insider threat data masking
X
Tip

Key factors to achieve data security in cloud computing

Enterprises face a variety of data security concerns when deploying assets to the cloud. But there are some guidelines you can follow to make sure your assets are protected.

Just about every company uses some sort of cloud computing today, and it's easy to understand why. The cloud increases scalability, flexibility and collaboration -- often while cutting costs and improving efficiency.

The cloud is not without its challenges, however -- especially when it comes to data security.

Why is cloud data security important?

Data security in cloud computing is critical, regardless of whether it is in public clouds or private clouds. Compliance and privacy violations, cloud service provider (CSP) breaches or exposure and accidental misconfigurations of cloud services and data storage objects that could lead to data breaches and illicit data access are just a few of the many data security issues enterprises confront when they deploy applications and sensitive information into the cloud. Other threats that also affect on-premises environments, such as insider threats, also affect cloud computing security.

In order for organizations to reap the benefits of the cloud, they must be aware of the top cloud data security threats and challenges and how to mitigate them, as well as general and SaaS-, PaaS- and IaaS-specific cloud security considerations.

Top cloud data security threats and challenges

In its updated "Top Threats to Cloud Computing" research, the Cloud Security Alliance cited 11 key cloud security risks, among them the following three pertaining specifically to data:

  1. insufficient credential and key management
  2. accidental cloud data disclosure/exposure
  3. cloud storage data exfiltration

Data storage is a particularly thorny issue. Cloud providers employ a variety of data storage options depending on the types of cloud services in use. SaaS providers usually have large-scale storage with database implementations -- in many cases, with little or no control over data protection afforded to customers -- whereas PaaS and IaaS providers often offer individual virtual disk volumes, along with a variety of cloud-native blob, database and large-scale storage resources.

Additionally, enterprises have to choose among an assortment of controls, most of which are specific to the cloud service types and CSPs they use. Any cloud data security strategy must include the following:

  • evaluation of encryption types and availability;
  • encryption key management services and options available within the cloud;
  • data lifecycle and archival options;
  • backup capabilities;
  • data loss prevention (DLP); and
  • data storage monitoring.

Key components to ensure data security in the cloud

When devising a strategy for data security in cloud computing, keep the following general cloud security considerations in mind, as well as some specific SaaS, PaaS and IaaS considerations.

Multifactor authentication for every cloud

For all cloud environments, require multifactor authentication (MFA) for any privileged users accessing cloud services or performing administrative activities, at minimum. Ideally, require MFA for any end user accessing the cloud. Keep permissions and security controls up to date, and ensure security measures are documented in a cloud security policy.

Ideally, all SaaS cloud access should be brokered through a cloud access security broker, if possible, to enable DLP, content filtering, malware protection and other controls.

Cloud security posture management (CSPM) and SaaS security posture management (SSPM) tools can help enterprises keep a close eye on data storage configurations and whether data is being exposed.

SaaS data security

For SaaS specifically, prepare to be underwhelmed with the number of sound data security options available to configure and manage.

In SaaS environments, most data security is managed by the CSP itself, and it's important to carefully review any controls reports and shared responsibility attestations. Logging in SaaS environments is notoriously challenging -- or even nonexistent. In some cases, CSPM and SSPM software may help.

PaaS- and IaaS-specific data security

For PaaS and IaaS providers, some considerations for data security in cloud computing include the following:

  • Encryption. Look for cloud storage services that offer the ability to generate 256-bit AES keys or better, or import them for bring your own key. Any encryption key management should be focused on strong encryption standards, such as AES, as well as strong cipher suites. Many leading PaaS and IaaS offerings now include automatic encryption of all storage, which is fantastic.
  • Key management. Check for services that offer support for key management standards, such as OASIS Key Management Interoperability Protocol. This is helpful if your goal is create a hybrid key management strategy between on-premises infrastructure -- usually with hardware security modules -- and cloud key storage and management.
  • Identity and Access Management. Ensure any cloud storage environment supports strong identity and privilege policy controls, as well as data lifecycle controls. Ideally, granular privileges and integrated access controls, including MFA, are supported, along with selective controls related to data tagging, tracking and archiving.
  • Logging. Enable detailed and extensive logging for all storage environments or types using native cloud logging, such as AWS CloudTrail, Azure Monitor or Google Cloud Logging. These logs should be sent to a central storage location for processing or analysis, and security operations teams should build playbooks and workflows that prioritize data access and storage events.

Some final advice

Regardless of the deployment, carefully consider the types of cloud storage in use. SaaS options are limited, but PaaS and IaaS clouds offer a variety of cloud storage services, each with different security and protection capabilities.

Determine data store exposure on a case-by-case basis. Remember that cloud application components and services are interconnected. Exposed APIs or vulnerable web services could give malicious actors unauthorized access to cloud storage, as well as other data.

Dig Deeper on Cloud security