Fundamentals of cloud data security and protection

Organizations remain vulnerable to breaches

Verizon’s 2022 Data Breach Investigations Report is a treasure trove of data breach insight. It identifies four key avenues that lead to breaches: stolen credentials, phishing, exploiting vulnerabilities and botnets.

Attack types of note:

• Ransomware: Trended upward with an increase that outpaced its prevalence in the past five years combined.
• Supply chain attacks: Whether financially motivated or a nation-state attack, a single compromised partner can have lasting ripple effects.
• Error: With misconfigured cloud storage heavily influencing this category, Verizon notes “the fallibility of employees should not be discounted.”
• Human element: This is a continued weak spot, with stolen credentials and phishing playing a major part. 

Financial risk

The financial cost of a data breach averaged $9.44 million for U.S.-based organizations, but for healthcare, the cost topped $10 million, according to the Ponemon Institute.

Reputation

When an enterprise partners with a solution that deploys in the cloud, it places at least part of the responsibility of protecting its data onto the cloud provider. However, if the cloud provider fails to execute its cloud data security at the level it promised and breaches occur, the reputational damage isn’t confined to the cloud provider. The damage — reputationally and more — is likely to have repercussions for the solution providers and enterprises that stored their assets in that cloud environment, not to mention any consumers impacted.

Compliance

In addition to cloud service providers’ compliance needs, enterprises often have their own industry or geographically mandated compliance orders. Typically, compliance is a two-pronged approach:

1. Policy, procedures and operations
2. The technical side of cloud security, such as enforcing control or monitoring that control 

Certifications

Cloud data security is critical for earning and maintaining the types of certifications enterprises often need. Whether the certifications are industry-mandated, like for healthcare, government, financial services or another area, or customers require certification as a part of doing business, proper cloud security measures are a must. From cybersecurity insurance to best-practice data processing, certifications and the strength of your cloud security are often entwined.

Cloud Data Security Best Practices

Cloud data security best practices require a defense approach that layers multiple types of defense tactics on top of one another. This multilayer approach provides the highest chance of security success against the dynamic threats that face an organization.

Here’s what a layered approach looks like: Imagine your organization as a castle in Medieval times. For top security, your castle must be protected with multiple layers of varying defense:

• Strategic location with natural barriers such as a hilltop or cliffside
• Ongoing upkeep to the structure
• Archers to hold off advances
• Moats to impede large attacks
• Drawbridges and portcullises to cut off easy access
• Tar for encroaching breaches
• Hidden keeps within

The more things change, the more they stay the same. The best practices for securing your cloud data are based on the same principles of security as the olden days — but with an obvious, enhanced digital focus.

Defense in depth in the cloud

A defense-in-depth cloud security strategy uses different layers of data and privacy protection to protect your data in the cloud. For different types of threats (phishing vs. stolen credentials, for example), you need a different type of layer of protection. With multiple layers, more threats are covered and should one layer fail, another may thwart the attack.

The CIA triad

No, it’s not from that CIA.

• Confidentiality: The right people can access the right level of information
• Integrity: Data is consistent and accurate
• Availability: The reliability of access to the right information

At the end of the day, those three tenets are what comprise cloud data security.

Types of cloud data protection

An enterprise leveraging cloud computing should have layers of defense including:

Policies and procedures

• Strong password security and single sign-on (SSO)
• Multifactor authentication (MFA)
• Security training and annual policy reviews

Physical security

• Security guards
• MFA, mantraps, biometrics
• Access control lists
• Power redundancy
• Fire suppression
• Geographic disbursement

Perimeter defense

• Vulnerability and penetration testing
• SIEM
• Earlier denial of service (DoS) attack prevention
• Next-generation firewalls (NGFW)

Internal network security

• Internal firewalls and network segments
• Encryption in transit
• Role-based access
• Outbound web filtering
• High availability

Host security

• Endpoint detection and remediation
• Hardened deployment
• Timely and responsible patching

Application security

• Secure application development cycle
• Encryption key management
• Access controls
• Application logging
• Unique application credentials

Data security

• Encryption at rest
• Data redundancy and replication
• Data separation
• Least privilege access

It’s important to note that no security strategy is fool-proof — best-practice cloud data security requires constant upkeep, evolution, innovation and investment.

What does cloud data security achieve?

A perfect record of cloud data protection can thwart an endless stream of threats for months and years, and save your organization billions of dollars.

But just one security failure can cost an organization — either in direct repercussions of compromised data or longer-term impacts from the breach, such as in fines paid or reputational damage.

How do you Ensure Data Security in Cloud Computing?

Organizations must have both a culture of security and a culture that understands security. This includes everyone from maintenance crews, vendors and contract workers to CEOs, IT leaders and technology partners.

Create a culture of cloud data security

Successful security is very much a cat and mouse game. What you test this month might be completely different for the next month because these attacks evolve constantly, and your organization has to, too. In order to keep up, organizations should:

Enlist everyone

Every single person at an organization is a critical part of the layered defense strategy. Your security is only as strong as the weakest link, so enlist every team member across the enterprise into the maintenance and perpetuation of security for your cloud data.

Actively coach your team with ongoing training

Conduct regular, mandatory training for every team member. Create a team that deploys active types of engagements to test and educate team members and see how they might respond to real threats. These tests should look similar to real-life threats hackers would use to attack or test for weaknesses. Those results will inform your security team what might work well against you and help better define what security trainings should be the highest priority going forward.

Employ cloud experts to work on cloud

Self-inflicted security breaches can occur when cloud security team members don’t have the necessary cloud expertise to get the job done right. Verizon’s Data Breach Investigations Report of 2022 found that errors influenced by misconfigured cloud storage continue to be a dominant trend.

Methods of cloud data protection

In addition to the best practices listed above, cloud data protection can be well-served with these methods.

Automate the cloud

Downscaling the amount of human interaction from the resources within the cloud via automation can help protect data in the cloud. This helps with both threat and anomaly detection, as well as in the response. When automation is built into the cloud infrastructure, changes and updates can be launched and completed in seconds rather than days, weeks or months.

For example, AWS can interact with APIs and send a single command line to kick off a series of scripts that launch the relevant instances and containers needed for the entire cloud environment. In addition to time efficiency, cloud automation also eliminates human error and cloud misconfiguration.

Partner with a third-party cybersecurity risk management team

Vet and employ an independent, neutral tool that analyzes and reports on your organization’s security preparedness. BitSight, for example, helps monitor an entity’s public footprint online.

Both cloud providers and the enterprises leveraging a cloud provider’s services can benefit from these third-party assessment tools. The feedback can be used both proactively and reactively:

• Proactive monitoring: Validates that the things your cloud security team is doing internally are not reflecting differently on the outside.
• Reactive monitoring: Validates that your cloud security team is doing what they’ve said they are.

Top-tier cloud service providers will use these third-party assessors to monitor their scores as well those of customers, vendors and payment processors.

Infrastructure as code (IaC)

By managing and deploying your cloud infrastructure as code rather than through manual processes, you limit human error and the intrusion of bad actors — both internal and external. IaC forces your cloud administration through the same security lifecycle development process that application coding would go through to assure it’s not malicious.

Cloud data security issues and challenges

Cloud infrastructure speeds business and enables organizations to work in real time, anywhere. It drives cost savings, frees up physical space, supports the modern, remote ways we work, and supports disaster recovery preparedness.

However, cloud computing does face issues and challenges, including:

Access control

Knowing who can access what data is in your cloud environment is important for data security. Cloud service customers should know who’s validating access and require strong precautions around data-level access and crypto keys, as well as ensure their cloud service providers follow the best practices we’ve discussed above, from culture to defense layers.

Unfortunately, poor access control visibility can let malicious actors (often insider threats) into your cloud setup.

Supply chain attacks

These attacks are orchestrated, originally, against the software of a larger organization’s smaller partner. As large enterprises have become savvier in the data protection game, malicious actors have increased their attacks on smaller vendors who may sell their product to a larger entity. Once that undetected, infected partner software is unleashed into the target enterprise’s cloud environment, it infects all users of the application.

These supply chain attacks can impact suppliers, and then the suppliers of your suppliers, creating a chain infection of malicious coding. They can also be hard to trace because of the lengthy chains.

Inventory of assets

Organizations with lackluster asset management protocols may not know what assets and data they have in the cloud. Or because the nature of today’s fast-paced cloud is that pieces are spun up and destroyed at a rapid rate, cloud security teams may not be able to keep pace with what’s happening within the environment.

To combat this vulnerability, organizations should know what’s in the cloud, why it’s there and who’s managing it. This will help for forensic analyses as well, so that if a breach does occur, your cloud security team can track ephemeral systems.

Bottom line: You can’t secure what you don’t know is there.

Cloud expertise shortages

The industry faces a cloud expertise shortage, and some of the biggest security challenges come with it. If employees without the critical cloud expertise try to deploy assets into the cloud the same way they do to their traditional datacenters, things can go quite wrong from a security perspective. While the two skill sets can complement each other, they’re not a like-for-like match.

Add in the speed of the cloud, and how quickly cloud providers can modify and replace their own services, and it’s exceptionally challenging for noncloud experts (and cloud experts) to keep up.

Cloud vs. datacenter security

The difference in security between cloud computing and on-premise datacenters is essentially who owns the liability.

An on-premise datacenter that doesn’t utilize the cloud has servers that are owned and managed by the enterprise. In that scenario, the organization is fully responsible for security.

When an enterprise partners with a cloud-enabled solution that leverages a cloud provider, the datacenter security responsibility shifts to the cloud provider.

However, the organization must do its due diligence in vetting all suppliers, vendors and providers who have any hand in the cloud infrastructure, applications used and services procured. Ideally, this means an enterprise selects a major provider, such as AWS, which would have the highest levels of cloud security talent working on them and proven track records of security success.

Will cloud replace datacenters?

No, the cloud doesn’t replace datacenters. A cloud solution still uses a datacenter for data storage. However, most enterprises are moving away from managing their own on-premise datacenters. Cloud providers own and manage their own datacenters, and they essentially “rent” storage space out to partners.

For example, AWS is a cloud provider that manages its own datacenters that are used to store their partners’ cloud data. AWS is responsible for the security and upkeep of those datacenters, and that’s where they store the data of their cloud infrastructure customers.

Cloud data security for content services

Hyland is a leading content services provider with a range of cloud-enabled and cloud-native technologies, solutions and services. We take cloud data security seriously because our customers demand it, and because it’s the right thing to do.

Hyland and cloud computing

Learn more about Hyland in the cloud:

• Hyland on the AWS Marketplace
• The Hyland Cloud
• Hyland’s Alfresco Business Platform-as-a-Service

Hyland on AWS

Hyland is listed on the AWS Marketplace. Learn more about the benefits of purchasing there, including the ability to:

• Streamline procurement
• Implement controls and automate provisioning
• Manage software budgets with cost transparency