There can be no doubting that the cloud is no longer the future but rather the present for an ever-increasing number of organizations. Driven by factors such as digital transformation, operational efficiency, agility and cost savings, the cloud has proved to be something of a business no-brainer. Unfortunately, when it comes to data security in the cloud all too often a no-brain, or at the very least too little thought, approach also appears to have been adopted. Yet as increasing volumes of high-value data continue to hit the cloud, it really doesn't have to be this way. Protecting data in the cloud isn't rocket science and just getting a few basics of security hygiene right is all it takes to dispel the myth that data security and the cloud are somehow conflicting concepts once and for all.
What is meant by data security? That's not such a silly question as you might think, nor is the answer as obvious as you'd first imagine. Indeed, defining data security is core to your ability to keeping any data in the cloud safe. All too often there is a tendency to over-think the process of data security in the cloud when actually it's a pretty straightforward concept. You will have no doubt already got your off-cloud, on-premise, data security strategy sorted and all you need to do is apply the same thinking to the off-premise, in-cloud data. Which means protecting the data from unauthorized access, from unauthorized modification and from threats as diverse as malicious denial of service attacks (unavailability of data has to be a security issue) to accidental acts by members of staff.
The classification conundrum
The starting point to every data security strategy has to be classification; for the simple reason that you cannot protect something that you don't know exists, nor can you properly secure that which you do know about if you don't understand its value both to your business and to the myriad threat actors who lust after it. Think about it, not all data has the same value to either party. Some data is more sensitive to the business, and its clients, than others. Some data isn't sensitive nor confidential but is still valued by certain threat actors. But what is really meant by data classification (and discovery for that matter, which for the purposes of this article I'm combining into one entity) from the security perspective? You can break this down into five main questions to ask of your data inventory:
- what do you have?
- where is located?
- who can access it?
- where it can be accessed from?
- what can be done to it once accessed?
Don't underestimate the importance of any of these questions, all of which need to be properly (and continuously) addressed in order for your cloud data security posture to be a strong and effective one.
With multiple cloud applications across multiple departments, it's generally not feasible for an in-house security team to have proper visibility over the data produced. This is especially problematical when individual departments have relative freedom in deploying different cloud solutions. The right tools for the job are essential to not only identifying what data you have and where it is located, but also in identifying the risk of non-authorized access to that data across your network, application and cloud infrastructure.
Who, what and where data security in the cloud?
With the what and where taken care of, you then need to focus attention on the who: which is where identity and access management enter the equation. Authentication and authorization are just as important a part of the cloud data security landscape as they are on-premise. As well as extending user directories to the cloud, with Azure AD or AWS AD by way of example, the golden rule of 'least privilege' also has to be applied to data in the cloud. Restricting access to data in the cloud is a vital cog in the overall data security machine, but so is preserving data confidentiality. Encryption is your friend here, just make sure you pay close attention to key management via cloud key stores.
Don't forget that storing data in the cloud doesn't mean that your data isn't in a physical store, or stores, somewhere. Knowing where is actually more important to data security than it's given credit for because of two words: data, sovereignty. The reason for this harks back to the 'who can access it' question posed earlier. If data is physically located in a different country, or region, than the owner of that data then different laws might come into effect that unpick your good work in controlling access to it. It is vital, therefore, that you know where your data is physically stored in the cloud, and even where your cloud provider is physically headquartered, as both can open the door for law enforcement to access your data and so violate any data residency regulations that might apply in your industry sector. Understanding your Health Information Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standards (PCI DSS) and General Data Protection Regulation (GDPR) liabilities are no less essential a part of the cloud data protection puzzle than any other...
About the author:
Davey Winder is a veteran security journalist with three decades under his belt. The only three-time winner of the BT Security Journalist of the Year award, he was presented with the Enigma Award for a 'lifetime contribution to IT security journalism' in 2011. Currently contributing to Digital Health, Forbes, Infosecurity, PC Pro, SC Magazine and The Times (via Raconteur Special Reports) you can catch up with all his latest writings at www.happygeek.com