You moved a considerable amount of data to AWS and your organization is reaping the benefits of cloud computing. So, how good is your security?
Let us not talk about the technical aspects of security in the cloud. Instead, consider the financial aspects and what happens when data is compromised. Here are a few scenarios:
First, data was retrieved by a third-party provider from a shared storage account, and that data was not encrypted.
Next, data was breached from an EC2 instance (virtual machine) that skipped a patching cycle to allow for a critical business function to be performed.
Finally, data was accidentally sent to the wrong vendor and was not encrypted. The receiving party claims to have deleted the file, but you suspect otherwise.
None of this is good. Your organization has cyber insurance, right?
You are following all the procedures and protocols that your organization reported on the cyber insurance application, right?
Here is why this is important. Even on a cyber insurance short form application, specific process-related questions are or were asked of your organization. Here are a few:
A process is in place to regularly download and install patches? __ Yes __ No
The Applicant (your organization) encrypts private or sensitive data while at rest in the Applicant’s database or on the Applicant’s network? __ Yes __ No
The Applicant (your organization) encrypts private or sensitive data while on employee-owned devices? __ Yes __ No
The Applicant (your organization) encrypts private or sensitive data while in the care or custody of a third-party service provider? __ Yes __ No
The insurance application is signed by an Authorized Representative of your organization. Insurance law in 18 states, the District of Columbia and Puerto Rico carries possible fines and imprisonment for falsifying information on an insurance application or claim. Your organization’s Authorized Representative is on the hook for the validity of these responses.
At best, if your organization responds incorrectly, you negate any benefits you might receive. Your organization may not be covered in the event of a data breach or ransomware attack. This is a huge wake-up call.
Rather than think about the technical aspects of security, it is time to start thinking about whether your organization is covered. Have you considered whether you are adhering to the provisions in your insurance policy?
It is not uncommon for an organization to get started in AWS and think about security later. It is not uncommon for organizations with an established AWS portfolio to assess their security posture at periodic intervals. The technical merit of your AWS security controls is a lost conversation for many, but the financial merit, or the risk of not being covered in the event of a data breach or a ransomware attack, is easy for everyone to understand.
Periodic AWS Security Assessments ensure you are adhering to the provisions in your cyber insurance policy. The Convergency AWS Security Assessment helps you identify where your organization is aligned to your cyber coverage and how to address any gaps.
If you are concerned about security in your AWS environment, we invite you to contact us.