WinZip Enterprise Blog


The Importance of Data Classification for Data Security

Organizing data into relevant subgroups makes it easier to use and safeguard data efficiently. This process is known as data classification, which helps companies prevent or limit cyber threats.

Data classification is especially important when it comes to risk management, regulatory compliance, and overall data security. In this article, we’ll cover what data classification is, its importance, and how solutions such as WinZip® Enterprise enable data security through data classification.

Categorizing data risk

Classifying data does more than make data easier to find. Companies produce large volumes of data, and understanding what kinds of sensitive information your organization holds is essential to optimizing security efforts.

The average organization’s data volume grows approximately 63% per month, which requires an organized framework to drive adequate data protection measures. Some data is more sensitive and important than others, so data classification helps you identify which data sets require higher levels of protection. For example, your organization’s internal emails and documents require greater protection than your public website content.

There are four common types of data classification levels. These levels are based on the type of data, its sensitivity, and the risk to your company if the data is compromised.

  • Public data. Public data is considered low risk because it can be freely disclosed without negative consequences if it is accessed or used by people outside the organization. For example, general information about your organization or its products and services is considered public data.

  • Private data. Private data should be safeguarded from public access to maintain its integrity. This information is typically for internal use only, which poses some risk if disclosed. Your company’s plans, strategies, spreadsheets, and revenue projections are all examples of private internal data.

  • Confidential data. Data that requires clearance or authorization to access is confidential. This type of information could negatively impact the company if it is disclosed, so it is typically limited in access to specific teams or individuals. Examples of confidential data include financial accounts, pricing information, and marketing strategies.

  • Restricted data. Restricted data is extremely sensitive and requires strict controls to prevent unauthorized access. If disclosed, restricted data could pose a large risk for your organization because it includes data such as personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) information, intellectual property, and information protected by confidentiality agreements.

Why data classification is important

Data classification is a foundational component of your company’s overall data security. It is what enables you to make knowledgeable decisions regarding how to protect information from both external and internal threats.

It is impossible to deploy all your security resources to protect every piece of data. By grouping data sets into one of the four classification levels, you are better able to identify the range of controls needed to keep it safe.

For example, highly sensitive data (e.g., restricted, confidential) requires a significant amount of your resources to keep it safe. Otherwise, it could pose severe risks to your organization if it is exfiltrated or accessed by unauthorized users.

Risk reduction

Risk management is how businesses identify, assess, and control factors that could threaten their capital and earnings. An important element of a risk management program is establishing full visibility over all the data a company collects, stores, and transmits.

Most enterprise-level organizations deal with a high volume of multiple types of data. Data classification helps you provide the right level of protection based on the data’s value, sensitivity, and the risk posed to the organization if that data is lost, stolen, or exposed.

Companies that leverage data classification are better positioned to protect organizational assets. Each data classification category includes information relevant to risk management, such as security considerations for the safe retrieval, transmission, and storage of data.

Regulatory compliance

According to Gartner, modern privacy regulations will cover the personal information of 65% of the world’s population by 2023. This makes it more important than ever to ensure the integrity, security, and availability of your organizational data.

To date, around 80 countries have enacted data privacy laws. Even the United States is moving closer to establishing a national standard for data protection—a draft of the American Data Privacy and Protection Act (ADPPA) was released by a bipartisan committee in June 2022. For now, Americans’ data is protected through a patchwork of state- and sector-specific laws.

Data classification ensures that sensitive, regulated data stays in compliance with all applicable rules, regulations, and privacy laws. Some of these common compliance provisions include the following:

  • Health Insurance Portability and Accountability Act (HIPAA). HIPAA imposes strict requirements for data privacy and security for healthcare-related entities. You must properly locate and tag HIPAA-related data, such as PHI and PII. Since the Privacy Rule limits the uses and disclosures of PHI, data classification plays a key role in prioritizing data security controls.

  • Payment Card Industry Data Security Standard (PCI DSS). PCI DSS places great importance on data classification for the protection of cardholder data. In fact, PCI DSS Requirement 9.6.1 specifically requires organizations to classify media so that the sensitivity of the data is determined.

  • Systems and Organizations Controls 2 (SOC 2). The SOC 2 framework helps companies demonstrate the security controls in place to protect cloud-based customer data. Data classification is an important component of the Confidentiality category of a SOC 2 report.

  • General Data Protection Regulation (GDPR). To comply with GDPR, organizations that handle the personal data of EU citizens must classify all the data they collect. Data classification also streamlines the process of creating a Data Protection Impact Assessment (DPIA), which is required for all high-risk data processing activities that could negatively impact people’s personal information.

  • Gramm-Leach-Bliley Act (GLBA). The GLBA Safeguards Rule requires financial institutions to adopt controls that address and enhance data classification. These controls are part of the larger, more detailed requirements for a company’s information security program.

Comprehensive Data Security

You cannot protect data if you don’t know which type of data and information your company has, where it is stored, or the controls required to protect it. This is why data classification is critical to your overall data security strategy. Instead of a one-size-fits-all approach to security measures, data classification informs which areas need additional risk controls.

For example, restricted data is the most sensitive data classification level. As such, it requires the highest level of control over how users access, share, and interact with this data. This is why many enterprises encrypt their sensitive data, which renders information inaccessible without the correct encryption key.

While confidential data is less sensitive than restricted data, it still needs a high level of protective control. It’s also important to control access and sharing of confidential data, even within your organization. A data classification system makes it easy to apply the appropriate access controls and restrictions based on data sensitivity.

To protect their most sensitive data, companies leverage WinZip Enterprise. This comprehensive solution makes it easy to encrypt, compress, back up, and share critical data.

Depending on the data classification level, you can keep information safe with file encryption or convert files to PDFs and protect them with a password. WinZip Enterprise is also highly customizable, giving your IT teams the ability to set and enforce encryption standards, password policies, access controls, and more.

Discover how WinZip Enterprise can help your organization become more secure through data classification.

How Law Enforcement Agencies Can Safeguard Evidence Storage and Access with WinZip SafeMedia

A data breach exposes confidential, personally identifiable information (PII), or sensitive information to an unauthorized person. The files obtained during a data breach are then viewed and shared without permission.

There has been an increase in cyberattacks and data breaches around the world, including in the US. Many organizations have been impacted by this increase, including law enforcement agencies.

In 2019, the Los Angeles Police Department (LAPD) was the target of a data breach, which exposed the personal information of at least 20,000 people. This included 2,500 active officers and 17,500 job applicants. Information obtained during the breach included names, dates of birth, email addresses, passwords, as well as the last four digits of social security numbers.

Then in 2020, the North Miami Beach Police Department was hit with a ransomware attack—where malware is used to deny an employee or organization access to files on their computer or drive unless they pay a fee—and the attackers demanded a ransom of $5 million from the police department to get their information back online.

Law enforcement agencies today store an increasing amount of digital evidence, including video, audio, photographs, social media posts, chat group messages, and much more—all of which needs to be kept private and confidential. This means agencies need a way to store all this data safely when saved on external hard drives, which occurs when data must be shared, especially with other agencies.

In addition, some evidence must be preserved for very long periods of time (e.g., 65 years in some cases), which makes storage even more challenging. One solution is WinZip® SafeMedia™.

WinZip SafeMedia enables end users and entire agencies to quickly and safely store, manage, and transport files on removable media (e.g., removable storage devices such as CDs, DVDs, and USB drives and sticks), empowering IT administrators to uphold protocols and standards that defend organizations against online and offline threats.

In this article, we’ll discuss the top data security pain points law enforcement agencies face, how chain of custody data logging comes into play, the stringent security procedures law enforcement must adhere to, and how WinZip SafeMedia can help.

Top 4 Data Security Pain Points Law Enforcement Agencies Face

There are many pain points and challenges related to data security that plague law enforcement agencies everywhere. Let’s look at four of the most common.

1. The Growing Amount of Digital Evidence

The main problem for agencies is that there is simply too much digital evidence to handle.

Since law enforcement agencies now must collect and analyze digital evidence from multiple sources in almost every investigation they oversee, police departments need to invest in systems to store this data. This includes tools that enable long-term storage, controlled distribution of evidence, and integration with record management systems.


For example, although evidence collection tools such as body-worn cameras and dash cam video are invaluable, footage from these cameras requires a considerable amount of work to store, protect from cyberattacks and data breaches, and maintain according to stringent digital evidence security requirements.

To resolve this issue, agencies should invest in dedicated data storage and security solutions. These solutions must enable officers to follow proper protocol and procedure for storing and managing evidence (which may require this evidence to be accessed by the public for transparency).

2. Difficulty Accessing Data

Finding and accessing data relevant to a police investigation is one of the first steps taken by law enforcement officials and administrative staff. Depending on how data is stored, this can be a complex and tedious process.

According to a report by McKinsey Global Institute, the average law enforcement employee spends around 20% of their day just searching for the information they need.

Key factors that hinder data accessibility include:
  • Data is stored in silos and disparate places rather than centralized locations.

  • Multiple logins and user access rights are required to view data.

  • External data (e.g., call data records, device downloads, and automatic number plate recognition, or ANPR) is often obtained in stages from different sources, making it hard to keep track of.

  • Competence and knowledge among staff members can vary considerably, which means data storage best practices are not followed consistently.

3. Storing and Sharing Data Across Agencies

The need to share data across law enforcement agencies is increasing. Crimes often happen at more than one location, which means the ability to gather and share information with agencies in other counties, states, or even countries, can be critical when working on a criminal investigation.

The data sharing process can be quite difficult. First, there needs to be a centralized digital location that can safely store a variety of information, including timelines, reports, digital evidence, and more—all of which may be in multiple file formats—and that can be accessed by all approved users.

In addition, access to this data needs to be audited to ensure it has not been tampered with in any way. The information shared also must be searchable so that it can be located to inform other investigations if needed.

4. Lack of Proper Technology

Law enforcement agencies need to have the right technology in place to both store and analyze the massive amounts of data they collect every day.

For example, even in a routine investigation, there are hundreds of thousands of lines of data that come from call data records and electronic devices alone. Trying to decipher this information without the proper technology can be daunting and may interfere with the progress and timeline of an investigation.

Examples of technology used by law enforcement include:

  • Artificial intelligence (AI). AI is a much more cost-effective solution than having humans derive actionable insights from immense amounts of data. AI is also used for crime mapping, where analysts and researchers use location information about different crimes to detect spatial patterns in criminal activity (e.g., sifting through data to more accurately pinpoint high-crime areas).

    In addition, AI is also used in crime forecasting, which attempts to predict crimes before they occur, using deep learning algorithms to train computers to analyze data from many different sources.

  • Predictive policing. Technology known as predictive policing involves the use of algorithms to analyze large amounts of data to help predict and prevent future crimes.

    Place-based predictive policing uses preexisting crime data to identify places and times that have a high risk of crime, while person-based predictive policing works to identify individuals or groups who are at risk of committing a crime—or who may be the victim of a crime—by analyzing certain risk factors, such as prior arrests.

Digital Evidence Chain of Custody Logging

Chain of custody is the process used to gather and track the movement and control of an asset or piece of evidence through its lifecycle. This process documents each person and organization who handles any asset, the date and time it was collected or transferred, and the purpose of the transfer. An asset includes digital activity records, data, and equipment.

Chain of custody documentation helps mitigate risk by decreasing the opportunity for would-be hackers to tamper with the asset.

Anyone involved in the chain of custody must ensure they follow best practices when collecting data. Any misstep can lead to the asset being compromised, and therefore challenged and ruled inadmissible in court, which can lead to a wrongful conviction or someone guilty walking free.

The best way to ensure that chain of custody is always followed is for law enforcement agencies to enforce stringent security procedures. These procedures include:

  • Data collection. This is where the chain of custody process begins. This step includes gathering, identifying, labeling, and recording data from relevant and credible sources in a way that preserves the integrity of the data and evidence collected.

  • Data examination. During the examination process, chain of custody information is documented to outline the forensic process that is being undertaken. With digital evidence, for example, officers must capture screenshots as they make their way through the examination process to show the tasks that are being completed and the evidence uncovered. As this step is carried out, the results of the investigation are recorded.

  • Data analysis. The analysis is the result of the examination stage. In this stage, legally justifiable methods and techniques are used to derive useful information from evidence gathered to address questions posed in the investigation.

  • Reporting. This is the documentation phase of both the examination and analysis stages. Reporting includes the following tasks:

    • A statement regarding the chain of custody, which can include a form that lists the details of how the evidence was handled every step of the way.

    • An explanation of the tools used to collect, examine, and analyze the data.

    • A description of the analysis conducted using various data sources.

    • Any vulnerabilities identified.

    • Any additional recommended forensic steps.

One way to enforce these procedures in your law enforcement agency is by using the WinZip SafeMedia IT control and activity log. These powerful administrative features enable you to tailor security policies to your agency’s needs.

For example, you can customize settings for different departments or user groups and monitor activity as needed using the activity log. Approved users can access the logged information using Windows Event Viewer or by using a log server solution.

4 Critical Digital Evidence Security Requirements

Courts require digital evidence to be sound, untampered with, and provided without any alteration, which means protecting digital evidence is critical. As such, law enforcement agencies must follow storage requirements to ensure all digital evidence is properly handled.

These security requirements include:

1. Maintaining the Original Digital Evidence File

This requirement involves retaining the original digital evidence file. This enables officers to refer to the original, unaltered evidence if needed.

Officials must keep this file separate from the one they are working on and not perform any analysis on the original file. Actions performed on the original file must be limited so that the file stays protected and the evidence within it remains admissible in court.

2. Ensuring Data Integrity with Hash Values

Cryptographic hash values verify the integrity and authenticity of digital evidence. Hash values provide proof that the digital evidence used in an investigation is the same as the original that was uploaded. If any alteration has been made to the evidence, the system will generate a new hash value that does not match the original one.

This security requirement makes it much easier for officers to detect any kind of alteration made to the asset. If no alterations are detected, the integrity of the digital evidence is preserved.
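The hash check described above, combined with the chain of custody record from the earlier section, as an added example (not WinZip code and not how WinZip SafeMedia works internally). The field names, handlers, timestamps, and evidence bytes are constructed for illustration; each log entry stores the hash of the previous entry so that editing an earlier entry is detectable.

```python
import copy
import hashlib
import io
import json

GENESIS = "0" * 64  # prev_hash value used by the first log entry


def sha256_stream(stream, chunk_size=1 << 16):
    """Hash a binary stream in chunks so large video files need not fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def entry_hash_of(fields):
    """Hash the canonical JSON form of an entry (sorted keys, no entry_hash field)."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log, handler, organization, timestamp, purpose, evidence_sha256):
    """Record who handled the asset, when, and why, linked to the previous entry."""
    fields = {
        "seq": len(log),
        "handler": handler,
        "organization": organization,
        "timestamp": timestamp,
        "purpose": purpose,
        "evidence_sha256": evidence_sha256,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(fields, entry_hash=entry_hash_of(fields))
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first inconsistent entry, or None if the chain is intact.

    An attacker who can rewrite the entire log can recompute every hash, so the
    latest entry_hash should also be stored or signed somewhere outside the log.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry.get("seq") != i
                or entry.get("prev_hash") != prev
                or entry_hash_of(fields) != entry.get("entry_hash")):
            return i
        prev = entry["entry_hash"]
    return None


def working_copy_matches(log, stream):
    """Compare a working copy against the hash recorded at collection (entry 0)."""
    return sha256_stream(stream) == log[0]["evidence_sha256"]


def demo():
    # Constructed sample data: stands in for the bytes of an evidence file.
    original = b"constructed sample: body-camera clip bytes"
    original_hash = sha256_stream(io.BytesIO(original))

    log = []
    append_entry(log, "Officer A", "Agency 1", "2024-01-05T09:00:00Z",
                 "collection", original_hash)
    append_entry(log, "Analyst B", "Agency 1 Forensics Lab", "2024-01-06T14:30:00Z",
                 "examination of working copy", original_hash)
    append_entry(log, "Detective C", "Agency 2", "2024-01-09T11:15:00Z",
                 "transfer to partner agency", original_hash)

    # Case 1: an entry is edited in place without touching its hash.
    edited = copy.deepcopy(log)
    edited[1]["handler"] = "Someone Else"

    # Case 2: an entry is edited and its own hash recomputed; the next entry's
    # prev_hash still points at the old value, so the break shows up there.
    rehashed = copy.deepcopy(log)
    rehashed[1]["purpose"] = "altered purpose"
    fields = {k: v for k, v in rehashed[1].items() if k != "entry_hash"}
    rehashed[1]["entry_hash"] = entry_hash_of(fields)

    return {
        "intact_copy": working_copy_matches(log, io.BytesIO(original)),
        "altered_copy": working_copy_matches(log, io.BytesIO(original + b"\x00")),
        "log_ok": verify_log(log),
        "edited_entry": verify_log(edited),
        "rehashed_entry": verify_log(rehashed),
    }


if __name__ == "__main__":
    print(demo())
```
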

3. Protecting Removable Storage Devices

Losing a portable storage device or having it stolen can lead to huge risks and potential consequences for a police agency, especially if this results in a data breach. It’s likely that a lost device will fall into the wrong hands, thus risking the privacy and security of what is stored on that device.

The minimal costs of purchasing encrypted USB drives are far less than that of the average data breach, along with other consequences such as loss of trust and negative public perception.

When using any kind of storage device, police officials must ensure they protect all data every step of the way. This means setting strong, unique passwords for every storage solution used and enabling a password on their computer so no one can access files on their laptop or desktop while they are away from their desk.

4. Encrypting Data on Removable Media

Although encryption on removable storage devices is not yet a security requirement for most law enforcement agencies, it’s a pain point for most police forces. Key challenges related to encryption include determining what data security option is best, how to implement a solution across an entire agency, and who is responsible for leading this initiative.

WinZip SafeMedia Empowers Law Enforcement Agencies with Seamless, Fail-Safe Data Security

WinZip SafeMedia equips law enforcement agencies and police departments with a simple, centralized solution that can be used to safely store, manage, transport, and share sensitive investigation data with authorized personnel.

With WinZip SafeMedia, agencies can empower authorized staff to securely collect and access important evidence on removable media anytime, anywhere, while ensuring all data is protected against unauthorized access through features such as forced burn encryption, activity monitoring, and advanced permission control.

Additional benefits of WinZip SafeMedia include:

  • Safeguard digital evidence and metadata integrity by copying and automatically encrypting duplications of data assets on external drives.

  • Automatically encrypt and compress evidence and investigation data to easily drag and drop it onto external drives for secure storage.

  • Quickly access data on authorized law enforcement agency systems and software via automatic file decryption.

  • Customize and enforce user permissions and log access to ensure all evidence is processed using approved legal chain of custody compliance and security protocols.

To learn more about the benefits of WinZip SafeMedia, view our law enforcement and police departments’ digital datasheet.

5 Cloud Storage Security Tips Every Company Should Follow

The rapid acceleration in the adoption of cloud services, which was kickstarted by the 2020 pandemic, saw 61% of organizations move their workloads to the cloud.

In 2022, it is likely that your company uses cloud services: 94% of enterprises do. Of the companies using cloud services, 79% reported data breaches.

Data protection decreases the risk of stored data, yet 83% of businesses do not encrypt what is stored on the cloud.

Before you can implement a sophisticated approach to cloud security and minimize your data’s risk factor, you need to understand the basics.

In this article, we will explore how cloud storage works across public, private, and hybrid clouds. We will also identify important cloud storage security tips as well as how solutions such as WinZip® Enterprise help protect files stored in the cloud.

What is cloud security?

Cloud security is the set of procedures and countermeasures taken to protect cloud storage from unauthorized parties. Data leaks and malicious parties seeking to steal data necessitate countermeasures to mitigate risk.

Security for cloud storage is a shared responsibility between your company and your cloud service provider (CSP).

Think of it this way: An organization that uses on-premises IT infrastructure is responsible for securing the infrastructure and its associated data and applications. However, moving to cloud computing enables the company to allocate some IT security tasks to the cloud provider.

This is known as a shared responsibility model, and both the provider and user must work together to account for various aspects of cloud security. The data you store, how it is stored, who can access it, and the management of the cloud environment are all examples of your baseline security responsibilities.

Cloud vendors are responsible for using virtualization to aid in protecting users and data. Vendors can be expected to physically protect their hardware as well.

Just how much of your cloud’s security is your responsibility depends on the cloud service model your organization decides to employ. The services provided by the CSP come in three common forms:

  • Infrastructure-as-a-Service (IaaS): In the IaaS model, the CSP provides the hardware for servers, networks, and storage, which the virtual machine uses to deliver the resources to the client. Sometimes, further services such as storage resiliency and monitoring are offered.

  • Platform-as-a-Service (PaaS): Using IaaS as a baseline, PaaS models go further and provide users with application development platforms hosted by the CSP. Users can expect built-in databases, operating systems (OSs), and middleware, which is the software that bridges the gaps between applications and the OS.

  • Software-as-a-Service (SaaS): Building up from PaaS, SaaS platforms offer a complete application that can be accessed without downloading software. The CSP handles maintenance, updates, and software security.

Security is a joint effort between you and the CSP. Because your organization is only as secure as its weakest link, user error will often be the cause of security breaches. Therefore, it is wise to take precautions and create your own security measures.

How the types of cloud impact security

Where a cloud is hosted and to whom it is distributed is what categorizes it as either a public or a private cloud.

The primary types of clouds are:

  • Public clouds: An off-site third party sells multi-tenant cloud services. Advantages include scalability, flexibility, and higher-quality infrastructure. Potential drawbacks include paying for resources caused by unoptimized data storage, increased IT skill requirements, and decreased security due to multiple tenancy caused by having many users on the same database separated only by virtualization.

  • Private clouds: Private clouds are typically utilized through on-premises architecture to host a single tenant environment. Private clouds may be utilized when public clouds offer insufficient data governance.

    A potential vulnerability is created by hosting your data center on-site in the form of your hardware being breached, stolen, or otherwise compromised. Additionally, IT administrators must be capable of building and maintaining the cloud environment. Notable benefits of private clouds are customization of software, hardware, etc., and single tenancy: an isolated network is more secure.

  • Hybrid clouds: Hybrid clouds have the benefits of both a public cloud and a private cloud in addition to enhanced flexibility. For example, as performance or computational needs fluctuate, the private cloud could be migrated to a public cloud until the need for additional resources subsides. However, because multiple clouds are in use, managing performance, security, and data can overburden IT administrators.

How secure cloud storage works

CSPs have many tools aimed at boosting security.

Standard practices include the following:

  • Constant surveillance of software vulnerabilities and data centers, including physical monitoring. While physical security watches for would-be intruders, cybersecurity teams react to virtual threats and lock down breaches. Software developers regularly patch known points of failure and are on the lookout for those yet undiscovered.

  • Regular backups of your data allow for restoration of deleted data, reduce the efficacy of ransomware, and are the best defense against catastrophic failure events.

    The 3-2-1 rule suggests that you should have three copies of data stored on two forms of media with one being off-site. Public clouds typically have integrated backup services to maintain high availability, including backups on off-site data centers. Private cloud providers will have to create dedicated infrastructure for a data center or use a third-party service to back up their data.

  • Cloud services are responsible for data transmitted between their services and typically utilize end-to-end encryption to provide basic protections. Because of the shared responsibility model, however, organizations should add encryption to their security procedures to ensure data is protected in-transit, in-use, and at-rest.

  • User tools boost the client’s ability to secure how the cloud is accessed. Multi-factor authentication and geo-fencing better control who has permission to use the cloud. Data filtering and user audit logs enhance IT administrators’ abilities to monitor cloud activity.

Despite security measures offered by CSPs, users must take responsibility for their own security.

It is estimated that 99% of breaches will be caused by user error. For example, the use of software, applications, and information without the approval of the IT department, also called shadow IT, led to 42% of organizations being compromised during the pandemic.

Simultaneously, 25% of security teams had decreased resources to manage these attacks. The unfortunate result is that 76% of security leaders see breaches as an inevitability.

What can you do to mitigate breaches? Here are our top five security tips to keep your data safe.

Five ways to enhance your cloud storage security

While many safety features are built into cloud storage services, organizations are responsible for the security of what is under their direct control: namely, data, applications, and access controls. Follow this advice to stay ahead of would-be hackers:

  • Identify and reinforce weak spots in the cloud infrastructure. User errors such as misconfigurations create unauthorized access points, and the use of a vulnerable application programming interface (API) could enable successful denial-of-service (DoS) or code injection attacks. These vulnerabilities can be identified through penetration testing, which pits hacking tools and techniques against your cloud security.

  • Have and enforce a cloud security policy for how to use the cloud safely. This policy will determine what can be uploaded to the cloud, who has permission to make significant decisions, and responses to various threats or data breaches. Having a standardized response enables quick reactions in time sensitive situations.

  • Use multi-factor authentication (MFA) to add extra layers of safety to user accounts by increasing the required factors to gain access. Commonly used factors include unique knowledge, possession, or inherence. A password, a mobile authenticator on your phone, and a fingerprint scan are examples of these factors, respectively.

  • Transmit only encrypted data to and from the cloud. Unencrypted data has no protection against interception, so it is good practice to encrypt data at-rest, in-use, and in-motion.

  • Maintain up-to-date backups of your data using the 3-2-1 strategy to ensure recovery in the case of ransomware and equipment failure. Having backups that are not isolated from the hardware or network reduces their efficacy.

How WinZip Enterprise protects your files

Enabling your teams to collaborate, protecting sensitive data, and enforcing security protocols are all part of the WinZip Enterprise solution for cloud security needs.

WinZip Enterprise integrates with cloud storage services such as Google Drive, Microsoft 365, and Amazon S3 to keep your data secure.

With file-level encryption, in-transit and at-rest files on a stolen work device are secure.

FIPS 140-2 compliant AES encryption makes WinZip Enterprise a bank and military-grade bastion of file defense. AES encryption can be used with 128-, 192-, or 256-bit keys to ensure your data protection is customized to your needs.

Automated secure file backup uses automatic endpoint backups to enable the restoration of files which might otherwise be lost. Meanwhile, data compression minimizes granular, pay-as-you-go public cloud storage costs.

Secure enterprise file transfer upholds file integrity through encryption, which prevents data loss caused by tampering from cyberattacks.

Explore how WinZip Enterprise can help companies like yours protect files stored in the cloud.

3 Cloud Storage Security Risks That Make Companies Vulnerable


Cloud storage gives us the ability to store, transmit, and access data on remote systems by means of a network, usually via an internet connection. This virtualized storage infrastructure is managed by the cloud provider, eliminating the need for businesses to store and maintain data on local servers and drives.

While cloud service providers typically offer built-in security features such as encryption, these features alone are not enough to eliminate risk. Therefore, it is important for organizations to understand cloud storage security risks and the importance of data privacy.

In this article, we examine the top cloud storage security risks for business and how solutions such as WinZip® Enterprise can further protect your company’s data.

The Importance of Cloud Data Privacy

Regardless of their size or industry, all companies must take cloud data privacy seriously. The policies, strategies, and solutions an organization implements are fundamental to safeguarding data from loss, theft, or compromise.

Cloud storage relies on housing data in logical pools across multiple servers, all of which are connected over a network. This network (i.e., the internet) is what enables authorized users to access the files.

The appeal of cloud storage is the ability to access business data anywhere, at any time. However, this ease of access can also increase security risks. For example, employee error is responsible for more than 40% of security violations in cloud storage platforms, so it is important to ensure that both your company and your cloud storage vendor have the proper measures in place.

The ultimate responsibility for securing data stored in the cloud is shared by the organization and the cloud storage vendor. In this shared responsibility model, the vendor might be responsible for protective measures such as data backup and recovery. Your company, meanwhile, would be responsible for elements such as setting security rules for network controls (e.g., a firewall) and implementing customized access controls:

  • Network controls. If your company uses a firewall, for example, you are responsible for setting security rules and ensuring its proper configuration.

  • Credentials. Defining who can access what cloud data and resources is your organization’s responsibility, including encryption keys, passwords, access controls, and more.

  • Configurations. Configuration settings give users greater control over the cloud environment. However, 99% of cloud security failures are attributed to misconfigured settings, so environment configuration must be carefully managed to enforce proper security policies.

3 cloud storage security risks for businesses

Storing data in the cloud ensures that it is protected against physical loss or damage. For all its benefits, however, there are cloud storage security risks that could impact your organization. To create and maintain a secure environment for your data, it is important to be aware of the following three challenges.

1. Misconfigurations

Misconfigured cloud storage settings are often the result of errors, oversights, and poor configuration choices. These misconfigurations are a leading cause of data breaches, and experts estimate that through 2025, more than 75% of cloud attacks will be caused by cloud user misconfigurations.

The risk posed by user misconfigurations rests on the cloud storage user or their organization, not the service provider. Misconfiguration issues often occur when teams try to streamline internal processes. For example, if access settings are loosened enough to give anyone in the organization access to stored data, this also increases the attack surface for would-be cybercriminals. While an organization might open up permissions in order to reduce the administrative burden on the IT department, doing so puts data at an increased risk of unauthorized exposure.

2. Web Application Vulnerabilities

Companies use web apps for a number of purposes, such as conducting transactions with customers or facilitating collaboration among coworkers. However, if these applications are deployed without sufficient security protections, your confidential data may be at risk.

In the past five years, more than half of reported major security incidents were found to be connected to web application security vulnerabilities. These vulnerabilities open the doors to security risks such as denial of service attacks, malware infections, and brute force attacks. Web application security issues also take longer to detect than other events, with an average time to discovery of 254 days for web app exploitation incidents.

3. Insufficient Access Controls

Human error is a leading cause of cybersecurity issues, which is further exacerbated if you do not have proper controls in place for the cloud storage environment. This is why unauthorized access remains a key cloud threat, coming in second only to misconfigurations.

Without an access control list, organizations will struggle to protect their data and access credentials. It is also important to review access controls regularly, switching off credentials for employees who no longer need access to certain files or systems.
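The periodic access review described above, together with the over-broad grants discussed under misconfigurations, can be run as a simple check over an ACL export. This is an added example, not WinZip code; the roster, the grant list, the group names, and the 90-day idle limit are all constructed assumptions.

```python
from datetime import date

# Constructed sample data: current staff and the resources each role needs.
ROSTER = {
    "alice": {"finance-reports", "payroll"},
    "bob": {"marketing-assets"},
}
# Constructed ACL export: (principal, resource, last_used)
GRANTS = [
    ("alice", "payroll", date(2023, 5, 30)),
    ("alice", "marketing-assets", date(2023, 5, 2)),
    ("bob", "marketing-assets", date(2022, 11, 1)),
    ("carol", "finance-reports", date(2023, 1, 15)),
    ("all-staff", "payroll", None),
]
BROAD_PRINCIPALS = {"all-staff", "everyone"}  # assumed names of catch-all groups


def review_grants(grants, roster, today, max_idle_days=90):
    """Return (principal, resource, reason) for each grant to switch off or re-approve."""
    findings = []
    for principal, resource, last_used in grants:
        if principal in BROAD_PRINCIPALS:
            reason = "organization-wide grant"
        elif principal not in roster:
            reason = "principal not on current roster"
        elif resource not in roster[principal]:
            reason = "not required by current role"
        elif last_used is None or (today - last_used).days > max_idle_days:
            reason = "unused beyond idle limit"
        else:
            continue  # grant is needed, in use, and narrowly scoped
        findings.append((principal, resource, reason))
    return findings


if __name__ == "__main__":
    for finding in review_grants(GRANTS, ROSTER, today=date(2023, 6, 1)):
        print(finding)
```
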

How WinZip Enterprise Mitigates Cloud Storage Security Risks

The cloud offers organizations plenty of advantages, but it also comes with its own security risks and concerns. Different cloud storage platforms offer varying levels of security, and it is important to determine exactly how a particular provider addresses privacy and security concerns before deciding which cloud storage vendor to work with.

For example, while most cloud storage providers leverage encryption to keep data safe, you need to assess the availability of advanced encryption protocols. Does the cloud provider use encryption only on data that is at rest, or is data also encrypted in transit between datacenters, servers, storage, and end user devices?

To protect data in all its states, organizations can leverage solutions such as WinZip Enterprise. It uses powerful AES encryption that safeguards data when it is at rest, in transit, and in use. When you are ready to back up files to cloud storage, WinZip Enterprise makes it easy to compress and upload files to make the most of your storage space.

While a cloud provider’s terms of service agreement may offer insights about the general data protections offered, most lack specific details related to cloud storage security. For example, the agreement may not address what specific protections are used and how they are implemented, as well as what steps are taken following a data breach or security breakdown.

WinZip Enterprise integrates with several leading cloud storage systems, giving your organization secure data management on any cloud storage platform. It also gives IT administrators centralized control over data, including the ability to customize security, sharing, and backup policies.

Learn more about how WinZip Enterprise can protect your business from cloud storage security risks.

The best alternatives to Box enterprise key management


Cybercrime is escalating. The cost of cybercrime is estimated to reach $10.5 trillion annually by 2025, making it more profitable than the global illegal drug trade. If it were a country, that would make cybercrime the world’s third-largest economy.

In their efforts to combat the increasing attacks, cloud service providers like Box (with their Box KeySafe solution) are helping companies protect their data with enterprise key management.

Experts agree that successful enterprise key management is critical to regulatory compliance and security for companies.

Just think about all the different kinds of data and devices your business might have in numerous locations and you can begin to understand why enterprise key management is absolutely essential to data security.

In this article, we will discuss how enterprise key management works, the role it plays in ensuring that your organization’s data is both accessible and secure, and how to evaluate the data encryption needs of your company.

What is enterprise key management and how does it work?

There are vulnerabilities that come with every aspect of your organization’s approach to handling data. That’s why the National Institute of Standards and Technology (NIST) recommends that any data that requires confidentiality protection should be encrypted to prevent unauthorized persons from accessing it.

Encryption takes data that you want to protect (called plaintext) and passes it through an encryption algorithm (a mathematical calculation called a cipher) that transforms it into an unreadable, secret code (called ciphertext).

A cipher includes a variable value, called a key, that allows a cipher to output unique ciphertext each time.

A key is such an important part of an encryption algorithm that the key is kept secret, not the algorithm. Robust encryption algorithms are designed so that even if someone knows the algorithm, it’s impossible to decipher the ciphertext without knowing the key.

Decryption of the encrypted data requires that key to convert the scrambled information back to its original, readable form.

Even if some unauthorized entity gains access to the encrypted data, the intruder has to guess:

  • Which cipher the sender used.
  • Which keys were used as variables.

The time and difficulty required to determine this information is what makes encryption so difficult to crack and such a valuable security tool.

Of course, when you consider the enormous amount of company data that needs to be protected and encrypted, shared amongst employees, and decrypted safely by supplying the proper keys to the employees with the proper permission access, you begin to realize the massive number of keys required on an ongoing basis.

Furthermore, an enterprise might use several dozen different, possibly incompatible encryption tools, resulting in thousands of encryption keys. Each key has to be securely stored, protected, and accessible.

Enterprise key management is about organizing and storing your keys in a central location and securely managing the lifecycle of your keys, from generation to destruction. The steps of that ongoing, iterative process include:

  • Key generation.
  • Key distribution and registration.
  • Key storage and backup.
  • Key deployment and usage.
  • Key recovery (or re-keying).
  • Key revocation and archiving.
  • Key de-registration.
  • Key destruction.

The importance of encryption key management for proper security is paramount. Unless the encryption keys are carefully monitored, unauthorized parties can gain access to them.
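The lifecycle steps listed above can be enforced in code so that a key is only usable in the right stage. The sketch below is an added example, not WinZip or Box code; the `KeyRegistry` class, its state names, and the policy that revoked keys may still decrypt archived data are assumptions made for illustration.

```python
import secrets
from enum import Enum, auto


class State(Enum):
    GENERATED = auto()
    REGISTERED = auto()
    STORED = auto()
    ACTIVE = auto()        # deployed and in use
    REVOKED = auto()       # revoked and archived: old data stays readable
    DEREGISTERED = auto()
    DESTROYED = auto()


ORDER = list(State)        # a key may only move to the next state in this order
# Assumed policy: which states may serve which purpose.
ALLOWED = {"encrypt": {State.ACTIVE}, "decrypt": {State.ACTIVE, State.REVOKED}}


class KeyRegistry:
    def __init__(self):
        self.keys = {}     # key_id -> [state, bytearray of key material]
        self.audit = []    # (key_id, event) tuples, in order

    def generate(self, key_id):
        if key_id in self.keys:
            raise ValueError(f"{key_id} already exists")
        # 32 random bytes from the OS CSPRNG, i.e. a 256-bit key
        self.keys[key_id] = [State.GENERATED, bytearray(secrets.token_bytes(32))]
        self.audit.append((key_id, "GENERATED"))

    def advance(self, key_id, target):
        state, material = self.keys[key_id]
        if ORDER.index(target) != ORDER.index(state) + 1:
            raise ValueError(f"{key_id}: {state.name} -> {target.name} not allowed")
        if target is State.DESTROYED:
            # Best-effort overwrite of the registry's copy of the key.
            material[:] = bytes(len(material))
        self.keys[key_id][0] = target
        self.audit.append((key_id, target.name))

    def activate(self, key_id):
        for target in (State.REGISTERED, State.STORED, State.ACTIVE):
            self.advance(key_id, target)

    def material_for(self, key_id, purpose):
        state, material = self.keys[key_id]
        if state not in ALLOWED[purpose]:
            self.audit.append((key_id, f"DENIED {purpose}"))
            raise PermissionError(f"{key_id} is {state.name}; {purpose} refused")
        return bytes(material)

    def rekey(self, old_id, new_id):
        """Re-keying: bring up a replacement key, then revoke the old one."""
        self.generate(new_id)
        self.activate(new_id)
        self.advance(old_id, State.REVOKED)
```

The audit list records every refused request, which is the monitoring signal the paragraph above calls for.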

The importance of organizational data security

Cybersecurity statistics and data trends show an alarming rise in data breaches, hack attacks, and malicious campaigns.

A cyberattack is an attack on your enterprise with the goal of disrupting, disabling, destroying, or maliciously controlling your computing infrastructure, or of causing a data breach (the intentional theft or destruction of confidential information).

The Ponemon Institute’s 2021 Data Breach Report states that data breaches in the US cost an average of $4.24 million. But the many repercussions of a data breach can also include:

  • Reputation damage. Companies can spend hundreds of thousands of dollars to rehab their brand image after a data loss.

  • Productivity disruption. Lost files can cause days or weeks of employee downtime and lost sales.

  • Legal issues. In some cases, data exposure can lead to regulatory fines. For example, violations of the General Data Protection Regulation (GDPR) can cost up to 4% of a company’s previous year’s revenue.

  • Loss of customer loyalty. In the US, 83% of consumers claim they will stop spending with a business after a security breach.

Yet, even with all that potential for serious damage, many companies are not protecting themselves as robustly as you might think.

Protection against evolving threats

Too many companies still rely on off-the-shelf, consumer-grade solutions in the face of growing threat levels. For example, in 2021, almost every category of cyberattack increased in volume:

  • There were 10.1 million encrypted threat attacks (a 167% increase).

  • While malware attacks decreased at the start of 2021, they surged in the latter half of the year for a total of 5.4 billion incidents.

  • There were 623.3 million ransomware attacks (a 105% increase).

  • There were 97.1 million cryptojacking attacks, the most ever recorded in a single year and a 19% volume increase from the previous year.

  • There were 5.3 trillion intrusion attempts made against systems (an 11% increase).

The growing threat level demands a comprehensive data protection and security strategy. This includes adhering to best practices for encryption, encryption key management, and data backups as well as using the right tools to ensure that your company’s valuable data cannot be corrupted or compromised by unauthorized individuals.

Finance, healthcare, telecom, government—no sector is immune. Too many enterprises are still relying on solutions that may not be sufficient to protect against the increasing number and heightened level of cybersecurity threats.

It has become all too common to read about serious data breaches in the news:

  • Over $30 million looted. Hackers broke into blockchain wallets on crypto.com and made off with roughly $18 million in Bitcoin and $15 million in Ethereum, as well as other cryptocurrencies.

  • Healthcare company’s data breached; company closes. Salusive Health (aka myNurse) says the exposed information potentially included demographic, clinical, and financial information.

  • Personal information of 48 million exposed. T-Mobile confirmed that customers who had applied for credit had sensitive information stolen—including first and last names, Social Security numbers, dates of birth, driver’s license, and ID numbers.

  • Government data breach of US defense and technology firms. Chinese hackers stole passwords from US firms working with the federal government in order to steal critical information about defense technology contracts.

Growing cybersecurity threats in 2022 and beyond

Hackers are increasing the frequency and magnitude of their cyberattacks, and here’s how:

  • Gartner predicts that by 2025, a security breach will result in the shutdown of operations for 30% of critical infrastructure organizations.

  • Global cybercrime costs are expected to grow by 15% per year over the next five years, reaching $10.5 trillion annually by 2025.

  • Ransomware will cost victims around $265 billion annually by 2031.

  • Cryptocurrency crime is predicted to cost the world $30 billion in 2025.

It’s clear that every organization requires encryption to secure data, improve compliance with privacy regulations, and reduce the chances of confidential information being leaked or hacked. But is all enterprise-level encryption created equal?

How to evaluate data encryption solutions

The data encryption solution you choose for your enterprise should follow the same principles you would use for assessing almost any technology before deploying it. It needs to:

  • Be able to integrate with your operating systems, services, and processes.
  • Be able to scale with your organization’s infrastructure.
  • Be able to comply with your industry’s standards and regulations.
  • Be able to encrypt data stored on different cloud servers managed by various providers, file servers, and platforms.

Furthermore, it’s essential to pay attention to the encryption methods you choose. The current highest standard is the AES (Advanced Encryption Standard) with a key length of 256 bits. WinZip® Enterprise offers 256-bit AES and direct integration with your accounts on Box (as well as Dropbox, Google Drive, MediaFire, OneDrive, SugarSync, CloudMe, and ZipShare).

WinZip Enterprise also combines that with industry-leading compression, sharing, and management in one powerful, customizable solution. With centralized IT control, it is easy to deploy and enforce security policies across your organization.

Learn how WinZip Enterprise provides simple and secure data encryption at the enterprise level.


Copyright ©2023 Corel Corporation. All Rights Reserved. WinZip is a Registered Trademark of Corel Corporation