The Problem With Securing Cloud Data

Security was already a complex topic. Then the cloud came along. The cloud, in any of its forms, offers an attractive price and performance alternative to the traditional data center. In some cases, it may even replace IT implementations altogether. Nevertheless, the cloud will have to support the same IT processes, services and best practices galvanized by years of experience running IT organizations. This is particularly true for data security and compliance services.

While clouds present an optimistic and attractive model for IT, there is a key caveat: Clouds offer different levels of ownership and outsourcing, which greatly complicate our approaches for ensuring data security. Data is the most critical asset for a company, but now it may be sitting in cloud data environments that are out of the enterprise’s control.

Think about how worried you are when the data is in your data center, managed by people you know. With the cloud, you might not even know where the servers are, who is sharing them, who is managing them or what processes are in place to protect them. The obvious question becomes, “What considerations should I make to protect my data so my organization can move securely and confidently to the cloud?”


Before starting, consider the best approach to protecting your data in general, and then ensure that those precepts are followed in the cloud environment.

A Risk-Based Approach

First, you need to understand your data. Not all data is the same, and you must allocate appropriate resources to the most important information. In terms of security, you need to reduce the risk faced by that critical data. There are two important dimensions to this effort:

  1. Business value: How frequently is the data used to run the business and by whom (e.g., a pricing and discount table used daily by pricers)?
  2. Risk: How sensitive is the data and what exposures does it have (e.g., is it on a server with default passwords)?

The answers to these questions will help determine the relevance of the data and how you need to specifically treat it in its life cycle, especially for security and compliance.

An ideal way to do this is through automatic discovery tools that show you where your sensitive data is, who has access to it and how risky it can be. Armed with this knowledge, it becomes easier to choose how to mitigate the risk with the right tools, such as encryption, masking, archiving, deleting and even tightening access control rules.

The final step is to continue to monitor access to your sensitive data in order to maintain a tolerable risk level, especially against misuse or abuse of privileged access.

Three Environments for Cloud Data

Cloud service providers (CSPs) can offer customers different levels of control or convenience with regard to the services they provide. To apply the risk-based methodology to the cloud, you need to consider the three main environments.

Infrastructure-as-a-Service

Infrastructure-as-a-service (IaaS) is where the CSP manages the virtual and physical foundation. The end customer can control all other components up to the application layers. This may be the simpler scenario to support for data security because the same on-premises security controls — such as discovery, classification, vulnerability assessment, encryption, masking, monitoring, auditing and blocking — can be applied.

Platform-as-a-Service

Platform-as-a-service (PaaS) is where the CSP additionally manages the middleware and runtime. The end customer only has control over how to manage the data and the application. New data-as-a-service options offer customers access to shared virtual database space. The customer controls the data put in these spaces and the applications that use it but can only apply data security controls that the CSP has allowed or that exist at the application layer.

Regardless of the data security services provided, customers need to ensure that they retain control. For example, they should request to hold the encryption keys themselves or to have access to the monitoring consoles.

Software-as-a-Service

Finally, there is software-as-a-service (SaaS), where the customer is only a user of the service and administration of the entire stack is left to the CSP. The customer has no control over what is done with the data. Dropbox and Google Docs are common in the mobile consumer space, and Salesforce is a well-known enterprise example. SaaS environments are the most difficult to control for data security because the data is at the mercy of the CSP. The only control the end customer retains is to encrypt or mask the data before it is sent to the application, and even then care is needed not to break application logic.

For cloud environments, the more control you give to a CSP, the more dependent you are on its security processes. Service-level agreements can be set to increase confidence, but the further down the stack your own control extends, the more of the risk you can lower yourself.
