The biggest security problem with protecting data on a cloud is that there isn't just one cloud.
The typical enterprise has relationships with several cloud platforms, the official ones that IT approved as well as the shadow connections made outside of IT. Beyond that long list, however, a company has to contend with the hard reality that every cloud platform handles security differently, precluding an all-encompassing approach to cloud security.
The best—and simplest—way to sidestep that hurdle is to protect all data before it leaves the enterprise. With end-to-end protection, it doesn't matter much how a cloud service protects data, because sensitive data elements will be rendered useless to hackers.
This data-centric approach of applying a fine-grained level of protection to all intellectual property is ideal for the mixed environments of legacy on-premises systems found in a typical enterprise—even if the business is shifting many internal workloads to the cloud. The approach also makes sense because of employees using unsecure remote sites with porous networks and unknown IoT devices.
Anonymizing, encrypting, or tokenizing data, no matter where it is or how it is used, is more effective—as well as more cost-effective—than trying to protect data with some version of a wall. Security walls add complexity, costs, and administrative overhead. More importantly, they often don't work well. Cyberthieves love walls because they can almost always be overcome. Thus, data protection often boils down to a cost-benefit calculation on the attacker's side: how much is the data worth, measured against the time and resources needed to get at it? Most of the time, if the data is important enough to an organization, it will be valuable enough to the attacker to justify crashing through the wall.
But why else should enterprises change their security approach now? The reality is that the data landscape CISOs are charged with protecting has dramatically changed, forcing a different defense strategy.
It's not just employees using their own devices and working from remote sites. It's how they're using the devices. For one, cloud deployments (both authorized and shadow IT) of all kinds are increasing, along with more IoT applications, both in corporate buildings and consumer-grade devices at remote sites. Another key change is in how data is created and distributed: much of it now happens with less-than-complete visibility at the IT-security level, regardless of mobile device management (MDM) choices. On top of it all, organizations also lack coordination of data-centric security policies and management across data silos, resulting in inconsistent data-policy implementation and enforcement.
The only practical way to defend all worthwhile data is to make the data worthless to attackers. Assume that any theft attempt will be successful, but strictly deploy a data-centric approach to protect the data anyway.
Data-centric security should revolve around six areas: data discovery; centralized security-policy management; user privilege and activity monitoring; auditing/reporting; data classification; and fine-grained data protection. Here's a look at each:
The biggest enterprise security problem today is the absence of an accurate, comprehensive and current data map. There are many reasons for this, including acquisitions and mergers, shadow IT, and mobile communications. But data discovery is the best method to at least get some rough sense of unknown datasets in the enterprise environment. If your people don't find the data, cyberthieves and regulators will.
As noted, cloud technology, remote sites, IoT devices, and recently acquired business units bring intense complexity to security management. The only realistic way for enterprise security to keep on top of data protection is to have one set of security policies and apply it universally. This will overcome the disparate security approaches of cloud vendors.
User privilege needs to be routinely monitored, as job changes can create phantom privileges, or an end user's credentials can provide greater access than the person needs. Also, activity monitoring is critical in a zero-trust environment. Typically a key part of a continuous-authentication approach, activity monitoring is the only way to catch either a legitimate employee who goes rogue and tries to steal from payroll or a clever outsider who was able to fool the initial identification effort.
Auditing and reporting are backbones of a modern security system. They're also a key part of a zero-trust mindset: Regardless of security mechanisms in place, an organization should always audit to catch what initially slipped through.
Data classification is arguably the most complicated step, because it requires executives to truly think through all elements of data access, just as though they were re-creating the enterprise's entire security strategy (which, for all practical purposes, they are). Classification starts with a set of questions: Who needs access to review data, and who needs access to manage it? What legal and regulatory requirements exist that will impact these decisions? What is the data worth, and where is it stored?
But it goes way beyond that. What data is truly needed? And if that data is truly needed, is it needed once, twice, or repeatedly over an extended period of time? Many of today's best analytics efforts—including machine learning—need less data than they did a few years ago.
Those analytics have to deal with the quintessential signal-to-noise ratio, with "signal" being usable data and "noise" being irrelevant data. Beyond the traditional security argument that data-not-stored is data-that-can't-be-stolen, saving non-essential data can cost money, take up resources, and make analytics slower and possibly less accurate given the signal-to-noise reality.
Fine-grained data protection is another critical area. It means granting access based on the current requirement of the use case, and although this is a long-held best security practice—give the lowest-level privilege possible for any function—it is often ignored. More critically, access is highly vulnerable to orphaned privileges, which arise when an employee changes function (often through promotion) and no one bothers to review privileges and remove those no longer needed. Enterprises tend to be excellent at removing all privileges from those who have left the company for good, but not from those who are assigned a new role.
Fine-grained data protection should also include time-based access control and should inform data decisions, because compliance isn't static. Compliance presents two independent moving targets: the compliance rules themselves (for every state, city, country, or vertical industry) change constantly, and the typical enterprise routinely moves into and out of different compliance situations. Those compliance changes don't merely take place when a merger or acquisition happens, but also when an existing division adds or removes a product line or when employees and contractors shift roles.
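One way to operationalize the orphaned-privilege review described above, together with the routine user-privilege monitoring discussed earlier, as an added Python example that is not from the article: a role catalog listing each role's least-privilege entitlements is compared against each user's live grants, flagging entitlements the current role does not need (noting which earlier role explains them) and time-bound grants that have expired. The role catalog, user records and timestamps are constructed sample data.

```python
"""Flag orphaned entitlements left over from role changes, plus expired
time-bound grants. Added example; role catalog and user records are
constructed for illustration, not taken from any real system."""
from datetime import datetime, timezone

# Constructed catalog: the least-privilege entitlement set each role needs.
ROLE_ENTITLEMENTS = {
    "payroll_clerk": {"payroll:read", "payroll:write"},
    "payroll_manager": {"payroll:read", "payroll:approve", "reports:read"},
    "hr_analyst": {"hr:read", "reports:read"},
}

# Constructed user records: current role, roles previously held, and every
# entitlement still granted (value is an ISO-8601 expiry, or None if open-ended).
USERS = [
    {"user": "alice", "role": "payroll_manager", "previous_roles": ["payroll_clerk"],
     "grants": {"payroll:read": None, "payroll:approve": None,
                "reports:read": None, "payroll:write": None}},
    {"user": "bob", "role": "hr_analyst", "previous_roles": [],
     "grants": {"hr:read": None, "reports:read": "2024-01-31T00:00:00+00:00"}},
]


def review_user(record, now=None):
    """Return (kind, entitlement, detail) findings for one user.

    'orphaned': the current role does not need the entitlement; detail names
    the earlier role that explains it, or 'unknown'.
    'expired': the entitlement is needed but its time-bound grant has lapsed.
    """
    now = now or datetime.now(timezone.utc)
    needed = ROLE_ENTITLEMENTS.get(record["role"], set())
    findings = []
    for ent, expires in record["grants"].items():
        if ent not in needed:
            source = [r for r in record["previous_roles"]
                      if ent in ROLE_ENTITLEMENTS.get(r, set())]
            findings.append(("orphaned", ent, source[0] if source else "unknown"))
        elif expires is not None and datetime.fromisoformat(expires) < now:
            findings.append(("expired", ent, expires))
    return findings


def review_all(users, now=None):
    """Run the review over every user record; map user -> list of findings."""
    return {u["user"]: review_user(u, now) for u in users}


if __name__ == "__main__":
    for user, findings in review_all(USERS).items():
        for kind, ent, detail in findings:
            print(f"{user}: {kind} {ent} ({detail})")
```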
There are many ways to protect data, but the key concern for data-centric security is selecting the appropriate methods for each of your data types and then sticking to that choice. Once classified, sensitive data must be protected consistently. Silo-based approaches leave gaps in capability, management, and controls. That means that a centralized and fixed policy must be applied to data across all silos.
With the complexity of today's networks, a data-centric approach is something that all organizations should seriously consider.