Cloud Data Security Best Practices
Cloud data security is how an organization secures data assets and resources running on the cloud. It encompasses the policies, controls, procedures, and technologies that protect the data aspects of cloud computing from loss, leakage, or misuse through breaches, exfiltration and unauthorized access.
Cloud data security ensures the security and privacy of data not just across networks, but also within applications, containers, workloads and other cloud environments. An effective cloud data security program needs to control data access for all users, devices and software, and provide complete visibility into all data on the network.
There are three categories of data that need protection:
- Data in use – Data being processed by an application or endpoint; protected through user authentication and access control
- Data in motion – Data in the process of moving across the network
- Data at rest – Data stored in the cloud; protected through access restrictions and user authentication
What Counts as “Sensitive Data” and Why is it at Risk?
Companies are generating, managing, and storing more data than ever before. Much of this data is innocuous, but a significant portion of it is sensitive customer, employee, or business data. Types of sensitive data include:
- Personally Identifiable Information (PII) - Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, alongside medical, educational, financial, and employment information.
- Payment Card Industry (PCI) Data - Includes credit card information and payment details.
- Protected Health Information (PHI) - As defined by the Health Insurance Portability and Accountability Act (HIPAA), this data includes any past and future data about an identifiable individual’s health, treatment, and insurance information.
- Intellectual Property – For example, source code of customer-facing services or customer base trends.
- Developer Secrets - For software companies, this includes passwords and API keys.
The move to the cloud means that protection of these types of sensitive data has become more complex. The reasons?
- The distributed nature of cloud computing means that organizations may not understand exactly where all applications and data are stored.
- Security responsibilities in a shared environment may be misunderstood or incorrectly applied.
- Third-party hosting places serious limits on the visibility of data access and sharing.
- Multi-cloud environments and hybrid infrastructures frequently suffer from inconsistent security regimes.
- Depending on where it is physically stored, cloud data may be subject to various data protection regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), or the Health Insurance Portability and Accountability Act (HIPAA).
Third Party Risks to Cloud Data
A cloud data security regime needs to include the companies providing the cloud services, the companies using them, and any third parties providing services involving data.
Third-party risk is any risk to an organization from external parties - vendors, suppliers, partners, contractors, service providers or others - who have access to internal company or customer data.
For example, consider cloud-based payroll, customer relationship management, email marketing and other solutions – all these entrust sensitive data to third-party applications. Compromise of the data held by these third parties can directly damage an organization through loss of the data itself, loss of revenue, downtime, and more. The potential indirect damage of third party incidents can be even greater - regulatory fines, legal action, and reputational damage.
The Cloud Data Security Compliance Imperative
Worldwide, regulatory and governing bodies have introduced ever-stricter guidelines to protect sensitive data. For example:
- Payment Card Industry Data Security Standard - PCI DSS applies to organizations that process, store or transmit cardholder data, and is applicable to cloud service providers.
- General Data Protection Regulation – GDPR, a global data protection regulation developed by the EU, addresses a broad range of cloud data protection activities.
- Health Insurance Portability and Accountability Act Security Rule - The HIPAA Security Rule includes requirements for protecting the security and integrity of electronic personal health data.
The complexity and overlapping nature of regulations makes compliance challenging. It is difficult to understand which frameworks and laws apply, since this depends on many factors - how and where a business operates, the customers it serves, the number of assets under management, and more.
Noncompliance with regulations can have serious consequences. In addition to the reputational damage that a company suffers after a data breach, there can be steep regulatory fines. The Ponemon Institute estimates that the average cost of compliance is some $5.5 million per organization – whereas the cost of non-compliance is nearly $15 million – including fines, penalties, and fees, as well as the indirect costs of business disruption, revenue loss, productivity loss, and reputational damage.
The costs of noncompliance are in the headlines seemingly every day. Some major fines just in one industry include:
- JP Morgan was fined $125M in 2021 for compliance control failures owing to substandard recordkeeping and poor controls of personal device usage.
- Morgan Stanley was fined a total of $60M this year for data privacy violations that took place in 2016 and 2019, regarding decommissioned data center equipment that hadn’t been properly erased.
What’s more, IBM estimates that the cost of non-compliance is climbing year-over-year – up some 45% from 10 years ago and nearly 13% from just two years ago. These costs are rising owing to increased public and regulatory sensitivity surrounding data security in general and cloud data security specifically. And in response, companies are upping their investments in both security and compliance solutions.
Cloud Data Security Best Practices
To meet both market and regulatory expectations and ensure that your data security protections are effective, consider the following best practices:
- Reduce the Data Attack Surface
Whereas the previous definition of ‘attack surface’ was the sum of all attack vectors, your ‘data attack surface’ is the sum of all your exposed sensitive data. Reducing the data attack surface demands achieving a comprehensive picture across all your cloud assets. Cloud environments use hundreds of policies and configurations, together with thousands of active identities at any given time. Reducing the data attack surface involves reducing the quantity of sensitive data stores by removing unnecessary sensitive data via redaction, anonymization, encryption, and more.
Limiting the number of sensitive data stores helps security teams shrink the data attack surface - reducing the number of assets worth attacking. By achieving first visibility, then control, over the sensitive data in your ecosystem, you can reduce not only the data attack surface, but overall organizational risk, too.
- Discover and Classify
When employees sign up for cloud services, sensitive corporate data finds its way out of the protected realm and becomes shadow data. The same happens in a multitude of scenarios, including:
- Cloud-driven CI/CD - When self-service cloud models let developers self-provision data stores on the fly, data security policies can fall victim to expediency – leading to insecure data.
- Microservices - As organizations embrace distributed cloud-native apps based on containers, serverless functions, and microservices, data ends up spread across hundreds of databases, shared storage, data warehouses, data pipelines and more – making it tricky to map and track data.
Cloud security teams can discover these unknown services by closely monitoring system usage. Consider using data tagging or other solutions to classify data, but keep in mind that while this works well for structured data like credit card numbers, sensitive data includes unstructured data as well. And unstructured data can include source code, developer secrets, intellectual property and other corporate secrets whose loss could cause as much damage as customer data in the event of a breach.
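The two practices above (shrinking the data attack surface by redacting what you do not need, and discovering and classifying what you do keep) share one building block: a scanner that recognizes sensitive values in stored content. The example below is added here and is not Sentra's code; it scans a handful of constructed records for the three structured data types the article names (card numbers, validated with the Luhn check so that arbitrary digit runs are not mis-tagged; US social security numbers; and AWS access key IDs, whose `AKIA...` prefix is documented by AWS), tags each record, and produces a redacted copy that keeps only the last four digits of a card. The record paths and contents are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample records standing in for objects found in a cloud data store.
SAMPLE_RECORDS: Dict[str, str] = {
    "exports/orders.csv": "order 1001, card 4111 1111 1111 1111, shipped",
    "notes/hr.txt": "employee ssn 123-45-6789 on file",
    "config/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",   # AWS's documented example key ID
    "docs/readme.md": "Nothing sensitive here, just product text.",
}

# 13-19 digits with optional space/dash separators; candidate only until Luhn confirms it.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AKID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> List[str]:
    """Return the classification labels that apply to one record's content."""
    labels: List[str] = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            labels.append("PCI")
            break
    if SSN_RE.search(text):
        labels.append("PII")
    if AKID_RE.search(text):
        labels.append("SECRET")
    return labels


def redact(text: str) -> str:
    """Produce a copy safe to keep in a lower-sensitivity store (attack-surface reduction)."""
    def mask_card(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return f"[REDACTED-PAN-{digits[-4:]}]" if luhn_ok(digits) else m.group()
    text = CARD_RE.sub(mask_card, text)
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    text = AKID_RE.sub("[REDACTED-KEY]", text)
    return text


def inventory(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Path -> labels, the raw material for a sensitive-data inventory."""
    return {path: classify(body) for path, body in records.items()}


if __name__ == "__main__":
    for path, labels in inventory(SAMPLE_RECORDS).items():
        print(f"{path}: {labels or 'no sensitive data'}")
    print(redact(SAMPLE_RECORDS["exports/orders.csv"]))
```

Pattern matching of this kind is what the article means by "works well for structured data"; source code, design documents and other unstructured intellectual property need content-aware classification rather than regular expressions, which is why the inventory should be treated as a floor rather than a complete picture.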
- Monitor Data Access
It’s crucial to monitor and analyze who accesses data and how it is shared. Check the access controls and permissions on files and folders in all cloud environments and make sure you’re monitoring user roles, location, device types, and other relevant factors. Consider creating an identity-to-data map that includes nonhuman identities like service accounts, implementing zero trust and/or least privilege policies, and closely examining existing privileges to identify overprivileged users.
Effective cloud data security needs to manage privileged access – while limiting data breach exposure, reducing privileged user friction, maintaining customer trust, and ensuring compliance. Thankfully, most Cloud Service Providers offer utilities for access control, including:
- AWS Identity and Access Management (IAM), together with IAM Access Analyzer, enables secure management of identities and access to AWS services and resources. IAM works on the principle of least privilege – meaning that each user should only be able to access the information and resources necessary for their role.
- GCP Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources, and provides a unified view into security policy across the entire organization, with built-in auditing to ease compliance processes.
- Azure Role-Based Access Control manages access to Azure resources. The system enables assigning roles to users, groups, service principals, or managed identities at a particular scope.
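The identity-to-data map and the search for overprivileged users described above can be expressed as a small join between three inventories: which data stores are sensitive, which identities (human and nonhuman) are granted access to them, and which of those grants were actually exercised. The example below is added for illustration and is not Sentra's or any cloud provider's code. The policy grants are a deliberately simplified, IAM-style shape (a list of action sets and a resource pattern per identity); the store ARNs, identities, account ID (AWS's documented `123456789012` example) and the 30-day access history are all constructed. A real implementation would pull the first two inputs from the provider's IAM APIs and the third from audit logs.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# Constructed output of a discovery scan: data store -> classification labels (empty = not sensitive).
DATA_STORES: Dict[str, Set[str]] = {
    "arn:aws:s3:::payments-export": {"PCI"},
    "arn:aws:s3:::hr-records": {"PII"},
    "arn:aws:s3:::public-assets": set(),
}

# Constructed, simplified IAM-style grants: identity -> [(actions, resource pattern), ...].
# "*" as a resource is the classic overprivilege smell; nonhuman identities are included.
POLICIES: Dict[str, List[Tuple[List[str], str]]] = {
    "user/alice": [(["s3:GetObject"], "arn:aws:s3:::hr-records")],
    "user/bob": [(["s3:*"], "*")],
    "role/etl-service": [
        (["s3:GetObject", "s3:PutObject"], "arn:aws:s3:::payments-export"),
        (["s3:GetObject"], "arn:aws:s3:::hr-records"),
    ],
}

# Constructed 30-day access history derived from audit logs: identity -> stores actually touched.
OBSERVED_ACCESS: Dict[str, Set[str]] = {
    "user/alice": {"arn:aws:s3:::hr-records"},
    "user/bob": {"arn:aws:s3:::public-assets"},
    "role/etl-service": {"arn:aws:s3:::payments-export"},
}


def identity_to_data_map(policies: Dict[str, List[Tuple[List[str], str]]],
                         stores: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Identity -> set of data stores its grants can reach (shell-style wildcards in patterns)."""
    result: Dict[str, Set[str]] = {}
    for ident, grants in policies.items():
        reachable: Set[str] = set()
        for _actions, resource in grants:
            reachable.update(s for s in stores if fnmatchcase(s, resource))
        result[ident] = reachable
    return result


def overprivileged(policies: Dict[str, List[Tuple[List[str], str]]],
                   stores: Dict[str, Set[str]],
                   observed: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """Identities that can reach sensitive stores they never used in the observation window."""
    findings: List[Tuple[str, List[str]]] = []
    for ident, reachable in identity_to_data_map(policies, stores).items():
        unused_sensitive = sorted(
            s for s in reachable if stores[s] and s not in observed.get(ident, set())
        )
        if unused_sensitive:
            findings.append((ident, unused_sensitive))
    return sorted(findings)


if __name__ == "__main__":
    for ident, stores in identity_to_data_map(POLICIES, DATA_STORES).items():
        print(f"{ident} -> {sorted(stores)}")
    for ident, unused in overprivileged(POLICIES, DATA_STORES, OBSERVED_ACCESS):
        print(f"least-privilege candidate: {ident} never used {unused}")
```

The "granted but never used" comparison is the practical core of a least-privilege review: a grant that has gone unused for a full observation window is a strong candidate for removal, and the service-account finding matters as much as the human one.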
- Track Data Movement
The trick to tracking data movement in the cloud is to know exactly where your sensitive data is moving and who moved it. The challenge is finding the data that’s not where it’s supposed to be. Consider, for example, a virtual private cloud that’s not supposed to have sensitive data, but does. Other data tracking challenges include finding sensitive information across different security postures and finding duplicate data. Securing data in motion is a challenge for any organization. But advanced tools can discover when multiple copies of data exist, then track and monitor them across environments, while understanding which parts of data are both sensitive and unprotected.
- Double-Check Configurations
Ensure your sensitive data has the right security posture and verify proper backups. Also, make sure that sensitive data is encrypted both in transit and at rest. Cloud service providers offer numerous out-of-the-box encryption capabilities for this. To protect data in transit, for example, connections to cloud storage services should only be made over encrypted HTTPS/TLS connections. Also, ensure proper key management for encrypted data. Data encryption using platform-managed encryption keys is enabled by default on most cloud platforms. You can gain additional control over security by using your own keys and making sure these are centrally managed with encryption key management services in the cloud. If you want even stricter data security, implement native hardware security module (HSM)-enabled key management services or third-party services to protect data encryption keys.
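The two configuration checks above (TLS-only access and encryption at rest under your own key) can be verified mechanically from the configuration objects a provider returns. The example below is added here and is not Sentra's or AWS's code. It uses the real document shapes of an S3 bucket policy and of the `ServerSideEncryptionConfiguration` that `GetBucketEncryption` returns, showing a weak configuration beside a hardened one and an audit function that reports the gap. The bucket name, the `123456789012` account ID (AWS's documented example) and the KMS key ARN are constructed placeholders.

```python
from typing import Any, Dict, List

# Weak: only an Allow statement, so plaintext HTTP requests are not refused.
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payments-export/*"}
    ],
}

# Hardened: same Allow, plus an explicit Deny of any request not made over TLS.
HARDENED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        WEAK_POLICY["Statement"][0],
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::payments-export", "arn:aws:s3:::payments-export/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

# Weak: platform-managed SSE-S3 keys (the default posture).
WEAK_ENCRYPTION: Dict[str, Any] = {
    "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
}

# Hardened: SSE-KMS with a customer-managed key (placeholder key ARN).
HARDENED_ENCRYPTION: Dict[str, Any] = {
    "Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
        },
        "BucketKeyEnabled": True,
    }]
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def enforces_tls(policy: Dict[str, Any]) -> bool:
    """True if a Deny statement refuses all S3 actions when aws:SecureTransport is false."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        if st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if "s3:*" in _as_list(st.get("Action", [])):
            return True
    return False


def key_posture(encryption: Dict[str, Any]) -> str:
    """Classify the default-encryption rule by who controls the key."""
    for rule in encryption.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algo = default.get("SSEAlgorithm")
        if algo == "aws:kms" and default.get("KMSMasterKeyID"):
            return "customer-managed-kms"   # your key; HSM backing is a property of the key in KMS
        if algo == "aws:kms":
            return "aws-managed-kms"        # the provider-owned aws/s3 key
        if algo == "AES256":
            return "sse-s3"                 # platform-managed keys
    return "none"


def audit(policy: Dict[str, Any], encryption: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    if not enforces_tls(policy):
        findings.append("bucket policy does not deny non-TLS access")
    if key_posture(encryption) != "customer-managed-kms":
        findings.append("default encryption does not use a customer-managed KMS key")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY, WEAK_ENCRYPTION))
    print("hardened:", audit(HARDENED_POLICY, HARDENED_ENCRYPTION))
```

Checks like these belong in a scheduled job over every bucket rather than a one-off review, since the "double-check" the article recommends is only meaningful if it is repeated after each configuration change.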
- Define Policies
Every company has different data and different needs. Define policies that reduce the risk of data leaks by enforcing access control and sharing control from the moment data enters the cloud. Some different types of access control paradigms and policies include:
- Mandatory Access Control (MAC) - gives only the owner and custodian management of the access controls, so the end user has no control over any settings that provide any privileges to anyone.
- Role-Based Access Control (RBAC) - provides access control based on the position an individual fills in an organization. So, instead of assigning Fred permissions as a security manager, the position of security manager already has permissions assigned to it.
- Discretionary Access Control (DAC) - the least restrictive model, DAC allows an individual complete control over any objects they own along with the programs associated with those objects.
If you’re using a multi-cloud environment, implement your control policies for each cloud provider. It’s especially important to control which users can share or edit data, and which can only view. Also, it’s crucial to limit how users can share information externally.
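To make the RBAC description and the view/edit/share distinction concrete, the example below is added here (it is illustrative and not Sentra's code). Permissions hang off roles rather than people, so Fred is granted the security-manager role and inherits what it carries, and a mandatory rule layered on top forbids external sharing of card and health data regardless of role, which is the MAC-style control the text describes as beyond any end user's reach. The roles, users, and classification labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed RBAC model: the position carries the permissions, the person carries the position.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst":          {"view"},
    "security-manager": {"view", "edit", "share-internal"},
    "data-owner":       {"view", "edit", "share-internal", "share-external"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "fred": {"security-manager"},   # Fred gets the role; the role already has its rights
    "dana": {"data-owner"},
    "pat":  {"analyst"},
}
# Mandatory rule on top of RBAC: these classifications never leave the organisation,
# no matter what a role grants, and no user can relax it.
NO_EXTERNAL_SHARE: Set[str] = {"PCI", "PHI"}


@dataclass(frozen=True)
class DataObject:
    name: str
    classification: str   # label from discovery/classification, e.g. "PCI", "PII", "PUBLIC"


def permissions_for(user: str) -> Set[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user: str, action: str, obj: DataObject) -> Tuple[bool, str]:
    """RBAC check first, then the mandatory classification rule; returns (allowed, reason)."""
    if action not in permissions_for(user):
        return False, f"{user} holds no role granting '{action}'"
    if action == "share-external" and obj.classification in NO_EXTERNAL_SHARE:
        return False, f"{obj.classification} data may not be shared externally (mandatory rule)"
    return True, "allowed by role"


if __name__ == "__main__":
    roadmap = DataObject("roadmap.docx", "INTERNAL")
    cards = DataObject("cards.csv", "PCI")
    for user, action, obj in [("fred", "edit", roadmap), ("fred", "share-external", roadmap),
                              ("dana", "share-external", cards), ("pat", "edit", roadmap)]:
        print(user, action, obj.name, "->", authorize(user, action, obj))
```

In a multi-cloud estate the same role and classification tables would be compiled into each provider's native policy language (for instance Azure role assignments or GCP IAM bindings), which is what the article means by implementing control policies per cloud provider.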
- Ensure Compliance
Understand what you need to comply with based on where you’re located, what you do and where your customers are. For example, even if you use a third-party credit card processor, you may need to be PCI compliant. Check the PCI standards that apply to you and ensure (for instance) that you're not unknowingly processing or handling PII. Similarly, under GDPR even if you’re a US company, you need to be compliant to do business in the EU. Check carefully that none of your IT infrastructure uses providers with EU-based assets, because if they do, GDPR applies.
- Enable Audit Logging
Most cloud services enable audit logging, which helps you detect unauthorized activities and ensure accountability for people accessing your sensitive data. These utilities include:
- AWS CloudTrail - captures API calls and related events made by or on behalf of an AWS account and delivers the log files to an Amazon S3 bucket, identifying which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
- Azure Audit Logging - a wide array of configurable security auditing and logging options to help identify gaps in security policies and mechanisms.
- GCP Audit Logging - writes audit logs that record administrative activities and accesses within Google Cloud resources, helping answer "who did what, where, and when?".
Audit logs capture details about system configuration changes and access events, with details to identify who was responsible for the activity, when and where the activity took place, and what the outcome of the activity was. What’s more, most automated log analysis supports near real-time detection of suspicious behavior – enabling potential data security incidents to be detected and quickly escalated to the security response team.
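The "who did what, where, and when" fields are exactly what automated detection consumes. The example below is added here and is not Sentra's or AWS's code; it runs three simple rules over constructed CloudTrail-style records (the field names `eventName`, `eventSource`, `sourceIPAddress`, `userIdentity.arn` and `requestParameters` are the ones CloudTrail uses, the values are made up): reads of a sensitive bucket by an identity outside its approved reader list, reads from outside the corporate egress ranges, and events that weaken logging or change who can reach a bucket. The corporate ranges use the RFC 5737 documentation networks and the account ID is AWS's documented `123456789012` example.

```python
import ipaddress
import json
from typing import Dict, List

# Constructed reference data: corporate egress ranges, the buckets a discovery scan tagged as
# sensitive, and the identities approved to read each of them.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
SENSITIVE_BUCKETS: Dict[str, str] = {"payments-export": "PCI", "hr-records": "PII"}
APPROVED_READERS: Dict[str, set] = {
    "payments-export": {"arn:aws:iam::123456789012:role/etl-service"},
    "hr-records": {"arn:aws:iam::123456789012:user/alice"},
}
READ_EVENTS = {"GetObject", "CopyObject", "SelectObjectContent"}
# Events that turn logging off or change a bucket's reachability; always worth a look.
POSTURE_CHANGE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                         "PutBucketEncryption", "DeleteBucketEncryption",
                         "StopLogging", "DeleteTrail"}


def _event(name: str, source: str, ip: str, arn: str, params: Dict[str, str], t: str) -> str:
    return json.dumps({"eventTime": t, "eventSource": source, "eventName": name,
                       "sourceIPAddress": ip, "userIdentity": {"arn": arn},
                       "requestParameters": params})


# Constructed records: two legitimate reads, an unapproved read from an external address,
# an attempt to stop the trail, and a read of a non-sensitive bucket.
SAMPLE_EVENTS: List[str] = [
    _event("GetObject", "s3.amazonaws.com", "203.0.113.5", "arn:aws:iam::123456789012:user/alice",
           {"bucketName": "hr-records", "key": "2023/payroll.csv"}, "2023-09-01T08:00:00Z"),
    _event("GetObject", "s3.amazonaws.com", "10.1.2.3", "arn:aws:iam::123456789012:role/etl-service",
           {"bucketName": "payments-export", "key": "daily.csv"}, "2023-09-01T08:05:00Z"),
    _event("GetObject", "s3.amazonaws.com", "198.51.100.7", "arn:aws:iam::123456789012:user/bob",
           {"bucketName": "payments-export", "key": "daily.csv"}, "2023-09-01T08:07:00Z"),
    _event("StopLogging", "cloudtrail.amazonaws.com", "203.0.113.5", "arn:aws:iam::123456789012:user/bob",
           {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}, "2023-09-01T08:09:00Z"),
    _event("GetObject", "s3.amazonaws.com", "198.51.100.7", "arn:aws:iam::123456789012:user/carol",
           {"bucketName": "public-assets", "key": "logo.png"}, "2023-09-01T08:10:00Z"),
]


def _is_corporate(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:   # CloudTrail also records service hostnames here; treat as not ours
        return False
    return any(addr in net for net in CORPORATE_NETS)


def detect(raw_events: List[str]) -> List[Dict[str, str]]:
    """Apply the three rules to newline-delimited JSON records; returns findings in event order."""
    findings: List[Dict[str, str]] = []
    for raw in raw_events:
        ev = json.loads(raw)
        name = ev.get("eventName", "")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        bucket = ev.get("requestParameters", {}).get("bucketName")

        def flag(rule: str) -> None:
            findings.append({"rule": rule, "identity": arn, "event": name,
                             "time": ev.get("eventTime", "")})

        if bucket in SENSITIVE_BUCKETS and name in READ_EVENTS:
            if arn not in APPROVED_READERS.get(bucket, set()):
                flag("unapproved-identity")
            if not _is_corporate(ev.get("sourceIPAddress", "")):
                flag("external-source-ip")
        if name in POSTURE_CHANGE_EVENTS:
            flag("posture-change")
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']}: {f['identity']} ({f['event']})")
```

Object-level reads such as `GetObject` only appear in CloudTrail when S3 data event logging is enabled for the bucket, so the first two rules are silent on buckets where that has not been switched on; the third rule catches the case where someone tries to switch logging off.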
Introducing Data Security Posture Management
Before the era of the cloud, securing data meant securing your data center. Back then, even if your data was copied or moved, it still stayed inside your organization’s data center. There wasn’t a difference between your infrastructure security and your data security.
But in cloud-first companies, data travels constantly. It moves to different environments with different security postures. Existing Cloud Security Posture Management (CSPM) solutions were designed to secure cloud infrastructure – to find vulnerabilities in cloud resources, like VMs and VPC networks. But there was no solution that focused on securing the cloud data itself.
That’s why Sentra created Data Security Posture Management (DSPM).
DSPM is an approach to securing cloud data that ensures that sensitive data always has the correct security posture - regardless of where it’s been duplicated or moved to.