DataSecOps: Protecting Data in the Cloud

DataSecOps melds an automated mechanism to manage data, along with security, in an effective operations setup

Data is the backbone of any organization. It’s what makes the company run. It is also where all the company secrets are kept.

But when data analysts began to engage with IT, there was conflict: Whose role came first?

“Because data is responsible for business profitability, data analysts had priority,” explained Ameesh Divatia, co-founder and CEO of cloud data protection company Baffle. “But IT pushed back, warning that you can’t reveal all of your data in an environment you don’t control, in the cloud.”

The pushback was to develop an automated mechanism to manage data, along with security, in a good operations setup. The result was DataSecOps, where data analytics meets DevOps.

Critical for the Shift to the Cloud

Gartner predicted public cloud adoption to increase by 17% in 2020, and the pandemic put an even greater emphasis on the importance of cloud computing.

“The expectations of the outcomes associated with cloud investments therefore are also higher. Adoption of next-generation solutions are almost always ‘cloud-enhanced’ solutions, meaning they build on the strengths of a cloud platform to deliver digital business capabilities,” said Sid Nag, research vice president at Gartner, in a formal statement.

The obstacle in this shift to the cloud, Divatia said, is security. “The data analysts want to analyze data quickly, but security said, no, not until you protect the data.” This, then, becomes the perfect use case for DataSecOps. “You have data that is generated—whether it is in the field, in a data center or even in the cloud—and it needs to be moved into the analytics domain where you have applications querying that data.”

Why DataSecOps Should Be the Next Big Thing

By 2022, Gartner anticipates 75% of all databases will be in the cloud. Traditionally, databases have been very secure because so few people have access to them and they were all on-premises. “Now you take them to cloud and you are behind a URL,” Divatia said, “and that creates a huge vulnerability.” It opens the opportunity for cloud misconfigurations, which is the cause of the vast majority of cloud-based data breaches. There is greater access to these databases and less understanding of how to operate in a cloud environment versus on-premises. This has led to 70% of companies to deal with a breach in a public cloud. Many of these breaches are because access is left open and unprotected.

DataSecOps can protect structured data by integrating security into the migration process. Rather than encrypting the data when it enters the cloud, DataSecOps ensures it is encrypted before it leaves the company’s firewall protection. That’s the Ops part. The security part is assigning a key to specific columns, allowing permitted access to the database but the overall data is never decrypted. So if there is a hack on the database, the stolen data is useless to the hacker.

Best Practices for DataSecOps

For the most effective DataSecOps process, Divatia offered his list of best practices:

• Discovery. This should always be the first step in the process, he said: knowing what sensitive data you have and how to identify it. Now that there is a compliance angle to data protection, putting a value on each piece of data is even more important.
• Create policies associated with that data. Each person generates a lot of data, but the data attributes aren’t equal. Social Security numbers require higher levels of protection than a birth date, for instance. Each data field should be assigned a policy based on the level of security needed.
• Integrate security into the migration process. Before the data moves, add de-identification so if compromised, the data is useless.
• Create overall data policies around authentication. Only authorized users should ever be allowed to access the data.
• Make sure you track access. Not only should you limit access, but you also need to monitor the access of the data to ensure to verify that no unauthorized users or outside entities are trying to get into the database.

Why deploy DataSecOps? It comes down to cloud service provider policies. “Cloud service providers will provide the physical security of the cloud,” Divatia said. But data security within the cloud is up to the client, and they need to take responsibility for protecting it. DataSecOps and its data-centric protections make sure the data remains secure in the cloud.