Cloud Data Protection - Let it Flow
- Maor Cohen
- 4 minute read
Data exists within frameworks of complex, hybrid, multi-cloud infrastructures. This has brought some valuable elements to our businesses. But it has also given us a lot more to deal with in terms of the cyberthreat landscape and protecting data in an extended and hyper-connected IT infrastructure. The vulnerabilities of cloud apps are apparent in the level of data breaches we are experiencing. In 2019, we saw, yet again, increasing numbers of exposed data records. Just within the first half of the year, over 4 billion records were exposed; an increase of 54% on the same period of the previous year.
One of those breaches, the Capital One breach, involved an ex-AWS engineer, and resulted in the exposure of around 106 million personal and financial data records. The attacker used a known vulnerability (misconfiguration) in an open-source Web Application Firewall (WAF) which was part of the AWS stack used by the bank. According to well-known security researcher Brian Krebs, the misconfiguration allowed the WAF to provide credentials to access any resource in the cloud to which that server had access. The server, in this case, was not configured to use ‘least privilege’, which resulted in, over a million customer data records being compromised.
We need to, and justifiably do, place trust in our cloud service providers to protect the infrastructure they provide; however, protecting your data in the cloud always falls to the company to which the data belongs. Data is no longer contained in our enterprise perimeter, so we need to turn to a modular approach of data protection to ensure the right protection at the right time.
Who is Responsible for the Protection of Data in the Cloud?
Passing the buck of who is responsible for data protection within a cloud infrastructure may seem simple. The Shared Responsibility Model breaks this down into two key areas:
- Security of the cloud - the security elements of the cloud infrastructure itself, e.g. storage, network service layers, etc.
- Security in the cloud - covering the data and the apps that run in the cloud
However, these two areas are not isolated, they exist in synchronization. Advanced cyber-threats are often intrinsically linked across the ‘in and of’ areas; in other words, the protection of cloud data cannot be separated out and must be viewed as a whole system, made up of interconnected modules.
A Modular Approach to Cloud Data Protection
Data is no longer a static object, rather, it flows throughout each part of a hybrid multi-cloud infrastructure. We can’t expect our infrastructure to protect data in its entirety. Instead, we need to view systems as modules, with each module configured to apply the most relevant data protection.
To see just where we are with respect to our cloud data protection maturity, we can look to some recent figures from a Gemalto study:
- Only 50% of organizations have defined roles and accountability for safeguarding confidential or sensitive information stored in the cloud.
- Only 49% of organizations are encrypting data in the cloud
The figures clearly show that around half of organizations have gaping holes in their cloud data protection strategy. Cyber criminals can and will take advantage of any gaps in security. In a cloud infrastructure, data exists across many touch points. It flows through cloud apps, into cloud and local storage, and out to the enterprise and personal endpoints.
A multi cloud infrastructure requires a multi cloud data encryption strategy. Breaking the cloud data protection problem into key modules helps to develop a better security approach:
Classification of Data
Knowing what data you have is the first step in the process towards robust cloud data protection. Cloud infrastructures mean that data can be harder to see, but knowing the type of data you have has never been more important. Data protection laws, such as the EU’s General Data Protection Regulation (GDPR) set requirements that are more stringent for more sensitive personal data. As well as being compliant with regulations, there are other, more company-specific reasons to classify data. Security is about levels of risk. Applying
the right security measure can be informed by assessing the risk, based on the type of data.
Visibility of Data
In a hybrid multi-cloud infrastructure, data travels across complex pathways; data flows across different entities, across locations, between apps and endpoints, etc. It is impossible to know which data center contains what data at any given point in time. This has serious implications for data residency, i.e. knowing exactly where data is stored. For example, many regulations and contracts have requirements that have strict clauses on data jurisdiction. Making sure that you are always in compliance with data protection laws, as well as protecting sensitive and customer data, is something that requires attention to the potential locations data would be migrated to, stored in and processed at.
Access to Data and Apps
In the Capital One breach, one of the key reasons data was exposed was the lack of control over who accessed what data. Access privileges on data, including who, where (geo-location) and what (device) is a top priority when looking at cloud data protection. Security policies should cover data-level access, along with strong identity access management (IAM) and device level management. Additionally, a Zero-Trust model of access management should be explored.
Encryption of Data
Data flows across states - at rest, in transit, and in use; this means that the relevant type of encryption must be used to reflect the state and location of this data. Knowing what type of data you have to protect, as well as understanding the kind of processes needed to be performed on this data, will inform your choice of encryption and access control requirements. For example, if you need to perform computations on this data, you will need encryption that can handle data in use.
Preventing the next security breach
Cloud data protection is a process that requires a modular approach to succeed. The complex nature of hybrid, multi-cloud infrastructures, has forced us to look at the whole lifecycle and state of data. The most appropriate encryption and access control measures, at rest, in transit, and in use, is needed to cover that lifecycle. But to understand what to protect you need to have visibility of these data and know what type of data you are dealing with. This whole system view of cloud data protection is the only way to ensure that company sensitive and customer data has not only the most appropriate but the most robust protection possible. Cloud data protection is everyone’s responsibility and with cloud computing, we must ensure that the entire data lifecycle is under control.