Cloud data security has many components, but it starts with knowing your data. Cybersecurity, IT infrastructure security, application security, network security, cloud security, Internet of Things security, data security ─and that’s just part of the list. The IT security industry has generated numerous sub-domains and focus areas. As more organizations move their data to the cloud, one that has become increasingly critical is cloud data security.
Aparavi's unique contribution to securing data in the cloud ─ enabling you to find and identify sensitive data ─ makes it an extremely valuable IT security asset.
Cloud data security refers to protecting digital information anywhere it exists ─ on premise, on endpoints, in the cloud, etc. ─from unauthorized access, corruption or theft throughout its lifecycle. Cloud data security focuses specifically on protecting digital information “in the cloud.”
Whereas the broader category of cloud security refers to the policies, technologies, applications, and controls used to protect data, applications, services, and the associated infrastructure for cloud computing, cloud data security focuses primarily on the data aspect. Although it employs many of the same tools and technologies as data security, it’s not the same.
“In the cloud” makes a difference, largely because of the division of responsibility between cloud services providers (CSPs)and customers for security. There are also threats and challenges unique to cloud environments that come into play.
For organizations with on-premise environments, their in-house IT staffs take on full responsibility for all aspects of data security. With cloud environments, the responsibility is typically shared between the cloud services provider (CSPs) and the customer.
Most CSPs follow the AWS model of shared responsibility for security. They’re responsible for the infrastructure that powers their services. In other words, they’re responsible for the security “of the cloud.” That includes the physical layer of the cloud ─ the compute, storage and network subsystems, the software (virtualization) layer, and the operation and security of the data center and network infrastructure that support their cloud services.
Customers, in turn, are responsible for security“in the cloud.” That encompasses the security of their data in the cloud, their applications, and the operating system. They’re also responsible for network controls, configurations, and identity and access management (IAM).
While splitting the responsibility for cloud security with a CSP reduces some of the burden on in-house IT staffs, it doesn’t eliminate all of it. In fact, the focus on data “in the cloud”introduces a few new challenges.
For example, not every IT professional has cloud expertise or an understanding of the unique requirements of securing data in the cloud. Hiring that expertise isn’t easy or cheap. The cybersecurity industry has seen a talent gap for years, making it difficult for organizations to recruit and retain the security professionals they need ─ particularly those with cloud expertise.
Organizations also don’t have complete visibility into or control of their cloud environments. That can make it difficult to ensure things like appropriate permissions and the principle of least privilege ─ both essential cloud data security components ─ are correctly applied.
Cloud data security isn’t something that can be put on the proverbial back burner. Cyberattacks are increasing in sophistication and frequency, putting organizations at significant risk for costly data breaches and the negative outcomes that come with them. Regulatory requirements regarding the privacy of and access to data are increasing and becoming more complex ─ and the penalties and fines more expensive.
Both drive the need for strong security for data, whether it resides on on-premise servers and in the cloud. However, the cloud erodes the traditional perimeter that drives on-premise cybersecurity strategies. That generates some unique risks. Among:
· Insider threats. The lack of visibility into the cloud ecosystem increases the risk of insider threats, whether the insiders are gaining unauthorized access to data with malicious intent or are inadvertently sharing or storing sensitive data via the cloud.
· Account hijacking or takeover. The use of use weak passwords or previously compromised passwords givens gives cybercriminals easy access to cloud accounts.
· Non-secure application programming interfaces (APIs). Many cloud services and applications rely on APIs for functionality such as authentication and access. However, these interfaces often have security weaknesses such as misconfigurations, which can open the door to cyberattacks.
Another consideration for cloud data security is the fact that much of the data in the cloud is unstructured and highly vulnerable to cyber threats. That’s largely due to the exponential growth of unstructured data, and increases in the number of users and devices generating, accessing, and using it, all of which are generating more attack surfaces and vulnerabilities. It doesn’t help that, unlike structured data, unstructured data doesn’t fit easily into pre-set data model or schema.
Unstructured data can include anything from emails and FedEx receipts to sensor data and social media feeds. It can easily─ and often does ─ contain files with personal or sensitive data, like personnel files, school records, credit card information, medical history and other files that could have personally identifiable information (PII).
Thanks to data silos, shadow IT, and other factors, many organizations don’t even know where their unstructured data resides. Nor do they know what their unstructured data contains, who has access to it and how often it’s being accessed.
What does that mean for cloud security? Even with access to a wide range of tools, technologies and tactics for securing data in the cloud, you can’t protect what you don’t know you have. That’s why the Aparavi Platform provides incredible value.
The Aparavi Platform includes features that enable MSPs, or customers themselves, to search across all systems to locate data, including unstructured data, wherever is exists. It could be on premises, at the edge and in the cloud, or across multiple departments, facilities and geographies.
The scan results provide information about the data by location, owner, events, creation data, last access data, extension type and modification date. That information enables users to take a first pass at eliminating redundant, obsolete and trivial (ROT) data ─ anywhere from 25 to 80% of it. For example, creation date, last access date and modification date can help determine obsolete data that’s no longer needed. You can also use the search feature to identify duplicate files.
In addition, the Platform allows you to define custom tags that can be applied to help identify and clean up ROT data. There’s also a data actions feature for deleting specific files (individually or in a batch), or moving them to a location where they can undergo data cleaning as needed.
With less data to review, you can more quickly search for and access sensitive data. The Aparavi Platform can help here as well with its extensive collection of classification policies that can be used to identify specific types of data that fall under the sensitive, proprietary and/or PII categories. Among them: bank account number policies, specific regulatory compliance policies, SWIFT codes policies and others.
Act Upon the Sensitive Data
Once you know what sensitive data you have and where it is, you can determine what cloud data security mechanisms are needed. For example, the data may require special handling to meet compliance requirements. Note: this is something MSPs may wish to do for their clients as a managed service.
The Aparavi Platform’s data actions feature is useful too. You can move or copy sensitive information into a storage target with limited access rights. The data can also be moved to specific location for data hygiene or special handling to meet compliance requirements.
You’ll need to identify which users should have access to any sensitive data. Strive for least-privilege access control.You’ll also need a way to track when changes are made to sensitive data and permissions. If a user copies, moves, deletes, renames or modifies a file containing sensitive data or PII, you need to know about it ─ and be able to reverse it.
Reduce Cloud Data Risks
Locating and identifying sensitive data can and should be a critical component of any cloud data security strategy. That includes defense-in-depth strategies, in which a series of defensive mechanisms are layered in order to protect valuable data and information.
To learn more about mitigating the risks associated with unstructured data – and meeting compliance and data security and privacy requirements, read the solution brief or visit our aparavi demo page for a free cloud data security demo today.