As a kid, I remember being proud of the stamps in my passport so I could show my grandparents which countries I had visited. Nowadays, there are only a few countries that even issue stamps for a passport. Going from country to country has been made easy.

When you (as an organization or an individual) put data into the cloud, you know that you are handing it over to a provider who may have data centers in many places, countries or even continents. These days, most people understand that storing data in the cloud means that your data needs to be physically stored on a device somewhere, though it is accessible anywhere. What most people don’t realize is where their data is going, where it travels through and where it is heading next.

Data Travels in the Cloud

As your cloud data traverses the world, it would be nice if you knew where it went. Governments are increasingly demanding that organizations can verify where the data they upload to the cloud goes. They are holding the uploaders accountable — in some cases even penalizing them if data passes certain borders unexpectedly or without permission.

For a regular customer using a cloud-based application, it is not easy to understand where the data you are accessing is really stored. The application or platform provider may be based in London, but the servers might be in Amsterdam, the U.S. or the Far East. Your data may reside in a data center in the U.K. today but be moved to Bangalore as part of an optimization process tomorrow.

And what about those cloud and mobile applications that you never authorized? Thanks to transformations in cloud and mobile, employees can sign up for new digital services with only a few clicks. Some of these tools and cloud-based technologies give employees immediate access to the productivity and collaboration they need to do their jobs much more efficiently than established or authorized apps allow. It’s the way people now want to work.

Whether or not employers allow it, employees are still going to use outside tools and upload company data to them. In a recent study, it was discovered that 1 in 3 employees at Fortune 1000 companies share and upload corporate data on third-party cloud apps.

Approaches to Data Protection

Organizations realize they need to deal with this challenge, and we see two possible starting points.

1. Legal/Procedural Approach

During the formal acquisition process for a new cloud, mobile or software-as-a-service (SaaS) provider, organizations may have to go through a step in which they involve the legal department to ask a series of questions related to business risk, data privacy and compliance. The legal team may have a checklist and can ask the cloud vendor to document the flow of the data. They may even require specific legal contracts such as EU model clauses to be put in place to govern data privacy requirements as per individual country laws.

This approach works well in situations where authorization of the use of cloud apps and services is formally requested. However, the reality is that many cloud and SaaS applications are activated by employees without prior authorization from the employer. Furthermore, the setup of the cloud provider may change. How do you ensure your organization is on top of this so-called shadow IT, and how do you deal with changes over time?

2. Network/Security Approach

Your organization may have already deployed technologies capable of analyzing network traffic such as Web application firewalls (WAF), intrusion detection solutions (IDS) or intrusion prevention systems (IPS). If these technologies cover the entire enterprise network, they can provide a good starting point for analyzing the extent of unauthorized use. If such technologies only cover part of the network, ask if there is appetite to make further capital investments in network hardware or if it is more efficient to consider SaaS to support the automated detection phase.

Organizations should integrate their legal/procedural approach with their network/security approach to gain the appropriate insight into the risk and mitigation associated with cloud security.
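The following is an added example (not code from the original article) of what integrating the two approaches can look like in practice: the legal team's register of approved SaaS vendors and the countries their contracts permit is joined against upload records from the proxy or WAF, so that uploads to unsanctioned services and uploads to approved services that land outside their permitted region both surface as findings. The log lines, the approved-vendor register, the hostnames and the IP-to-country table are all constructed for the demonstration; a real deployment would read them from the proxy export, the vendor register and a GeoIP database.

```python
"""Shadow-IT and country-level data-flow triage over proxy upload logs.

Added example, not part of the original article. Every input below is
constructed: the log lines, the approved-vendor register (the output of
the legal/procedural step) and the IP-to-country table (standing in for
a GeoIP lookup).
"""
import re
from collections import defaultdict

# Constructed proxy log: timestamp, user, method, destination host, dest IP, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice POST files.approved-docs.example 203.0.113.10 524288
2024-05-01T09:15:44Z bob   POST share.unknown-sync.example 198.51.100.7 2097152
2024-05-01T09:20:10Z alice GET  files.approved-docs.example 192.0.2.55 1024
2024-05-01T09:31:00Z carol PUT  api.approved-crm.example 192.0.2.77 8192
2024-05-01T09:40:12Z bob   POST share.unknown-sync.example 198.51.100.7 1048576
"""

# Constructed register from the legal/procedural step: approved SaaS hosts and the
# countries their contracts (e.g. EU model clauses) permit the data to reside in.
APPROVED = {
    "files.approved-docs.example": {"GB", "NL"},
    "api.approved-crm.example": {"GB"},
}

# Constructed IP -> country table; a real tool would query a GeoIP database here.
GEO = {
    "203.0.113.10": "GB",
    "192.0.2.55": "NL",
    "192.0.2.77": "IN",   # provider moved this endpoint outside its permitted region
    "198.51.100.7": "US",
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<bytes>\d+)$"
)
UPLOAD_METHODS = {"POST", "PUT"}  # only bytes leaving the organization are tallied


def parse_log(text):
    """Parse proxy lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = int(rec["bytes"])
        records.append(rec)
    return records


def classify(rec, approved=APPROVED, geo=GEO):
    """Return (status, country) for one record.

    An unknown country ("??") on an approved host counts as out_of_region:
    a data flow that cannot be located cannot be shown to comply either.
    """
    country = geo.get(rec["ip"], "??")
    allowed = approved.get(rec["host"])
    if allowed is None:
        status = "unsanctioned"
    elif country not in allowed:
        status = "out_of_region"
    else:
        status = "ok"
    return status, country


def build_report(text, approved=APPROVED, geo=GEO):
    """Aggregate uploaded bytes per (host, country, status) and per user at risk."""
    by_flow = defaultdict(int)
    by_user = defaultdict(int)
    for rec in parse_log(text):
        if rec["method"] not in UPLOAD_METHODS:
            continue
        status, country = classify(rec, approved, geo)
        by_flow[(rec["host"], country, status)] += rec["bytes"]
        if status != "ok":
            by_user[rec["user"]] += rec["bytes"]
    return {"flows": dict(by_flow), "users_at_risk": dict(by_user)}


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    for (host, country, status), sent in sorted(report["flows"].items()):
        print(f"{status:14} {host:32} {country:3} {sent:>10} bytes")
    print("users with flagged uploads:", report["users_at_risk"])
```

The report separates the two governance outcomes: an `unsanctioned` host is a candidate for the legal/procedural review (or for blocking), while `out_of_region` on an approved host means the vendor's setup changed after the contract was signed, which is exactly the drift the procedural approach alone cannot catch. Running the same aggregation over a daily export, with the register and GeoIP source swapped in, gives the country-level data-flow inventory the questions below ask for.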

Ask the Right Questions

Related to cloud security governance, organizations should ask themselves the following questions:

  • What SaaS, cloud and mobile applications do your employees use?
  • Can you leverage existing technology for inspecting network traffic? Is there an opportunity to introduce automated discovery technology that can help discover authorized and unauthorized SaaS use and country-level data flows?
  • Have you made an inventory of the specific risks associated with cloud, SaaS and mobile for your organization? Did you design specific business controls to mitigate the risks related to cloud security?
  • Do you require the business owners of SaaS, cloud and mobile applications to comply with a cloud security governance process that checks against a series of business controls?

It all comes down to your appetite for taking risks. Organizations should design their cloud security governance process based on their own profile and policy, the requirements of the industry and geography they operate in and their own specific preferences.
