding cloud security. They should also clarify data ownership and control in their contractual agreements, ensuring they know who owns the data and the extent of their control over it. International considerations come into play if data transfers occur across borders.
Typically, the business and its cloud service provider share the responsibility for security. “The business, as the data owner and user of the cloud services, bears the primary responsibility for securing their applications, data, user access, and compliance with applicable regulations,” Alessi says. “On the other hand, the cloud service provider is responsible for the security of the underlying cloud infrastructure, physical security of data centers, network architecture, and host security.”
Ultimately, the business cannot delegate all security responsibilities to the cloud service providers. “Both entities have a shared interest in ensuring the security of the cloud environment, and collaboration is key to effectively address cloud security challenges and maintain a robust security posture,” Alessi says.
Law firms like Dorsey & Whitney are well equipped to help businesses understand their cloud security liability. The multinational firm serves clients in locations across the United States, including Anchorage, as well as in Canada, Europe, and Asia.
“Clearly the service provider has an obligation to provide reasonable security,” says Dorsey partner Robert Cattanach. “This sounds like a vague term, but it involves a degree of specificity. The cloud provider should specify their security in their contract.”
Businesses need to read their service-level agreement, whether it’s with a managed service provider, Amazon Web Services (AWS), or a cloud provider. “Part of the key in ensuring their security is understanding how everything works,” says Cattanach, who is based in Minnesota and represents clients in the areas of cybersecurity, data breach response, and privacy compliance. “What happens when I first get data, and what are my reasonable expectations when I transfer that data to the cloud… There are practical implications.”
The service-level agreement will clearly spell out their provider’s obligations relating to cloud security. And being familiar with the agreement can help the business be better prepared to mitigate potential cloud security issues. “That awareness will help a company understand where they are not protected with the service provider, so they can do the things that can limit their exposure,” Cattanach says.
Businesses in highly regulated industries often have greater concerns for cloud security and liability. However, major cloud providers design solutions to meet their unique requirements. For example, AWS has a special product for clients that must comply with the Health Insurance Portability and Accountability Act.
In most cases, cloud service providers are not the kind of third parties that cause problems for clients, Cattanach says. But if a cloud provider does have a security breach, the recourse for the customer will be spelled out in their agreement. If that cloud provider fails to do what it agreed to, it will be responsible to the customer for damages.
However, Cattanach emphasizes that human error is responsible for most data compromises. So the most important—and preemptive—strategy for managing cloud security and legal liability is for companies to have a culture of security awareness. He maintains, “If people are aware of data security, that’s the biggest battle of all.”