Warning: Businesses can get addicted to the cloud. It might start with a small experiment; just one application and no critical data. Next, scattered employees start messing around in the cloud, shadow IT-style. In the end, all your data has gone cloudy!
Even if a company only uses SaaS applications, it could conceivably achieve such significant efficiency gains that it will never go back. On the other side of the spectrum, once developers taste the freedom of infrastructure as code (IaC) in the cloud, they never relinquish it. Before you know it, all commercial secrets—all your customers’ data, business partners’ data, personally identifiable information (PII) and transaction records—are in the cloud, too.
Security specialists see such cloud migrations as a perfect storm. Most had to work extremely hard to control their traditional infrastructure; suddenly, they need to worry about cloud and modern application infrastructure, which brings new operational models and a new technology stack.
Cloud data protection is one of the largest and most complicated areas of cybersecurity. Why? Much of the complexity comes down to continuous data discovery, classification and isolation. Cybersecurity could mean completely different things for different organizations, depending on their industry, type of data, applicable regulations and risk tolerance.
The Ask: Protect Cloud Data
“Protect data in the cloud!” businesses ask. It seems simple enough. Obviously, companies want to avoid financial losses in the event of a data breach. But what might be more important is the need to build customer trust, protect brand reputation and secure confidential data. After all, data protection is connected to revenue.
There are many correlations between protecting company data and building a holistic information security program. Consider the traditional CIA triad of security: confidentiality, integrity and availability. Data protection concerns not only the confidentiality of data but also its integrity and availability.
Cloud data security can only be discussed in the context of the overall security program. For example, data protection relies on robust identity and access management to authenticate the user and authorize access.
What Customers Mean When They Say, ‘Protect My Data!’
When customers ask for data protection, they might mean data security, or data privacy, or both. Data privacy is concerned with the proper handling of data—consent, notice, regulatory obligations, aspects of sharing PII and regulations such as GDPR and CCPA. Data security focuses on data integrity, protection from unauthorized access and confidentiality throughout its life cycle. Data privacy and data security overlap considerably, especially as it relates to data discovery, classification and security controls.
How Do You Begin?
What’s the smart approach to cloud data protection? We follow a three-step process:
- First, we assess the current state of the data protection security program for the cloud and perform the data discovery phase:
  - Discover data.
  - If a data classification does not exist, we create one at a high level.
  - Identify the customer’s threat profile, risks, tolerance and applicable regulatory requirements.
- Second, we build a tailored roadmap that looks at the short-, mid- and long-term. We think about what kind of protection mechanisms we can implement without putting too much friction into their regular business processes.
- Finally, we execute the roadmap, monitor and continuously improve the data security program.
How Do You Protect the Data?
What about you? How do you begin the process of protecting data in the cloud? The first step involves learning the basic building blocks of cloud data security.
If you can avoid storing data at all—and in many cases, this is possible—then you should do so. A few examples:
- Where applicable, use data anonymization and obfuscation.
- Do not store production data in lower-security environments, such as development or quality assurance.
- Avoid storing data on local machines or sending data unnecessarily to third parties. Use centralized and standardized data-sharing solutions instead; this will be easier for users and more secure.
- Don’t store credit card information, PII or financial information. You can store external references if necessary, but avoid storing this data itself.
- In the case of credit cards, use third-party payment services to avoid PCI exposure and its attendant rigors.
Also, you need to control and optimize data flow and usage:
- Standardize your SaaS applications. Companies offer multiple collaboration tools and data-sharing tools. The best-case scenario is to use one tool per need and to avoid multiple, duplicate solutions.
- Many companies implement cloud access security broker (CASB) solutions. CASB solutions help provide data protection, control access, auditing, authentication, enforcement, shadow IT and monitoring functions for all types of devices and across all clouds from a single access point.
- Oftentimes, a coarse-grained solution will work. But if you need a fine-grained data protection solution with centralized rules and identity access checks, you might need a specialized data protection solution. Normally this kind of solution is based on vaultless tokenization technology.
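The two lists above come down to one rule: never hold more sensitive data than a given environment needs, and replace what you must keep with a keyed token rather than the original value. The following is an added example, not code from the original post or from any tokenization product: it pseudonymizes e-mail addresses with an HMAC (deterministic, so joins still work, and vaultless, since there is no lookup table), drops card numbers entirely before a record reaches a lower environment, and runs a Luhn-filtered check so that a record containing a card number cannot slip through. The record fields, the sample values and the `PSEUDONYM_KEY` constant are constructed for the example; a real deployment would fetch the key from a secrets manager or KMS. Note that HMAC pseudonyms are one-way, unlike the format-preserving tokens of a commercial vaultless tokenization product, which is exactly what analytics and development copies usually want.

```python
import hashlib
import hmac
import json
import re

# Constructed sample records (fictional values, not real customer data).
RAW_RECORDS = [
    {"customer_id": 1001, "email": "Alice@example.com",
     "card_number": "4111111111111111", "amount": 42.50},
    {"customer_id": 1002, "email": "bob@example.com",
     "card_number": "5500000000000004", "amount": 9.99},
]

# Assumption: in production the key lives in a secrets manager or KMS and is
# never in source code. The constant exists only so the example runs stand-alone.
PSEUDONYM_KEY = b"example-only-key-replace-with-kms-backed-secret"


def pseudonymize(value: str, key: bytes, domain: str) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256).

    The same input under the same key always maps to the same token, so records
    can still be joined, and there is no lookup table to protect (vaultless).
    The mapping is one-way: it cannot be reversed to recover the original value.
    The domain prefix keeps an e-mail token from colliding with, say, a phone token.
    """
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"tok_{domain}_{mac[:24]}"


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit runs of card-number length (13-19) that pass the Luhn check."""
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_valid(m)]


def minimize_record(record: dict, key: bytes) -> dict:
    """Build the copy a lower environment may hold.

    The e-mail becomes a pseudonym, the card number is removed (only the last
    four digits survive, which is not a PAN), and everything else is kept.
    """
    out = {k: v for k, v in record.items() if k not in ("email", "card_number")}
    out["email_token"] = pseudonymize(record["email"].strip().lower(), key, "email")
    out["card_last4"] = record["card_number"][-4:]
    return out


def minimize_all(records: list[dict], key: bytes) -> list[dict]:
    """Minimize every record and refuse to emit output that still carries a PAN."""
    minimized = [minimize_record(r, key) for r in records]
    leaked = find_pans(json.dumps(minimized))
    if leaked:
        raise ValueError(f"minimized output still contains {len(leaked)} card number(s)")
    return minimized


if __name__ == "__main__":
    for row in minimize_all(RAW_RECORDS, PSEUDONYM_KEY):
        print(row)
```

The final PAN scan is the important design choice: minimization is enforced by checking the output, not by trusting that every code path remembered to strip the field. Rotating `PSEUDONYM_KEY` changes every token, so key rotation must be planned together with any downstream joins that depend on token stability.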
Encryption is very important, but enforceable only with automation in a continuous cloud security program.
Piggyback on Existing Cloud Security Programs
Fortunately, there’s help available. Although companies often focus on data as their most important asset, they need to take into account security controls from all other domains, as they directly affect data security. Cloud hygiene in configuration management is particularly important. Automated data protection controls are a subset of this.
Here are a variety of ways you can hop onto existing cloud security programs:
- Data protection is part of the CIS benchmarks, which cover, for example, configurations for encryption at rest and in transit.
- Encrypt before you store or transfer, right where you collect.
- Remember that your key management solutions will need to be vetted. Encryption is useless if keys are hardcoded or, say, exposed in source code. Manage keys on your own; don’t delegate (for instance, use customer-managed CMKs in AWS).
- Identity and access management (IAM) will help protect your data by denying or allowing access when necessary, and controlling who can decrypt the data and access your keys in your KMS.
- Cloud configuration management is important because configuration weaknesses will increase the risk of exposing your data.
- Security monitoring and auditing play a significant role in protecting data; the same goes for backup and data retention systems.
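The list above only pays off when the checks run automatically and continuously, as the post says of encryption. The following is an added example, not code from the original post and not a CIS benchmark implementation: it evaluates a constructed, normalized inventory of storage resources against five hygiene rules drawn from the list (encryption at rest, a customer-managed rather than provider-managed key, blocked public access, TLS required in transit, and a key policy that does not let any principal decrypt). The inventory field names and the `DP-n` rule identifiers are this example's own; a real checker would populate the inventory from the cloud provider's inventory and key-management APIs and would map its rules to the benchmark's numbering.

```python
# Constructed, normalized inventory of cloud storage resources. The field names
# are this example's own (not an AWS or CIS API shape); a real checker would fill
# them from the provider's inventory and key-management APIs. The account id and
# role name are placeholders.
INVENTORY = [
    {
        "name": "customer-exports",
        "encryption": {"type": "kms", "key_manager": "customer"},
        "public_access_blocked": True,
        "tls_required": True,
        "key_decrypt_principals": ["arn:aws:iam::111122223333:role/exports-reader"],
    },
    {
        "name": "dev-scratch",
        "encryption": None,               # nothing configured at all
        "public_access_blocked": False,
        "tls_required": False,
        "key_decrypt_principals": None,   # no key, so no key policy
    },
    {
        "name": "analytics",
        "encryption": {"type": "kms", "key_manager": "provider"},
        "public_access_blocked": True,
        "tls_required": True,
        "key_decrypt_principals": ["*"],  # any principal may decrypt
    },
]


# Each rule returns (rule_id, message) for a failing resource, or None.
# Rule ids are labels local to this example, not CIS benchmark numbers.
def rule_encrypted_at_rest(res):
    if res["encryption"] is None:
        return ("DP-1", "no encryption at rest configured")


def rule_customer_managed_key(res):
    enc = res["encryption"]
    if enc is not None and enc.get("key_manager") != "customer":
        return ("DP-2", "key is provider-managed; use a customer-managed key you control")


def rule_public_access_blocked(res):
    if not res["public_access_blocked"]:
        return ("DP-3", "public access is not blocked")


def rule_tls_required(res):
    if not res["tls_required"]:
        return ("DP-4", "encryption in transit is not enforced (TLS not required)")


def rule_key_policy_not_open(res):
    principals = res["key_decrypt_principals"]
    if principals is not None and "*" in principals:
        return ("DP-5", "key policy grants decrypt to any principal")


RULES = [
    rule_encrypted_at_rest,
    rule_customer_managed_key,
    rule_public_access_blocked,
    rule_tls_required,
    rule_key_policy_not_open,
]


def evaluate(inventory):
    """Map each resource name to its list of (rule_id, message) findings."""
    findings = {}
    for res in inventory:
        findings[res["name"]] = [f for f in (rule(res) for rule in RULES) if f]
    return findings


def failing_resources(findings):
    """Sorted names of resources with at least one finding (for a gate or alert)."""
    return sorted(name for name, items in findings.items() if items)


if __name__ == "__main__":
    for name, items in evaluate(INVENTORY).items():
        status = "OK" if not items else f"{len(items)} finding(s)"
        print(f"{name}: {status}")
        for rule_id, message in items:
            print(f"  {rule_id}: {message}")
```

Running the checker on every deployment, and again on a schedule against the live inventory, is what turns the list into an enforced control: a resource that drifts (a key policy widened, a public-access block removed) shows up as a new finding rather than waiting for the next audit. `DP-2` and `DP-5` are skipped when a resource has no key at all, so a missing key surfaces once, as `DP-1`, instead of three times.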
A Safer Cloud
It’s natural for your organization and your colleagues to get hooked on the real benefits the cloud brings, and it’s natural that they’re not thinking exclusively about safety. This brief post won’t make your cloud data entirely secure—nothing can do that—but it might help create the right mindset for improving security. Data protection in the cloud is not as scary as it sounds. Establish, execute and continuously improve a cloud data protection program to reduce risks and protect your data.
Kiryl Schukin, senior solution architect at EPAM Systems, Inc., co-authored this piece.