Originally published by Laminar Security here.

Written by Andy Smith, Laminar Security.

Shifting to the cloud is a necessary step in the digital transformation required for businesses to get and stay ahead. The cloud allows employees to access resources from almost anywhere at any time, enhances data accessibility, improves team collaboration, and simplifies administration. This greatly enhanced speed and flexibility gives developers and data scientists the tools they need to stay at the forefront of innovation.

However, it is not without its challenges. One of those is data security. This is why cloud data security has become an imperative for businesses that wish to continue to innovate at the speed of cloud while still protecting their most sensitive data: a failure to do so can have a devastating impact on your business's operation and reputation.

In this article, we learn more about cloud-native data security, cloud security challenges, and best practices for protecting your data in the cloud.

An Overview Of Cloud Data Security

Cloud data security is a new and rapidly evolving security discipline designed to safeguard data, wherever it resides in the cloud. The discipline is focused on protecting cloud data from breaches and compromises while also empowering organizations to leverage that data to meet business goals. To make this approach work, it’s imperative for security teams to understand where the sensitive data is and who has access to it, the overall security posture of that data, and how it is being accessed on an ongoing basis.

The discipline of cloud data security can:

• Protect data from external malicious activity intended to steal or hold data hostage, like ransomware.
• Prevent human error or neglect from enabling data breaches.
• Reduce the repercussions of any system breach or insider threat by monitoring and blocking unwanted data access.
• Reduce the attack surface by identifying and eliminating the shadow data that is unmanaged by security, unnecessary and presents a risk to the business.
• Prevent privacy and regulatory violations due to data exposure and ease compliance.

Cloud data security is a vital component of cloud security, which, together with cloud infrastructure and application security, along with identity management, forms a cohesive backbone of an organization’s overall cloud security strategy.

What are the Challenges of Securing Data in the Cloud?

Cloud computing allows for a multitude of technologies which offer a wide range of data ownership and storage capabilities. The complexity and scope of the myriad of technologies that are implemented in the cloud and the scale of speed at which things change make cloud security, and data security in the cloud, incredibly challenging and impossible to do manually. Chief among the pain points organizations experience in cloud data protection are:

1. Data proliferation

Data multiplies quickly in the cloud. Multiple departments can use public cloud platforms, and developers move and copy data into new applications and new environments at the push of a button, all without the knowledge or consent of security or IT. The pace of change is on a daily, if not hourly, basis. The net result is that there are many data assets unknown to security and no consolidated view of data across the cloud environment. It is impossible to protect what you don’t know about.

2. Data policies do not travel

The sprawl of technology in the cloud is unprecedented. Each of the major cloud providers has dozens of different ways to store and process data, each with its own configurations and controls. Manually applying policies to and protecting cloud data across this broad of a landscape is impossible, and security policies do not automatically travel with the data as it proliferates, they must be reset and re-established with each new copy. In this reality, the only way to apply policies to the data is to provide the policies to developers and data scientists and trust that they will work within those guardrails. But trusting security to others without automated verification is dangerous, especially when security is not their focus.

3. Opaque data access

Because the cloud is so complex it’s also very complex to know who has access to the data. It’s easy to know the answer to the question, “what does Fred have access to?” However, due to multiple decades worth of disparate access control technologies on each cloud service it’s very challenging to understand who all has access to a specific data element. Without this knowledge organizations can’t easily limit who has access to the most sensitive cloud data, which leaves a much bigger risk of that data being exploited than is necessary. In addition, when an organization experiences a weaponized third party or insider threat and needs to mitigate the impact, they can’t because they don’t know who has access to that data.

4. Tracking activity is cost prohibitive & noisy

To monitor your cloud environment for attacks in progress or data leaks you have to track all activity. To track all activity you have to enable logging. If you don’t know where your crown jewels are, your only option is to log everything, which is cost prohibitive, therefore most organizations end up logging nothing. For those who choose to monitor cloud data, regardless of the expense, there is a lot of noise and it is very difficult to pinpoint the source of a threat given all of the noise. As a result, the majority of data leaks go undetected for long periods of time.

The answer to all of these challenges is to focus on the data. A data-centric strategy simplifies cloud security by giving security teams the means to focus on protecting what’s most important to the organization—its most sensitive data.

What Makes A Comprehensive Cloud Data Security Strategy?

Many organizations focus on protecting their cloud infrastructure first. This is an important component of a comprehensive cloud security solution set, but given that an organization’s most valuable asset is its data, infrastructure security alone is not enough. To truly protect the data, particularly the most sensitive data, requires a dedicated cloud data security solution.

In addition to a solution that is data-centric, solving for the complexity, scope and scale of the cloud also requires a solution that is custom-built for the challenges of the cloud, not just repurposed on-premises data security tools. This solution needs to protect the data across its entire lifecycle, from initial discovery and cataloging to ongoing real-time monitoring for anomalous access. The solution must enforce both preventive and detective controls. Organizations should look for one solution that brings together all of the capabilities of data catalog, data security posture management, data access control, and data detection and response together under one roof and in one unified view.

Data Catalog for Cloud Security

The first step of securing your cloud data is knowing what data you have. Because of this, it's important to employ robust data cataloging technology. The data catalog discovers all of the data and everything you need to know about the data, whether that data is located in managed or unmanaged data assets, data caches, data pipelines, Big Data environments, or shadow data (unknown data stores).

In addition to discovery, a catalog should classify and catalog the data for the information needed to determine how it should be protected. This means uncovering everything from the data type and record to sensitivity and owner. Any data catalog solution worth its weight should do all of this autonomously, asynchronously and without any prior knowledge or effort on the part of the user. The challenge is to find ALL the data, even in places you don’t know it exists and to do that the cloud data security solution must be 100% autonomous, not require agents or connectors to be installed, not require knowledge of access credentials. It’s the hidden, shadow data that is unmanaged and unprotected that attackers are after.

Data Security Posture Management (DSPM)

Now you know what data you have and where that data is, the next step is to implement policies dictating how you protect your data and determining the gaps between stated policy and existing security posture that may be putting sensitive data at risk. Everything from exposure and access to retention period and encryption are set forth in policies that the data security posture management (DSPM) verifies is being met. At the core of DSPM is a policy engine that detects and alerts on data security policy violations and then provides guided remediation. This allows security teams to assess security posture, prioritize data that presents the biggest risk to the business, and remediate issues that actually put sensitive data at risk.

As opposed to a cloud security posture management tool, DSPM policies focus on the data regardless of the infrastructure it resides on. These policies are data-centric based on sensitivity. PCI data should be encrypted, should never be publicly exposed, PII should never be in a development environment or should have a retention period of X years. The data policies are MUCH DIFFERENT than infrastructure-centric policies.

Cloud Data Access Control (CDAC)

Access in the cloud environment is complex. Organizations seeking a full picture of their data security risks need to understand which entity or entities have access to what data. Data access control capabilities enable the visualization of the data access, and gives data security practitioners the information they need to then explore the ways that data and entities are connected.

For example, say the DSPM has found a violation where sensitive data is overexposed by allowing a third party vendor access. One of the questions the person looking into this has is what else can that vendor access, or who else has access to that sensitive data—the CDAC can help visualize the answers to both questions. Alternatively, let's say data detection and response (DDR) alerts on malicious activity in a machine, then the person investigating may want to know what cloud data has been accessed by a malicious actor on that machine with a certain identity. The CDAC would be able to visualize it and simplify it down to exactly what data could have been exposed.

Data Detection & Response (DDR)

The final component of a comprehensive cloud data security strategy is knowing what, if any, current activity is indicative that your sensitive data may be under attack. Data detection and response (DDR) monitors and alerts on ongoing, real-time activities that may indicate data leakage or signs of a potential breach. Unlike similar tools such as extended detection and response (XDR) or endpoint detection and response (EDR), DDR understands which data is critical. It then uses machine learning to detect anomalous activity around this critical, most sensitive data, which allows alerts to be much more specific and greatly reduces noise and cost.

Partnering With A Trusted Provider For Access To Flawless Data Protection

The cloud is the best solution for most businesses' IT infrastructure today. However, 98% of all organizations said in a recent poll that they had dealt with a cloud-related security incident. Be sure to provide security teams with a cloud-native data security platform that protects everything they build and run in the cloud that brings together the capabilities of data catalog, DSPM, CDAC and DDR—offering unparalleled visibility and security.