It is essential to have an adequate program for data security in the cloud.
Recently, I was a featured guest on Google’s Cloud Security Podcast, discussing best practices to ensure cloud data security. Together with Google Head of Security Solution Strategy, Anton Chuvakin, we discussed what makes data security in the cloud unique, the shift to identity-based data policies, and how to implement preventative data security controls.
Our conversation detailed and expanded upon many of the topics we jointly wrote about in our recent white paper on data security considerations and strategies for Google Cloud. Here’s a quick summary of our dialogue on how to ensure your business is ready to safeguard your most critical business asset–your data–once it’s in the cloud.
Important Differences Between Cloud Security and On-Premises Security
There is a tendency for people to utilize their legacy data security program from the data center environment and simply apply it to the cloud. Though certain fundamentals remain from an on-premises data security strategy, there are stark differences. The considerable reliance on network controls, for instance, is diminished. After all, there are no longer multiple firewalls between the hostile internet and your data in the cloud. Instead, user identity and role-based access might be the only safeguard protecting your data from bad actors.
The emphasis on identity in cloud data protection is one of the most poignant changes between on-premises security and cloud security. Identity is core to cloud security strategies because, in cloud platforms, services are pre-integrated. It’s identity (and access policies) that grant or deny access to those services.
The traditional way of thinking about data security focuses on classification, data life cycles, and the technologies required to protect sensitive information within the context of physical infrastructure. Transitioning to the cloud necessitates a paradigm shift in thinking to address new fundamentals unique to the cloud. One of these critical fundamentals is identity, which is essential to managing policy controls in cloud infrastructure. To reiterate our white paper, if you can get identity even partially right, you will be well on your way to an effective data security strategy.
Moving Away From the Firewall Mentality
In data centers, everything you build is based on the network; firewalls, switches, VLANs, routing, subnets — it’s everywhere. Because of that, it’s used as an asset to create security, for example, through network segmentation, monitoring of traffic, and zero-trust access policies. In the cloud, much of that INFRASTRUCTURE goes away and is obfuscated to the provider. As such, you no longer lean on it for your security controls. What is left is identity, access controls, and logging/auditing. As Anton Chuvakin said in our podcast, “If you expect five firewalls between your database and the internet, you’re not going to have it in the cloud.” Accordingly, identity-based controls naturally increase in precedence during transitions to cloud platforms.
To aid in shifting the way you think, it is helpful to focus on utilizing your cloud provider’s services to secure your data. When you transition to the cloud, you build upon the immense security tools forged into the platform. The burden of information surveillance and protection is no longer squarely on your organization’s shoulders; it is a shared responsibility with your cloud provider. Focusing on crafting security based on the services, tooling, and policy capabilities available to you will aid with the mental gymnastics that sometimes come with cloud transitions, such as learning to trust your cloud provider more by trusting it less.
Making Decisions on Key Management in the Cloud
One of the main questions that come with cloud transitions centers on key management, which is always a challenge because there are many different ways to think about it. For example, key management can relate to compliance-related activities, which necessitate thinking about what to do with encryption keys to meet mandates or regulations. While compliance considerations will drive one set of behaviors, operationalizing key management will spur another. Operations, including key generation, managing and storing keys, key rotation, distribution and revocation, and other key lifecycle concerns, are consistently reported as a significant challenge by our clients. If you are juggling key management from a combination of these two perspectives, it adds to the complexity of the challenge.
It is vital to consider and understand what drives your key management requirements. Once you do, cloud platforms offer an immense capacity and flexibility to support your decisions.
Utilizing Visibility to Monitor Cloud Data
Once you’ve transitioned your data to the cloud and committed to a key management strategy, you need a protocol for tracking data access. Monitoring data access, in general, is a considerable issue and extremely difficult. There aren’t many effective tools to do so in a data center environment.
Now, cloud platforms like Google Cloud offer robust monitoring, auditing, logging, and more, straight out of the box. You’ve got all this visibility BUILT IN, and you didn’t have to do anything to get it! It’s a game-changer.
Furthermore, visibility is essential to DevSecOps and the automation implementation of security policy into code. Without adequate oversight supporting your ability to make policy decisions based on data usage, these efforts are far more challenging. That is why, as I explain in our conversation, “cloud platforms… that provide a lot of visibility,[and] a lot of opportunity to see what’s happening and then make decisions and automation [are] very powerful.”
Key Decision Makers to Success in Data Migration
If we understand the pillars that inform our data security strategy, the question becomes, who are the key decision-makers that will determine its success? Because organizations often begin cloud adoption swiftly, security teams need to work together with business and legal teams to ensure the migration of workloads and data are adequately grounded in security posture.
While the public cloud provides valuable benefits to businesses, such as economies of scale, as I note in our discussion, “all of that will be for naught if it isn’t grounded in a security posture that adequately protects those workloads… As teams are working together, and security is trying to inject what it needs to adequately protect [information] and implement the right security controls… it is very much a team effort.”
A Checklist for Cloud Strategy
Whether your company has a legacy program that your teams are looking to adapt to the cloud, or you’re starting from the ground up, take a moment to check out my joint white paper with Google’s Anton Chuvakin. It is full of essential details on best practices for developing a data protection strategy. There is a checklist of questions to consider that serve as a guide to pivoting security to the cloud. Also, there are a helpful set of parameters to consider for businesses cloud-native from the outset to build and implement a security program. Of course, if you don’t have the time to read through the white paper, you can get plenty of detailed tips and analysis by listening to the 20-minute podcast this article summarizes.
Should you review these valuable materials and decide you want support developing a high-class data security system, or you want to skip the study guides, you can get a free security assessment from our team at Sidechain. We will ensure your data security program is well equipped to deter the relentless threats that businesses face today.