Key factors to achieve data security in cloud computing
Almost every business today uses some kind of cloud computing, and it’s easy to see why. The cloud increases scalability, flexibility, and collaboration, often while reducing costs and improving efficiency.
The cloud is not without its challenges, however especially when it comes to data security.
Why is cloud data security important?
Data security in the cloud is essential, whether in a public or private cloud. Privacy and compliance violations, cloud service provider (CSP) breaches or disclosures, and accidental misconfiguration of cloud services and data storage objects can lead to breaches data and illegal access to data are just a few of the many data security issues businesses face when deploying applications. and sensitive information in the cloud. Other threats that also affect the on-premises environment, such as insider threats, also affect cloud security.
For organizations to reap the benefits of the cloud, they must be aware of the top cloud data security threats and challenges and how to mitigate them, as well as SaaS, PaaS considerations and general and specific IaaS in cloud security.
Top cloud data security threats and challenges
In its updated “Top Threats to Cloud Computing” research, the Cloud Security Alliance cited 11 key cloud security risks, among them the following three pertaining specifically to data:
- insufficient credential and key management
- accidental cloud data disclosure/exposure
- cloud storage data exfiltration
Data storage is a particularly complex issue. Cloud providers use different data storage options depending on the type of cloud service used. SaaS Vendors typically have large-scale storage with database implementations in many cases, little or no control over the data protection provided to customers, while vendors PaaS and IaaS typically provide individual virtual disk volumes, as well as large-scale blobs, databases, and storage resources.
Additionally, enterprises must choose among an assortment of controls, most of which are specific to the cloud service types and CSPs they use. Any cloud data security strategy must include the following:
- evaluation of encryption types and availability.
- encryption key management services and options available within the cloud.
- data lifecycle and archival options.
- backup capabilities.
- data loss prevention (DLP); and
- data storage monitoring.
Key components to ensure data security in the cloud
When devising a strategy for data security in cloud computing, keep the following general cloud security considerations in mind, as well as some specific SaaS, PaaS, and IaaS considerations.
Multifactor authentication for every cloud
For all cloud environments, at least multi-factor authentication (MFA) is required for all users with privileges to access cloud services or perform administrative operations. Ideally, request an MFA for an end user accessing the cloud. Keep security permissions and controls up to date and ensure security measures are documented in the cloud security policy.
Ideally, all SaaS cloud access should be brokered through a cloud access security broker, if possible, to enable DLP, content filtering, malware protection and other controls.
Cloud security posture management (CSPM) and SaaS security posture management (SSPM) tools can help enterprises keep a close eye on data storage configurations and whether data is being exposed.
SaaS data security
For SaaS specifically, prepare to be underwhelmed with the number of sound data security options available to configure and manage.
In SaaS environments, most data security is managed by the CSP itself, and it’s important to carefully review any controls reports and shared responsibility attestations. Logging in SaaS environments is notoriously challenging or even nonexistent. In some cases, CSPM and SSPM software may help.
PaaS- and IaaS-specific data security
For PaaS and IaaS providers, some considerations for data security in cloud computing include the following:
- Encryption. Look for cloud storage services that offer the ability to generate 256-bit AES keys or better or import them for bring your own key. Any encryption key management should be focused on strong encryption standards, such as AES, as well as strong cipher suites. Many leading PaaS and IaaS offerings now include automatic encryption of all storage, which is fantastic.
- Key management. Check for services that offer support for key management standards, such as OASIS Key Management Interoperability Protocol. This is helpful if your goal is creating a hybrid key management strategy between on-premises infrastructure usually with hardware security modules — and cloud key storage and management.
- Identity and Access Management. Ensure any cloud storage environment supports strong identity and privilege policy controls, as well as data lifecycle controls. Ideally, granular privileges and integrated access controls, including MFA, are supported, along with selective controls related to data tagging, tracking, and archiving.
- Logging. Enable detailed and extensive logging for all storage environments or types using native cloud logging, such as AWS CloudTrail, Azure Monitor or Google Cloud Logging. These logs should be sent to a central storage location for processing or analysis, and security operations teams should build playbooks and workflows that prioritize data access and storage events.
Some final advice
Regardless of the deployment, carefully consider the types of cloud storage in use. SaaS options are limited, but PaaS and IaaS clouds offer a variety of cloud storage services, each with different security and protection capabilities.
Determine data store exposure on a case-by-case basis. Remember that cloud application components and services are interconnected. Exposed APIs or vulnerable web services could give malicious actors unauthorized access to cloud storage, as well as other data.