When considering migrating to the cloud, companies routinely cite security as a top concern. The wide array of on-demand security services available in the cloud and their highly scalable nature may even be the reason for moving essential applications out of the data center. Of particular concern, of course, are the security and privacy of data. In this blog post, I will outline high-level strategies for protecting and managing data in the cloud. Although some of these may seem very basic, security breaches of even the largest enterprises take advantage of gaps in these areas.
Let’s start with the well-recognized but still important “shared responsibility model” of cloud computing. In a nutshell, cloud providers are responsible for protecting and managing the cloud, but their customers are responsible for security in the cloud. Whether your deployment is IaaS, PaaS, or even SaaS (such as Microsoft 365 or Salesforce), you are responsible for your data, client devices and endpoints, and identity and access management (IAM). This model is commonly illustrated in a diagram like the one below. (Click to expand.)
- TIP: Make sure you understand your cloud provider’s shared responsibility model, and that cloud security is not just about technology – people and process are just as important.
Okay, so where do you start? People often ask: “Will our sensitive and regulated data be safe in the cloud?” Yes, it can be! You should start with a strong understanding of your data.
6 strategies for protecting and managing data in the cloud
1. Identify sensitive or regulated data – such as user credentials, keys, intellectual property, and PHI, PII, or PCI. These make up your largest risk for data and financial loss.
- TIP: Data classification and data-loss prevention (DLP) tools will help you to automatically identify your sensitive data, monitor access and automate responses. The best solutions now use AI/machine learning to identify and respond to data security threats.
2. Segregate the data tier of your application as you would in the data center. For example, create a data subnet and lock it down. If you are using PaaS-based database services, then use your provider’s service endpoints to enhance security (and improve performance).
3. Understand how the data is being accessed and focus on controlling that access tightly.
- TIP: Use IAM “roles” and not “user” accounts to control access to data using the concept of least privilege. Use your cloud provider’s policy functionality to clearly define exactly what the role can access and actions it can perform on your data.
4. Create corporate data protection policies, then manage data access to mirror those policies. Establish cloud data review and deletion policies.
5. Set limitations on how data is shared. Use role-based access control (RBAC) and policies to prevent unauthorized users from accessing and sharing data. Block data from moving out of the cloud onto unmanaged devices and secure all endpoints including laptops and mobile devices.
- TIP: Microsoft Office 365 has many controls to limit or prevent sharing, such as disallowing external sharing completely. Secure your data in Office 365 by using these settings.
- TIP: Consider adoption of a cloud access security broker (CASB) solution for data loss prevention (DLP) and controlling user data access and behavior.
6. Understand data encryption in the cloud and assume responsibility for it. To ensure that data are encrypted in-flight and at-rest, use both client-side and server-side encryption. Use your cloud platform’s tools for managing and securing all keys (KMS), credentials, secrets, etc.
The rapid growth of cloud computing has been accompanied by massive growth of big data. Advantages that come with running applications in the cloud – such as scalability, on-demand services, and availability – require us to stay keenly focused on data security and management. It can be challenging, for sure, but starting with a thorough understanding of the data you are managing and how it needs to be consumed will help you to develop a plan to secure it, monitor access, and mitigate risk.
Contact the Freeit Cloud Services team to learn more about how you can strengthen your cloud practice.