Understand that you are most vulnerable to a "man in the middle" attack vector, said Kyle Kennedy, CTO of STEALTHbits Technologies.
"The sad part is that when this happens everyone will blame the service provider even though it's typically the fault of a careless employee at a an organization consuming the service who either decided to use his infected home machine to interact with the company's data, or the individual that foolishly clicked a hyperlink that results in malware being installed on his business machine.
Don't stop reminding employees and partners of the risks
The best way to counter the risk of these attacks is an extensive and ongoing social engineering education campaign with employees and partners. "Make sure everyone knows that an authorized tech will never ask for things such as passwords," according to Andy Pace, Chief Operating Officer of SingleHop. "Also employees should know not to access your CRM through emails from unidentified senders."
Know that protecting the data is more efficient than protecting the boundary/container
Given the propagation of data in business workflows, protecting the data itself over its lifecycle protects it from advanced threats, says Trish Reilly, who handles cloud product marketing for Voltage Security.
"Containers only protect data at rest -- which only shields the data from a very narrow set of threats. In today's cloud, advanced threats attack data in use, in motion, and at rest -- which points to using a continuous data-centric approach to mitigate them."
Encrypting the data at the container has value if used as a means to protect it in the event of media removal, theft, recycling, she continued. "If the concern is to protecting data and its movement (or unknown movement) then encrypting higher up -- at the application layer through a data-centric approach -- is safer," she said.
Choose encryption wisely
With the rush to protect data in the cloud, many solutions have emerged that make serious trade-offs with security, such as enabling searching and sorting by weakly encrypted data, Reilly also noted.
Enterprises need to choose vendors that have validated, secure methods with independent validation, she said.
Have clear auditing and visibility in place
Administrations need to have a clear understanding of who performed which action, when, from where, using what device, says Boris Gorin, head of Security Engineering for FireLayers.
"This is critical to detect any abnormal behavior, like, say, an "administrator" logging in from China in the middle of the night, as well as conduct forensic investigation in case any potential or actual breach is suspected."
Think "need to access"
Make sure each user only has access to the information they need. This will limit exposure of customer information.
Sign up for Computerworld eNewsletters.