By 2025 the amount of data stored in the cloud by governments, organizations, and individuals will exceed 75 zettabytes – an estimated 49% of the world’s 175 zettabytes of data at that time. This trend has no doubt been accelerated by COVID, as organizations have been forced to shorten cloud migration timeframes to ensure business continuity during the pandemic. While the cloud continues to be one of the key business enablement tools for organizations post-COVID, it is also undoubtedly true that businesses still struggle to understand their security obligations in the cloud. That’s why we’re discussing the importance of having strong security policies and implementing them correctly as your organization migrates to the cloud.
Start with a cloud-native, security-first mindset
Back in February, we published a post in ITProPortal talking about the importance of a security-first, cloud-native mindset. Although businesses face mounting pressure to move to the cloud, especially after COVID, this pressure does not alleviate the need to secure the cloud. As the shared responsibility model common to most cloud service providers suggests, it’s wrong to assume that cloud environments are “secure by default.” It is your organization’s responsibility to determine what security controls and configurations are sufficient for satisfying your organization’s specific data security and data compliance requirements. Failing to make this determination leaves your organization relying on security through obscurity rather than on practices and policies that actively improve your security posture in anticipation of cloud security threats. Much like you shouldn’t leave the front door to your house unlocked after going to bed, you should ensure your organization takes steps to secure its cloud systems. The cloud-native, security-first mindset requires your organization to consider several things, including:
- What business functions are migrating to the cloud
- What types of sensitive data are central to those processes
- What settings and controls will be deployed to ensure visibility and protection of that data
- And finally, how to implement policies that complement the settings and controls you seek to put into place.
Let your data guide which policies you maintain in the cloud
Even with security as your first and foremost concern in the cloud, it isn’t enough to simply lift your existing security policies as they exist within your on-prem environment and try to force them to work in the cloud. Because cloud environments differ significantly from more traditional environments, organizations may have to redesign their policies more or less from the ground up to work in the cloud. This redesign and implementation process should be data-centric: rather than assuming what controls and processes should be in place, you determine which ones work best by taking inventory of the types of data you’re trying to secure. This inventory should include the classification of the data, knowledge of where this data lives within your cloud environments, and knowledge of which resources have access to it.
A data-centric approach is favored in the cloud because the cloud is perimeterless and, as a result, data in the cloud tends to be permeable. Data from the cloud can be accessed by, or potentially stored on, any connected device, so approaches that overemphasize network or endpoint modalities (which are narrowly concerned with securing networks and physical assets) may fail to capture a holistic view of your security posture.
The specifics of how to build and implement a data-centric security program will depend on your compliance and security needs. For example, regulations like HIPAA explicitly require organizations to put access controls into place and document attempts to access protected health information (PHI). This effectively spells out the need for a control like data loss prevention (DLP). However, even in the absence of such requirements, some form of data classification and access controls for your data will likely be essential to your security program.
Invest in the right tools to manage data policies
Another important consideration is the question of how you intend to maintain the visibility and control necessary to monitor your data and implement necessary changes to your environment’s security. In addition to access controls and data discovery tools, security platforms like Nightfall DLP provide a centralized location for you to manage your data security policies.
The Nightfall platform provides a policy engine that coordinates machine learning detectors to alert on specific types of sensitive data and creates appropriate workflows in response to these alerts. For example, in healthcare, data like names and addresses wouldn’t be considered protected health information (PHI) unless associated with a specific patient medical record. You might then choose to set a rule for our detectors in Slack so that Nightfall alerts on addresses only when they appear next to another form of PHI, such as a name or social security number, thus more accurately codifying what your PHI breach risk actually looks like.
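To make the contextual rule above concrete, here is an added example (written for this post, not Nightfall’s own detectors or policy engine) of a small policy evaluator: each detector is a simplified, constructed regular expression, and the `address-as-phi` policy fires on an address only when a hypothetical `SSN` or `MRN` finding sits within a configurable character window of it. The sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed, deliberately simplified detectors (assumption: real detectors
# would be far more robust, e.g. address parsing rather than a regex).
DETECTORS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b"),
    "ADDRESS": re.compile(
        r"\b\d{1,5}\s+(?:[A-Z][a-z]+\s+){1,3}"
        r"(?:Street|St|Avenue|Ave|Road|Rd|Blvd)\b"
    ),
}


@dataclass
class Finding:
    detector: str
    start: int
    end: int
    text: str


@dataclass
class Policy:
    name: str
    trigger: str                      # detector that this policy is about
    requires_nearby: frozenset = field(default_factory=frozenset)
    window: int = 200                 # max distance (chars) to a supporting finding


def scan(message: str) -> list[Finding]:
    """Run every detector over the message and return findings ordered by offset."""
    findings = []
    for name, pattern in DETECTORS.items():
        for m in pattern.finditer(message):
            findings.append(Finding(name, m.start(), m.end(), m.group()))
    return sorted(findings, key=lambda f: f.start)


def evaluate(message: str, policies: list[Policy]) -> list[tuple[str, Finding]]:
    """Return (policy name, finding) pairs for every finding that satisfies a policy.

    A policy with an empty requires_nearby set alerts on its trigger unconditionally;
    otherwise the trigger only alerts when at least one of the required detector
    types also fired within `window` characters (co-occurrence rule).
    """
    findings = scan(message)
    alerts = []
    for policy in policies:
        for f in findings:
            if f.detector != policy.trigger:
                continue
            if not policy.requires_nearby:
                alerts.append((policy.name, f))
                continue
            supporting = [
                g for g in findings
                if g.detector in policy.requires_nearby
                and abs(g.start - f.start) <= policy.window
            ]
            if supporting:
                alerts.append((policy.name, f))
    return alerts


# Constructed policy set: SSNs are always sensitive; an address is only treated
# as PHI when it appears close to a medical record number or an SSN.
POLICIES = [
    Policy("ssn-anywhere", "SSN"),
    Policy("address-as-phi", "ADDRESS", frozenset({"SSN", "MRN"}), window=120),
]


def alert_names(message: str) -> list[str]:
    """Convenience wrapper: sorted policy names that fire on the message."""
    return sorted(name for name, _ in evaluate(message, POLICIES))


# Constructed sample Slack-style messages.
SAMPLE_MESSAGES = [
    "Team offsite is at 120 Main Street, see you there",       # address alone: no alert
    "Patient MRN: 00412233 lives at 45 Oak Avenue",            # address + MRN: PHI alert
    "Please update SSN 123-45-6789 on file",                   # SSN alone: alert
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{alert_names(msg)!s:<32} {msg}")
```

The point of the window parameter is that it encodes the business judgement from the paragraph above: an address in a message about a team offsite is not a breach risk, while the same detector output next to a record number is. Tuning that window, and which detector types count as supporting context, is where the policy rather than the detector does the work.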