Maksim Kabakou - Fotolia

Data leakage in the cloud – can data truly be safe in the cloud?

This month, the Computer Weekly Security Think Tank considers how CISOs and security practitioners should ensure that the business can make use of public cloud services safely and securely and avoid accidental or deliberate data leakage.

As organisations store and process data in the cloud, there are increasing concerns from administrators, data owners and CISOs’ around the possibility of misconfiguration or mishaps that lead to sensitive data being leaked – particularly to public cloud services that fall outside of the intended geographic region.

In 2019, Gartner predicted that by 2025, 90% of the organisations that fail to control public cloud use will inappropriately share sensitive data.

So how can building robust solutions utilising the full capabilities of cloud services better protect your sensitive data?

Get the basics right

Organisations adopt cloud to benefit from reduced costs, achieve greater business reach, process data quicker, and to grow faster. A pragmatic cloud transformation strategy with clear objectives is critical in setting an organisation on a secure and agile cloud adoption path. A significant part of this strategy is for organisations to adopt new security cultures that support how they operate in cloud environments.

This type of culture change should include a focus on data assets, their marking, handling and processing in the cloud services. Security awareness training is important to educate employees, especially IT staff, on cloud security best practices, the importance of correct configurations and the consequences of human-error mistakes. Organisations should also perform attack simulation for a data breach such as phishing attacks, to be ready to respond to any real threats and attacks.

Moreover, robust frameworks (e.g. SABSA, NIST CSF) must be in place to support an organisation’s data and security requirements, regulatory compliance and the data subjects. Key considerations should include: What, if any data sovereignty laws are in place? Do my frameworks address these? What are the threats?

Organisations would do well to implement well-structured lifecycle management and service architecture, which ensure that appropriate structures and procedures are in place to protect business data in line with legal/regulatory requirements. Techniques such as secure-by-design help bake security into the solution requirements and not just bolted on in the end.

DevSecOps ensures security becomes an enabler; it builds security capability right at the heart of the software development and continuously checks for issues from code to runtime. A data-centric approach (whereby the protection of data and access methods to it are prioritised, no matter where it is stored or used) to DevSecOps further enables developers, administrators and operators to better identity data, its uses, and how it is made available to the services that process it. Utilising processing environments, such as AWS Nitro Enclaves, protects data processed in the cloud and should be adopted where necessary.

Leverage AI and ML

Artificial intelligence (AI) and machine learning (ML) can operate at large scale, utilising learning, and can adapt to your data protection needs. By increasing automation, decision-making can be sped up for data bound for, or already deployed in, the cloud. It can be assessed and appropriately protected more rapidly. Cloud tools such as Google BigQuery and AWS MACIE use ML and AI to provide capabilities to help organisations better manage their data in public clouds and mitigate exposure of sensitive data.

AWS Config, Azure Policy, or Google Cloud’s Security and Command Centre also help automate the monitoring and enforcement of security policies. Implementing continuous monitoring solutions will detect and alert on misconfigurations, suspect access requests, and other security incidents in real-time.

In addition to automated monitoring and enforcement, the implementation of well-managed and regularly reviewed threat management allows organisations to be more proactive and agile in response to threats.

With the ability of cloud providers to assess vast amounts of data and threats, public cloud services are currently superior in leveraging AI than simpler on-prem security tooling.

Use zero-trust and IAM architecture

As the traditional boundaries dilute, identity and access management (IAM) that spans workloads, users, devices and organisations is required. Defining a clear zero-trust strategy implemented with the least privilege access control provides better accountability in operations, data centric access and further mitigates against human-error leading to accidental or deliberate data exfiltration. It improves granular monitoring and threat detection as you take advantage of conditional access rules and policies.

Improving data and implementing robust IAM solutions should be done in collaboration with regular security maintenance including regular compliance audits, security assessments, vulnerability management, security and functional testing, with findings managed and acted upon.

Zero-trust is a strategic approach that can significantly enhance your security, but it requires careful planning and an iterative approach to continuous improvement. While challenging, getting this right will be an important step in your hybrid cloud journey as it adopts a data-centric security approach which significantly improves data protection.

The challenge for CISOs and security SMEs to improve an organisation’s data security and management of sensitive data in cloud services must be business-driven, require cultural change, and the adoption of cloud data and security capabilities to succeed. The cloud is allowing us to re-examine our approach to security – and if we want to be successful in using cloud services, we need to exploit the rapid security innovation that is taking place because of it. 

Scott Swalling is a data and cloud security expert at PA Consulting. A new Think Tank contributor this month, he is a security architect with over 20 years’ experience in the field, having worked for both the Australian and British governments, and in the financial services, mining, pharmaceutical and space industries.

Read more on Cloud security