A recent survey conducted by BetterCloud found that, on average, companies use 80 separate third-party cloud applications to collaborate, communicate, develop, manage contracts and HR functions, authorize signatures, and support business functions that process and store sensitive data. These types of applications are called SaaS (software as a service).
Organizations also decentralize applications and entire businesses on public platforms (PaaS or platform as a service) and infrastructure (IaaS or infrastructure as a service). By 2020, 76% of enterprises will run their applications on Amazon Web Services (AWS), and 63% of enterprises will run applications on Microsoft Azure.
Capital One consultant and former CISO Michael Johnson said that these public cloud services are necessary and productive, and are even expected to provide a safer environment than traditional data centers. However, they also pose unique risks to the sensitive data being processed and stored in these clouds, most of which are caused by customer errors in the setup and management of these services.
Johnson led Capital One through a public incident in 2019 that exposed 80 million personal records. In that incident, the attackers took advantage of improperly configured third-party cloud environments. Johnson and his team contained this vulnerability and relied on a strong response plan, transparency with the board of directors and the executive team, and existing relationships with law enforcement agencies so that the data thieves were quickly arrested before the data was exploited.
Developing a response plan to deal with the risk of placing sensitive data in the cloud should be part of any cloud security strategy. To begin a data protection strategy for public cloud usage, it is important to know how data can be exposed or stolen from public third-party cloud services.