Increasingly, companies are moving their data and processing to cloud services. It’s easy for this out-of-sight data to be out of mind when it comes to security, but if anything, it should be top of mind because it’s even more exposed than on-premises data. With regulators issuing record fines for privacy violations, developers need to make sure they secure their data in the cloud.
Fines for privacy violations will only increase in 2020. In 2019, after one year of General Data Protection Regulation (GDPR) enforcement in the European Union, there were over 59,000 personal data breach notifications across Europe, along with 91 reported fines. France’s National Data Protection Commission fined Google $57 million for improper processing of personal data for advertising purposes. With more violations occurring with respect to data stored in the cloud, data owners, developers, and CISOs need to focus on cloud data security.
“While we can never know how much reach the attackers had on the airline’s servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” stated a RiskIQ analysis of the issue.
Such data breach fines are only increasing. The EU’s GDPR allows fines of up to 4% of revenue per violation. Under the California Consumer Privacy Act (CCPA), companies that fail to protect their users’ data can be fined up to $2,500 per violation (and $7,500 per willful violation) per individual whose data was breached. And fines under the Payment Card Industry Data Security Standard (PCI DSS) will likely rise as well.
Traditionally, having data stored locally meant attackers had to compromise the corporate network before gaining access. While the past reminds us that this has occurred all too often, at least that network was under local control and monitoring. Services on demand allow attackers to access sensitive data if they can bypass cloud access security—which is typically under the control of the cloud provider, and opaque to the enterprise.