Today, organizations are placing more data as well as infrastructure in the public cloud. Public cloud has made it possible for organizations to be much more efficient, agile, and to integrate new technologies much more quickly. However, with all the benefits that public cloud brings to the table in regard to features and functionality, there are concerns when we think about the security of public cloud data and the accessibility of public cloud data when it exists in someone else’s data center.
The fine-grained control over server infrastructure that organizations have been accustomed to with on-premise datacenters has been shifted to the public cloud vendor. Additionally, in recent years, news headlines filled with massive data leaks or breaches add to the security concerns that many organizations may have about public cloud. How can organizations reduce, prevent, and even avoid data breaches in the cloud? Let’s take a look at five areas:
- Encrypting in flight and at rest data
- Implementing an API based CASB
- Monitoring, auditing, and proactive alerting
- Micro-segmenting access and network resources and JEA for users
- Backing up public cloud resources
Preventing and Protecting Against Cloud Data Breaches
As mentioned, there is no shortage of news regarding security related events with many of the world’s largest companies losing millions of dollars either as a direct result of breaches or in damages to company reputation. What can organizations do to protect themselves when it comes to cloud security? As with any security approach, one solution is not the answer.(Sounds a little awkward. Maybe reword it as: “As with any security approach, there can be many solutions.” Generally, good or even great security is effective when approached as “layers of an onion,” with a combination of technologies and best practices forming the cloud security strategy. Let’s look at a few strategies and technologies that can be successfully used to secure data in the cloud and help reduce and even prevent data breaches in the cloud.
Encryption In Flight and At Rest Data
We hear about encryption quite a lot these days. Often, however, it is not in a good context. Many attach the word encryption to bad guys who use ransomware to encrypt data and then hold that data hostage until a ransom is paid. Sadly, ransomware sheds a bad light on encryption. When encryption is used in a good way to secure data, then it can pay dividends in terms of the security benefits it brings to the table.
What is encryption anyway? Encryption takes readable data and encodes it so that it is unreadable without the “key” to unlock the data. Used in a good way for security purposes, we take an encryption key and use that key to encode our data so that only we can unlock it, and not someone who is trying to steal data.
When we think about data that is in transit from on-premise to the cloud and potentially stored in the public cloud, needs to be encrypted both in flight and at rest. This covers both aspects of encrypting data. Generally, we think about data encrypted at rest or when it is stored.
Data encrypted “at rest” is typically the encryption most think about with the term. Data “at rest” is not moving and is generally stored on local disks, SAN, NAS, or an other storage medium. Encryption at rest can generally be implemented in one of two ways – Entire disk encryption or file level encryption.
It has been said that data is more at risk when it is “in flight” or moving. When we think about the “hops” our data may make across the Internet from our on-premise datacenter to the public cloud, there could be dozens of potential points of vulnerability across the data path where our data could be at risk. When data is encrypted when it is moving or “in flight,” the data stream is encrypted at one point and then decrypted at the destination. Typically, in flight encryption can be accomplished using IPsec VPN tunnels or TLS/SSL for encryption. IPsec establishes mutual authentication between source and endpoints, negotiating the “keys” that are used in the TCP/IP session. Transport Layer Security (TLS) and Secure Sockets Layer (SSL) encryption can both be used to secure data transfer. TLS is a bit more efficient and secure than SSL, and is a newer implementation of secure algorithms.
An organization that wants to go a long way in effectively reducing or preventing cloud data breaches needs to address both the “in flight” and “at rest” data security issues when thinking about on-premise to public cloud network and data communications.
Implement an API based CASB
Many organizations consider cloud access security brokers or CASBs to be the cornerstone of securing their public cloud, as it can orchestrate many aspects and best practices of public cloud security. CASBs provide an extremely effective means of securing on-premise to public cloud data access and preventing breaches. They scrutinize and examine network traffic to ensure it meets the organization’s security and policy baselines such as preventing downloading of information, sharing of files, and other high-risk operations. API CASBs are the more modern and scalable implementations of cloud access security brokers, as they integrate very tightly with public cloud vendor open APIs made available. This tight integration allows the CASB to become part of the public cloud offering instead of being an add-on or proxy in the middle.
Additionally, API based CASBs allow for dynamic “learning” and retroactive action so that analyzed data from the CASB, which may indicate security or other vulnerabilities, can proactively remediate those security vulnerabilities. End users who access company public cloud data from the Internet using a personal device still receive the same policies and restrictions that a company provisioned and configured device receives. Users are not able to bypass those policies by using a different device or network path.
CASBs are becoming an essential component for organizations to ensure security and policy with end users accessing public cloud resources regardless of where or from what device they are coming from. A summary of API based CASB benefits include:
- Standardized security and policy enforcement regardless of the source network or end user device.
- Proactive and retroactive actions based on machine learning and data analysis
- Enforcing encryption in the cloud that meets organization defined standards – Data encryption in flight and at rest is extremely important in securing a company’s public cloud landscape.
- Detection and scrubbing of confidential information. Confidential information may include such things as credit card numbers or social security numbers.
- With alarming malware, such as ransomware, making many organizations wary of infection locally, these same ransomware attacks can affect cloud data. CASBs can proactively detect and restore cloud data that has been infected with potential ransomware.
- Prevent the downloading or sharing of data between company controlled public cloud resources and an employee’s personal public cloud accounts.
- Privileged account use monitoring and alerting to help audit the use of privileged accounts and alert based on predefined thresholds.
- In line with ransomware detection in the cloud, third party apps can be scanned and monitored for risky behavior or potentially dangerous permissions requests, etc.
- Proactive alerting of security and policy related events. Proactive monitoring can help administrators very quickly identify security and policy concerns within the organization’s public cloud resources.
Auditing, Monitoring, and Proactive Alerting
To go along with many of the abilities that CASBs afford organizations, using mechanisms such as CASBs and other resources to monitor and audit all actions and data in the cloud is necessary for security in today’s public cloud-driven infrastructure. Understanding which users, networks, third party applications, and devices are accessing an organization’s public cloud data is crucial to assessing risk and remediating any security threats that may arise. Additionally, having meaningful proactive alerts configured, which alert system and cloud administrators to security and audit related events, can shed light on security vulnerabilities.
Auditing, monitoring, and alerting should include a number of important metrics related to the security of the cloud environment. It may include but is not limited to the following:
- Auditing privileged account access – When is the privileged account(s) being used? Is the usage expected? Was the use in line with prior change control authorization? Does it follow a normal business trend that is expected, or is it unexpected? Which network or networks is the privileged account use coming from?
- Auditing networks, source traffic geographic regions, etc. Auditing networks and source traffic information geographically can shed light on possible unauthorized account usage. Is account usage coming from the expected geographic locations for the respective users?
- Are there many audit failures? Perhaps there isn’t unauthorized use per se, but is there “attempted” unauthorized use? Is an employee trying to access cloud resources that they shouldn’t access an indication of a compromised account or unscrupulous employee?
- Alerting based on security or out of compliance related events – Are monitors in place that proactively send alerts based on triggers configured? If too much time is passed after a security event has occurred, it can be difficult to trace the potential security breach.
Micro-segmenting access and network resources and JEA for users
Micro-segmentation is somewhat of a buzzword in today’s software defined networking space (SDN) and many of the principles presented with micro-segmentation use cases apply to on-premise to cloud and cloud to on-premise communications. Micro-segmenting allows network communication or access to only the minimum network nodes that need to be able to communicate.
This can be implemented by any number of means using SDN products or other various technologies. Basically, when network access is scoped down to only the devices or end users that absolutely need access, we are going a long way in mitigating risk. Otherwise, if network communication is wide open to both on-premise or public cloud nodes or resources, the overall security posture is lessened.
Additionally, “just enough access” or JEA is a security best practice to make sure that end users only have the access they absolutely need to resources, both on-premise and in the public cloud. The legacy approach of giving users more access than they need to make sure they have the access they need is a dangerous posture in today’s hybrid infrastructure. Hackers are often looking for access either by stealing credentials or impersonating users. If access to resources are minimal and only what the end user needs, we are mitigating risk. Even if those credentials are compromised, the damage scope or breach would be contained based on that user’s credentials. Certainly, as already mentioned, we would closely monitor any “privileged” or administrative account’s activity to identify anything out of the ordinary. This is where our monitoring, auditing, alerting, and other security measures will play a key role.
Backing Up Public Cloud Resources
The best that organizations can do today is to use a multifaceted approach to public cloud security. The more difficult it is to penetrate an organization’s public cloud resources, the less desirable it is as a target. However, as good as today’s public cloud security tools are, no security mechanism is perfect. With that being said, breaches do happen. What if crucial company data is destroyed or corrupted?
Organizations must consider how they can recover if a breach does occur. All too often, organizations regularly perform on-premise backups of critical resources but fail to consider backing up resources in the public cloud. While public cloud vendors provide impressive uptime and redundant infrastructure, your data is still YOUR responsibility.
Resources such as public cloud shared storage and email are integral parts of today’s hybrid cloud infrastructures of many organizations. How are these resources being backed up? Can you recover from data loss from unintentional, or even intentional, destruction of data or possible ransomware attack? These are some of the serious questions that organizations must ask when formulating a disaster recovery strategy.
There are powerful tools, such as Spinbackup for G Suite, that allow organizations to achieve many of the crucial public cloud security objectives mentioned in this article, including the very important backup of public cloud resources, including storage and email. Backups provided for cloud resources, such as those created by Spinbackup, allow the following:
- Automated backups – Backups that happen automatically and that are securely stored (encrypted)
- Deletion control – An automatic protected area of accidentally or intentionally deleted items that can be easily restored
- Version control – Multiple backup points in time and versioning on files allows for quick identification and recovery of specific points in time of files located in cloud storage.
- Searchable backups – Quickly and easily search backed up data to find resources for restoration
- Activity reports – Proactive reporting that allows monitoring of data loss protection status.
It is imperative in today’s hybrid cloud environments that organizations think about and bolster their public cloud security. If they do not, they most likely will be subject to a future data breach headline and potentially out of business shortly after. Public cloud security is a multifaceted approach that involves many different aspects of security. As mentioned – encryption, API based CASBs, auditing, monitoring and proactive alerting, micro-segmenting and JEA, and backing up public cloud resources are great ways to enhance public cloud security. When protecting data in the public cloud, organizations must be proactive and not reactive. Taking advantage of the tools and cyber security best practices of today and embracing the ones of tomorrow will ensure secure and successful public cloud implementations.
3,312 total views, 17 views today