Cloud Data Security

When businesses first transfer workloads to the cloud, a misconception sometimes exists that responsibility for cloud data security also transfers to the Cloud Service Provider. However, whereas Cloud Service Providers are responsible for the security of the cloud (the physical data centers, the hardware, and the virtualization and service layers they operate), security in the cloud (the data, identities, configurations and workloads the customer puts there) remains the business's responsibility, and this is often where problems start.

The reason why the division of responsibility causes problems is that the point at which the line is drawn between customer responsibility and provider responsibility varies according to the service being used. For example, when a business deploys an EC2 instance on AWS, the business is responsible for patching and hardening the instance's operating system. However, when the business deploys a container on a serverless container service such as AWS Fargate, AWS manages the host operating system, although the business remains responsible for the container image, the packages inside it and the application it runs. (Containers run on self-managed EC2 hosts are a different case: there the host operating system is still the business's responsibility.)

As the level of abstraction rises, the business's visibility into what happens beneath it falls. Cloud data centers are multi-tenant environments in which multiple businesses share the same hardware, and, for privacy and security reasons, Cloud Service Providers do not let one tenant see what is going on below the level of abstraction at which it consumes the service. The practical consequence is that it is often difficult to monitor where data is, how it is being used, and who is accessing it, unless the business itself instruments the layers it does control.

The First Step to Cloud Data Security is Visibility

There are multiple monitoring tools capable of collecting detailed metrics from the layers the business controls, and generally they fall into two categories, agent-based and agentless. Agent-based tools collect more granular metrics more frequently and, because the agent initiates an outbound connection to the collector, require fewer inbound open ports on the server than agentless tools, which typically poll the server over SSH, WMI or a management API. The trade-off is that agents must be deployed and kept patched on every host; agentless tools are easier to roll out but add inbound exposure. Fewer open ports means a smaller attack surface, which is better for cloud data security.

The information these tools provide reveals not only where data is, how it is being used, and who is accessing it, but also which unsanctioned services are being used by Lines of Business. “Shadow IT” is a common occurrence in many businesses: departments create their own mini cloud environments “to get the job done”, and although the motive is usually productivity rather than malice, the users of these mini cloud environments rarely have the security expertise of IT professionals.

Consequently, the use of unsanctioned services by Lines of Business can result in cloud data security issues. These vary from misconfigured servers with unauthorized open ports, to repositories of unencrypted data left exposed to the public Internet, to cloud services being used over unsecured networks. It is also common for IAM permissions to be configured far more broadly than the workload needs, giving an attacker who compromises a single account or access key the opportunity to move laterally through large parts of the environment.

If Shadow IT Exists, This is How to Address It

Because of the cloud security risks posed by Shadow IT, it needs to be brought under centralized control, but not necessarily the control of the IT department. Traditional IT change processes are too slow for the dynamic world of cloud computing, and if the IT department becomes the gatekeeper of the cloud, the likelihood is that new mini cloud environments will evolve with the same cloud data security risks as before. Instead, the answer is a Cloud Center of Excellence.

A Cloud Center of Excellence is a team with representatives from each department within the business. The purpose of the Cloud Center of Excellence is to establish which cloud services are being used, replace insecure services with secure alternatives, and educate users on how to use the alternatives securely. The best practices developed by the team will not only enhance cloud data security, but also eliminate performance inefficiencies and help control cloud costs.

In addition, it will be the team's responsibility to develop cloud governance policies. Cloud governance policies are effectively the rules under which the business operates in the cloud, together with the processes for changing those rules to accommodate revised business objectives, the release of new cloud services, and emerging threats to cloud data security. It is important that cloud policies are built around existing on-premises policies, so that there is not one set of rules for on-premises and another for the cloud.

Enforcing Cloud Governance Policies with Automation

The more a business takes advantage of the benefits of cloud computing, the greater the need for cloud governance policies. The more cloud governance policies there are, the harder it becomes to monitor compliance with them. For this reason, it is recommended to implement a monitoring tool with policy-driven automation capabilities that continuously verifies compliance with the policies and takes a user-defined action when a policy is – or is about to be – violated.

An example of how automated policy enforcement works is a user attempting to use a cloud service not sanctioned by the Cloud Center of Excellence. The monitoring tool can notify the team of the violation, block the launch of the service, or initiate an approval workflow so that permission to override the policy can be granted or denied. This process overcomes the cloud data security concerns associated with self-provisioning. Other examples of how automated policy enforcement works include:

  • Guardrails in the development pipeline (for example, checking infrastructure-as-code templates before they are applied) can ensure new deployments conform to approved configurations.
  • Continuous verification ensures deployments remain within the approved configuration parameters, so that drift after deployment does not introduce vulnerabilities.
  • Global tagging policies can be enforced automatically, so that the launch of resources with no tags is blocked, or misspelled tag keys are corrected to their canonical form.
  • Where data is not encrypted by default, enforcing the tagging policy ensures that sensitive data (for example, resources tagged as containing PII) is always encrypted.
  • The monitoring tool can also ensure that storage volumes and buckets containing sensitive data are not exposed to the public Internet.
  • With regard to IAM permissions, “least privilege” policies can be applied at group level and tightened further with conditional access controls (for example, conditions on source network, MFA status, or time of request).
  • Policies stipulating that accounts with high privilege levels have multi-factor authentication enabled can be enforced by revoking access when MFA is disabled.
  • Similarly, account access at any level can be automatically revoked if suspicious activity is identified, for example a login from an unfamiliar location or outside normal working hours. Because such signals also fire on legitimate activity, automatic revocation should be paired with a quick re-approval path so that it does not become a denial of service against the business's own staff.
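The enforcement logic described in the list above, as an added example that is not code from the article: a small policy evaluator in Python run over a constructed inventory of resource descriptions, covering the unsanctioned-service check, tag enforcement (block untagged launches, correct misspelled keys), encryption and public exposure of sensitive data, and MFA on privileged identities. The inventory schema, the tag names, the sanctioned-service list and the action names (notify, block, remediate, approval) are assumptions chosen for illustration; a real tool would read resource state from the provider's configuration API and wire each action to a notification, an IAM deny or a remediation function.

```python
"""Policy-driven enforcement over a constructed cloud resource inventory.

Added example, not code from the article. The inventory schema, tag names,
service allow-list and action names are assumptions for illustration.
"""
from dataclasses import dataclass
import difflib

# Governance inputs the Cloud Center of Excellence would own (assumed values).
SANCTIONED_SERVICES = {"ec2", "ebs", "s3", "rds", "iam"}
REQUIRED_TAGS = ("owner", "cost-center", "data-class")
SENSITIVE_CLASSES = {"pii", "phi"}


@dataclass
class Finding:
    resource: str
    policy: str
    action: str   # notify | block | remediate | approval
    detail: str


def normalize_tags(tags):
    """Correct near-miss tag keys (e.g. 'costcentre' -> 'cost-center').

    Returns the corrected tag dict and a list of (old, new) renames."""
    fixed, renames = {}, []
    for key, value in tags.items():
        k = key.strip().lower()
        if k not in REQUIRED_TAGS:
            match = difflib.get_close_matches(k, REQUIRED_TAGS, n=1, cutoff=0.8)
            if match:
                renames.append((key, match[0]))
                k = match[0]
        fixed[k] = value
    return fixed, renames


def evaluate(res):
    """Apply the governance policies to one resource description."""
    findings = []
    name = res["id"]
    # 1. Unsanctioned service: route to an approval workflow rather than a hard fail.
    if res["service"] not in SANCTIONED_SERVICES:
        findings.append(Finding(name, "sanctioned-services", "approval",
                                f"service '{res['service']}' is not approved"))
    # 2. Tagging: auto-correct misspellings; block launches that are still untagged,
    #    only notify for resources already running so enforcement does not break workloads.
    tags, renames = normalize_tags(res.get("tags", {}))
    for old, new in renames:
        findings.append(Finding(name, "tagging", "remediate",
                                f"renamed tag '{old}' to '{new}'"))
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        action = "block" if res.get("state") == "launching" else "notify"
        findings.append(Finding(name, "tagging", action, f"missing tags {missing}"))
    # 3. Sensitive data must be encrypted at rest and never publicly reachable.
    sensitive = tags.get("data-class", "").lower() in SENSITIVE_CLASSES
    if sensitive and not res.get("encrypted", False):
        findings.append(Finding(name, "encrypt-sensitive", "remediate",
                                "enable encryption at rest"))
    if sensitive and res.get("public", False):
        findings.append(Finding(name, "no-public-sensitive", "block",
                                "remove public access"))
    # 4. Privileged identities must keep MFA enabled; revoke access if it is turned off.
    if res["service"] == "iam" and res.get("privileged") and not res.get("mfa", False):
        findings.append(Finding(name, "mfa-for-privileged", "block",
                                "revoke access until MFA is re-enabled"))
    return findings


def evaluate_inventory(inventory):
    """Return findings for every resource, keyed by resource id."""
    return {r["id"]: evaluate(r) for r in inventory}


# Constructed inventory snapshot (not real data); one entry per condition above.
INVENTORY = [
    {"id": "vol-pii-1", "service": "ebs", "state": "running", "encrypted": False,
     "public": False, "tags": {"Owner": "analytics", "costcentre": "CC-42", "data-class": "PII"}},
    {"id": "bucket-public-1", "service": "s3", "state": "running", "encrypted": True,
     "public": True, "tags": {"owner": "marketing", "cost-center": "CC-7", "data-class": "pii"}},
    {"id": "i-launching-1", "service": "ec2", "state": "launching", "encrypted": True, "tags": {}},
    {"id": "user-admin-1", "service": "iam", "privileged": True, "mfa": False,
     "tags": {"owner": "platform", "cost-center": "CC-1", "data-class": "internal"}},
    {"id": "fn-shadow-1", "service": "somefaas", "state": "running",
     "tags": {"owner": "sales", "cost-center": "CC-9", "data-class": "internal"}},
]

if __name__ == "__main__":
    for rid, findings in evaluate_inventory(INVENTORY).items():
        for f in findings:
            print(f"{rid}: [{f.action}] {f.policy}: {f.detail}")
```

Two design points are worth noting. The tag check distinguishes a resource that is still launching (block it) from one already running (notify), because retroactively killing a production workload over a missing tag is a bigger incident than the tag violation itself. And the unsanctioned-service check routes to an approval workflow rather than a flat deny, which is the mechanism that keeps Lines of Business from simply working around the control.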

Cloud Data Security is a Challenge, but Not One that is Insurmountable

There is no question that cloud data security is a challenge; but, by obtaining total visibility, centralizing control of the cloud environment, and automatically enforcing cloud governance policies, businesses can mitigate the risks of operating in the cloud. Importantly, by implementing guardrails to prevent accidental events, businesses also reduce the likelihood of becoming victims of malicious ones.