The cloud is a complex environment; there is no denying that fact. One of the most complicating aspects of the cloud is data security. It is a primary concern for all organizations whether they are looking to initiate their first move to the public cloud or if they have been operating there for years. Companies beginning their transition are often reluctant to transfer their most sensitive data as they try to understand the new operational and regulatory environment they are navigating.
That hesitancy is understandable; however, applying a data security strategy created for on-premises data management to the cloud is inadequate and a significant security risk. Such methods fail to address cloud requirements and do not utilize the built-in services and capabilities these cloud platforms offer.
To successfully migrate data to a cloud platform, organizations must examine and reassess their traditional data security strategies. Doing so requires comprehending how the cloud impacts current policy and then utilizing that information to shape a new data security strategy capable of employing the services cloud platforms offer.
Three Pillars of a Sound Cloud Security Strategy
When developing a potent data security strategy for the cloud, it is essential to understand and properly address three pillars: Identity, Access, and Visibility. These pillars serve as the bedrock of any security solution. Without a sound approach to tackling these issue areas, any initiative will struggle. That is because every strategy program requires the management of Identity, Access, and Visibility. Failing to address any of these issue areas cripples data security.
The most crucial step in a data security plan is the evaluation of identity. In any governance system, understanding identity is essential to determine who gets access to what. For example, governments need to identify who is and who is not a citizen to accurately provide benefits afforded to nationals, such as voting. Data governance works in the same way. Data management is defined by who gets access to what data. Recognize identity correctly, and a large majority of data security challenges will be solved from the off. Fail to do so, and an unlimited number of additional controls will not protect your most sensitive information.
To adequately address identity, you should start by determining who needs access to data. Employees, software services, and hardware will each require admission. One of the most varied forms of data consumption is via Users. Whether they are consumers providing identifying information, systems engineers providing troubleshooting infrastructure, or client services supporting your customers, Users will interact with data in a wide variety of ways.
Once you have determined who needs access to data, the next step is to manage what data they can access. That requires granting privilege to your sensitive information- far and away the most challenging aspect of a data security strategy.
Data access management requires the use of boundaries that serve as a semipermeable membrane (to borrow from biology) controlling who gets in and out of your data vault. For example, at the airport, TSA security determines who needs access to the terminals by identifying people with flight tickets. However, they also manage what terminal those people have the right to enter based on their flight information. Similarly, your marketing team may require entry to your cloud platform, but they do not need access to all your sensitive data.
Similarly to how getting on a flight necessitates checking-in, making it through security, and scanning your ticket, access boundaries serve as layered protection, which can be managed at three levels:
1. Network Layer Access
Think Firewalls and Virtual Private Cloud Service Controls.
2. IAM Access Controls
Cloud Identity and Access Management (IAM) policies determine who has what access to which resources by assigning roles. Such policies transmit through the hierarchy of the cloud environment:
- Organization Level: IAM roles at the organization level are inherited down to all organization resources.
- Project Level: Provides project-specific access to data, ensuring, for example, a guest user can only view data they are provided permission to see via their assigned IAM role.
- Resource Level: Viewing privileges specific to individual assets managed within a project. Have a consultant working on one aspect of a larger project? Providing a resource level will give access to only the information you deem necessary to complete their work
3. Provider/Customer Segregation
If you are uploading your data to the cloud, you might have concerns about preventing your cloud provider’s access to your information. Thankfully, there are significant additional safeguards that can be implemented to ensure access boundaries between your data and your cloud provider.
Once you properly identify data stakeholders and control their access with network boundaries, your final step to developing the three pillars of cloud data security is to ensure adequate visibility over data use.
With on-premises security, it is challenging to surveil the data environment because it is protected by a range of disparate technologies that are not inherently designed for unification. The beauty of cloud security is that its services are all seamlessly integrated. As such, the opportunity to monitor, detect, log, and audit data access is beyond compare. Furthermore, these surveillance abilities are supplemented by impressive analytics and powerful tools that supply additional insight into and control over data access management.
Because the cloud centralizes security control management, it provides unparalleled visibility beyond logging and monitoring. It offers a view across your organization into how data is protected. To achieve the same visibility levels with on-premise security requires a massive amount of resources that can be better applied elsewhere within your organization.
Effective visibility can be ensured via various tools, such as Google Cloud Logging, which exhaustively records every data event, ensuring you have a detailed understanding of your data is being accessed, moved, and shared.
Ensure a Smooth Transition to the Cloud with the Three Pillars
Managing data security on the day-to-day is a difficult task on its own. When you add in the complexities of transitioning to the cloud, it can seem a monumental task that might be best served by maintaining your current on-premise security program. However, you should not lift and shift your data protection strategy to the cloud. Instead, your organization should focus on developing an effective cloud-based security strategy that begins with the base pillars of identity, access, and visibility. Building a proper foundation for data protection is essential, and it starts with these three keys. If you want to learn more about the three pillars and how to develop a data security strategy for Google Cloud, check out our joint whitepaper with Google. If you are creating a system for a different cloud platform, or if you would like to incorporate into your strategy the expertise of a cybersecurity firm that works with multiple Fortune 500 companies, consider a free assessment from Sidechain.