The Lost Art of Visibility, in the World of Clouds
Published 11/20/2024
Written by Vito Nozza, Softchoice.
“The power of visibility can never be underestimated.” - Margaret Cho
As many of you who have read my past blogs know, I like to quote individuals who have experience in a given subject. Although the above quote was meant for a different context, it holds true for this conversation. The value of adopting cloud-based services has skyrocketed over the last 10 years. The ability for companies to use the cloud’s flexible, scalable, and cost-effective computing while cutting IT costs, consolidating data centers, accelerating growth and enabling digital transformation has an appeal that surpasses that of privately owned infrastructure.
Companies battling inflation and the rising cost of real estate are prime reasons the cloud has accelerated in the post-pandemic hybrid world.
With all the cloud’s advantages for better, more agile business come the downsides of this venture. “My data is now in the cloud, it’s not my responsibility anymore. Security measures are part of my service.” This statement is heard more often than I would like, and it shows that most companies do not have proper visibility into how their data is being collected, used, stored or protected.
The following guidelines offer recommendations worth investigating to make your cloud journey worthy of a strong security program.
Know where your data is located.
Cloud providers tend to move data between physical locations to meet storage and computing requirements. The ability to back up data in different regions of the US and the world also addresses local threats, such as those caused by mother nature. With a very busy hurricane season upon us, it would be wise to have a view into where your data is being housed and the ability to quickly access it, should the need arise.
A second threat that could turn into a risk is the regulatory and legislative law that applies to the information being housed. If US law does not allow data to travel beyond our border, or data is housed in a region of the world that would raise concerns about retrieval, this is best known during contract negotiations, prior to accepting your CSP’s services.
Data Privacy and Security can be achieved in the cloud
Security and privacy are not limited to the data located on premise. It applies to all your data in the cloud, too.
IT leaders must keep cloud data confidential and protect its integrity, ensuring it cannot be changed without authorization. A data governance and compliance program can help prevent your data from being altered and keep it from being compromised. Data should be properly stored, monitored, and encrypted, and your cloud service provider should leave you holding the encryption keys, the keys to the kingdom so to speak.
Cloud providers can house your data and ensure it remains available to you, but they should not have access to it. Ensure your data is transferred to the cloud securely, and once it is in the cloud, be sure you’ve locked down who can access it. Tools have been created specifically for cloud-based transactions and data protection. Consider application, workload and cloud posture management tools to elevate your security posture and integrity.
Assess your risk
Develop a risk management program to understand your critical assets and the impact of losing them. Determine how much data can be lost before it must be backed up. Know which assets have critical operational requirements and which controls are required to protect them. Executive leadership and board members approve that security posture. Smart leaders will ensure their cloud partner has the same security posture as they do, if not better.
Remember, the cloud is an extension of your network, so it’s important to prioritize your data and risks. Proper identification and classification of your assets will help build a strong security and privacy program, which you can extend out to both your cloud provider and third parties.
Know your rights with your cloud data.
Not many CSPs will allow you to audit their environment; however, most will provide their audit reports to show that they are certified under industry-specific standards, for example HIPAA (healthcare) or PCI DSS (retail). A good cloud provider will most likely have SOC 2 Type 2 and/or SSAE 18 attestation reports available for you to view. Some will allow you to audit your slice of the cloud, but never the entire infrastructure. A good recommended action is to prepare and follow a data compliance program that adheres to regulatory requirements. This can facilitate a shared understanding between the CSP and your company.
Create a program to maintain data integrity
Data is now in the cloud, and employees, contractors, customers, partners and third-party agents have access to it. Developing an identity and access management (IAM) practice is essential. You must understand the attack surface and who has access to the entry points into your environment. Your goal is to ensure the protect surface and all its assets are not compromised. These breaches will most likely come from internal sources, so a proper file integrity management (FIM) system is key to data integrity. Even if your employee has access to the data, what actions are being performed? Are they altering the data? Copying it? Downloading the information? What were the requirements for such actions? It’s key to understand that all these integrity measures, which should already be present in on-prem data practices, continue with more scrutiny once data has been relinquished to the cloud.
Understand relevant privacy regulations
Privacy regulations have been popping up around the world, and they’re all slightly different. You’ll need to ensure your cloud data adheres to the rules that affect your industry and the regional locations of your stored data.
Your cloud providers may have data storage sites all over the world, and they may move your data to secure sites that are in violation of privacy laws. In Europe, for instance, the General Data Protection Regulation (GDPR) requires European customer data to follow certain protocols, ensuring the individual’s data privacy. The California Consumer Privacy Act (CCPA) has similar features and allows consumers full access to their data and notification of how it is being used. All this can be tricky if information is scattered across various repositories in violation of regulatory requirements. You need to ensure that your CSP is providing you the information on where your data is being stored: In which locale, region or country is the data housed? What are the requirements for the locations where you conduct business?
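The data location and regulatory concerns above (and the earlier point about holding your own encryption keys) can be turned into a repeatable check rather than a one-off contract review. The Python example below is added for illustration and is not Softchoice’s code or any provider’s API: it takes a constructed inventory of data stores, with hypothetical region names and classifications, and flags every store whose primary or backup location falls outside the regions its data class permits, or whose encryption key is held by the provider when the policy requires a customer-managed key.

```python
from dataclasses import dataclass, field


@dataclass
class DataStore:
    """One data store as it might appear in a CSP inventory export (constructed)."""
    name: str
    classification: str            # e.g. "eu-personal", "us-phi", "public"
    primary_region: str
    backup_regions: list = field(default_factory=list)
    key_owner: str = "provider"    # "customer" means a customer-managed key


# Hypothetical policy: allowed regions per data class and whether a
# customer-managed key is required. Region names are illustrative only.
POLICY = {
    "eu-personal": {"regions": {"eu-west", "eu-central"}, "customer_key": True},
    "us-phi":      {"regions": {"us-east", "us-west"},    "customer_key": True},
    "public":      {"regions": None,                      "customer_key": False},
}


def evaluate(stores, policy=POLICY):
    """Return (store name, finding) tuples for every policy violation found."""
    findings = []
    for s in stores:
        rule = policy.get(s.classification)
        if rule is None:
            # Unclassified data cannot be checked against any residency rule
            findings.append((s.name, f"unclassified data class '{s.classification}'"))
            continue
        allowed = rule["regions"]
        if allowed is not None:
            # Backups count: a replica outside the allowed regions is still your data
            for region in [s.primary_region, *s.backup_regions]:
                if region not in allowed:
                    findings.append((s.name, f"data in disallowed region {region}"))
        if rule["customer_key"] and s.key_owner != "customer":
            findings.append((s.name, "encryption key is held by provider, not customer"))
    return findings


# Constructed sample inventory, not a real environment
SAMPLE_INVENTORY = [
    DataStore("crm-eu", "eu-personal", "eu-west", ["eu-central"], "customer"),
    DataStore("crm-eu-archive", "eu-personal", "eu-west", ["us-east"], "customer"),
    DataStore("patient-records", "us-phi", "us-east", ["us-west"], "provider"),
    DataStore("marketing-site", "public", "ap-south", [], "provider"),
    DataStore("legacy-dump", "unknown", "us-east", [], "provider"),
]


if __name__ == "__main__":
    for name, finding in evaluate(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

The value of a check like this is that it runs every time the inventory changes, so a backup target quietly added in another jurisdiction, or a store created with the provider’s default key, surfaces as a finding instead of being discovered during an audit.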
Create a cloud incident response program
When it comes to an incident response program (IRP), it’s important to be on the same page as your cloud service provider. When a breach occurs, have you agreed, with both internal staff and your CSP, who has responsibility for each action? Ensure that if data needs to be recovered, your service level agreement (SLA) states the expected time and data retrieval options. These must all match your company’s internal processes and procedures.
When practicing your IRP in a tabletop exercise (TTX), involve all third parties that will be part of the program. Your CSP should be your closest ally.
In the end, migrating to the cloud can save your organization both money and time. But those benefits disappear if your data isn’t secure, private, and available when you need it to ensure operational continuity of your business.
Ultimately, the confidentiality, integrity and availability (CIA) of your DAAS (critical data, assets, applications and services) should be top of the list when working with a cloud provider. Developing programs such as Zero Trust and Data Loss Prevention is what Softchoice does. Our rich history of providing clients with data and application resources to elevate their business needs has enabled us to understand the data flows and attack vectors that need to be mitigated.
We work with clients across diverse industries in developing business continuity, disaster recovery and incident response plans for both on-prem and cloud-based ecosystems.
Remember, you should not have to worry about whether your data is safe; having the proper guidance and programs can lead to successful business outcomes. Now you know, and knowing is half the battle.