Demo: Hyland Cloud — 7 Layers of defense
This video provides an overview of Hyland Cloud's layers of defense.
Cloud data security is a top priority for any cloud-enabled organization. Proper execution requires cloud expertise, organizational behavioral training and continual digital transformation of the technology stack and strategy.
What is Data Protection in the Cloud?
Cloud data protection is the aggregate of established policy, processes and in-place technical controls that protects data and privacy while interacting with cloud-based resources.
This includes, but is not limited to:
The threats to data security are ongoing and ever-changing. Because cloud computing is now the dominant infrastructure approach for major enterprises, the amount of data in the cloud is higher than ever. Consequently, cloud security and the protection of the data stored there is critical to good business.
— Gartner
Verizon’s 2022 Data Breach Investigations Report is a treasure trove of data breach insight. It identifies four key avenues that lead to breaches: stolen credentials, phishing, exploiting vulnerabilities and botnets.
Attack types of note:
The financial cost of a data breach averaged $9.44 million for U.S.-based organizations, but for healthcare, the cost topped $10 million, according to the Ponemon Institute.
When an enterprise partners with a solution that deploys in the cloud, it places at least part of the responsibility of protecting its data onto the cloud provider. However, if the cloud provider fails to execute its cloud data security at the level it promised and breaches occur, the reputational damage isn’t confined to the cloud provider. The damage — reputationally and more — is likely to have repercussions for the solution providers and enterprises that stored their assets in that cloud environment, not to mention any consumers impacted.
In addition to cloud service providers’ compliance needs, enterprises often have their own industry or geographically mandated compliance orders. Typically, compliance is a two-pronged approach:
Cloud data security is critical for earning and maintaining the types of certifications enterprises often need. Whether the certifications are industry-mandated, like for healthcare, government, financial services or another area, or customers require certification as a part of doing business, proper cloud security measures are a must. From cybersecurity insurance to best-practice data processing, certifications and the strength of your cloud security are often entwined.
Cloud data security best practices require a defense approach that layers multiple types of defense tactics on top of one another. This multilayer approach provides the highest chance of security success against the dynamic threats that face an organization.
Here’s what a layered approach looks like: Imagine your organization as a castle in Medieval times. For top security, your castle must be protected with multiple layers of varying defense:
The more things change, the more they stay the same. The best practices for securing your cloud data are based on the same principles of security as the olden days — but with an obvious, enhanced digital focus.
A defense-in-depth cloud security strategy uses different layers of data and privacy protection to protect your data in the cloud. For different types of threats (phishing vs. stolen credentials, for example), you need a different type of layer of protection. With multiple layers, more threats are covered and should one layer fail, another may thwart the attack.
No, it’s not from that CIA.
The CIA triad describes a model that places these three types of security as priorities:
At the end of the day, those three tenets are what comprise cloud data security.
An enterprise leveraging cloud computing should have layers of defense including:
Policies and procedures
Physical security
Perimeter defense
Internal network security
Host security
Application security
Data security
It’s important to note that no security strategy is fool-proof — best-practice cloud data security requires constant upkeep, evolution, innovation and investment.
A perfect record of cloud data protection can thwart an endless stream of threats for months and years, and save your organization billions of dollars.
But just one security failure can cost an organization — either in direct repercussions of compromised data or longer-term impacts from the breach, such as in fines paid or reputational damage.
Organizations must have both a culture of security and a culture that understands security. This includes everyone from maintenance crews, vendors and contract workers to CEOs, IT leaders and technology partners.
Create a culture of cloud data security
Successful security is very much a cat and mouse game. What you test this month might be completely different for the next month because these attacks evolve constantly, and your organization has to, too. In order to keep up, organizations should:
Enlist everyone
Every single person at an organization is a critical part of the layered defense strategy. Your security is only as strong as the weakest link, so enlist every team member across the enterprise into the maintenance and perpetuation of security for your cloud data.
Actively coach your team with ongoing training
Conduct regular, mandatory training for every team member. Create a team that deploys active types of engagements to test and educate team members and see how they might respond to real threats. These tests should look similar to real-life threats hackers would use to attack or test for weaknesses. Those results will inform your security team what might work well against you and help better define what security trainings should be the highest priority going forward.
Employ cloud experts to work on cloud
Self-inflicted security breaches can occur when cloud security team members don’t have the necessary cloud expertise to get the job done right. Verizon’s Data Breach Investigations Report of 2022 found that errors influenced by misconfigured cloud storage continue to be a dominant trend.
— Dylan Border, Director of Cyber Security, Hyland
In addition to the best practices listed above, cloud data protection can be well-served with these methods.
Automate the cloud
Downscaling the amount of human interaction from the resources within the cloud via automation can help protect data in the cloud. This helps with both threat and anomaly detection, as well as in the response. When automation is built into the cloud infrastructure, changes and updates can be launched and completed in seconds rather than days, weeks or months.
For example, AWS can interact with APIs and send a single command line to kick off a series of scripts that launch the relevant instances and containers needed for the entire cloud environment. In addition to time efficiency, cloud automation also eliminates human error and cloud misconfiguration.
Partner with a third-party cybersecurity risk management team
Vet and employ an independent, neutral tool that analyzes and reports on your organization’s security preparedness. BitSight, for example, helps monitor an entity’s public footprint online.
Both cloud providers and the enterprises leveraging a cloud provider’s services can benefit from these third-party assessment tools. The feedback can be used both proactively and reactively:
Top-tier cloud service providers will use these third-party assessors to monitor their scores as well as those of customers, vendors and payment processors.
Infrastructure as code (IaC)
By managing and deploying your cloud infrastructure as code rather than through manual processes, you limit human error and the intrusion of bad actors — both internal and external. IaC forces your cloud administration through the same security lifecycle development process that application coding would go through to assure it’s not malicious.
Cloud infrastructure speeds business and enables organizations to work in real time, anywhere. It drives cost savings, frees up physical space, supports the modern, remote ways we work, and supports disaster recovery preparedness.
However, cloud computing does face issues and challenges, including:
Access control
Knowing who can access what data in your cloud environment is important for data security. Cloud service customers should know who’s validating access and require strong precautions around data-level access and crypto keys, as well as ensure their cloud service providers follow the best practices we’ve discussed above, from culture to defense layers.
Unfortunately, poor access control visibility can let malicious actors (often insider threats) into your cloud setup.
Supply chain attacks
These attacks are initially orchestrated against the software of a larger organization’s smaller partner. As large enterprises have become savvier in the data protection game, malicious actors have increased their attacks on smaller vendors who may sell their product to a larger entity. Once that undetected, infected partner software is unleashed into the target enterprise’s cloud environment, it infects all users of the application.
These supply chain attacks can impact suppliers, and then the suppliers of your suppliers, creating a chain infection of malicious coding. They can also be hard to trace because of the lengthy chains.
Inventory of assets
Organizations with lackluster asset management protocols may not know what assets and data they have in the cloud. And because pieces of today’s fast-paced cloud are spun up and destroyed at a rapid rate, cloud security teams may not be able to keep pace with what’s happening within the environment.
To combat this vulnerability, organizations should know what’s in the cloud, why it’s there and who’s managing it. This helps with forensic analysis as well: if a breach does occur, your cloud security team can track ephemeral systems.
Bottom line: You can’t secure what you don’t know is there.
Cloud expertise shortages
The industry faces a cloud expertise shortage, and some of the biggest security challenges come with it. If employees without the critical cloud expertise try to deploy assets into the cloud the same way they do to their traditional datacenters, things can go quite wrong from a security perspective. While the two skill sets can complement each other, they’re not a like-for-like match.
Add in the speed of the cloud, and how quickly cloud providers can modify and replace their own services, and it’s exceptionally challenging for noncloud experts (and cloud experts) to keep up.
The difference in security between cloud computing and on-premise datacenters is essentially who owns the liability.
An on-premise datacenter that doesn’t utilize the cloud has servers that are owned and managed by the enterprise. In that scenario, the organization is fully responsible for security.
When an enterprise partners with a cloud-enabled solution that leverages a cloud provider, the datacenter security responsibility shifts to the cloud provider.
However, the organization must do its due diligence in vetting all suppliers, vendors and providers who have any hand in the cloud infrastructure, applications used and services procured. Ideally, this means an enterprise selects a major provider, such as AWS, which would have the highest levels of cloud security talent working on them and proven track records of security success.
Will cloud replace datacenters?
No, the cloud doesn’t replace datacenters. A cloud solution still uses a datacenter for data storage. However, most enterprises are moving away from managing their own on-premise datacenters. Cloud providers own and manage their own datacenters, and they essentially “rent” storage space out to partners.
For example, AWS is a cloud provider that manages its own datacenters that are used to store their partners’ cloud data. AWS is responsible for the security and upkeep of those datacenters, and that’s where they store the data of their cloud infrastructure customers.
Hyland is a leading content services provider with a range of cloud-enabled and cloud-native technologies, solutions and services. We take cloud data security seriously because our customers demand it, and because it’s the right thing to do.