The Problem With Securing Cloud Data

Security was already a complex topic. Then the cloud came along. The cloud, in any of its forms, offers an attractive price and performance alternative to the traditional data center. In some cases, it may even replace IT implementations altogether. Nevertheless, the cloud will have to support the same IT processes, services and best practices established by years of experience running IT organizations. This is particularly true for data security and compliance services.

While clouds present an optimistic and attractive model for IT, there is a key caveat: Clouds offer different levels of ownership and outsourcing, which greatly complicate our approaches for ensuring data security. Data is the most critical asset for a company, but now it may be sitting in cloud data environments that are out of the enterprise’s control.

Think about how worried you are when the data is in your data center, managed by people you know. With the cloud, you might not even know where the servers are, who is sharing them, who is managing them or what processes are in place to protect them. The obvious question becomes, “What considerations should I make to protect my data so my organization can move securely and confidently to the cloud?”


Before starting, consider the best approach to protecting your data in general, and then ensure that those precepts are followed in the cloud environment.

A Risk-Based Approach

First, you need to understand your data. Not all data is the same, and you must allocate appropriate resources to the most important information. In terms of security, you need to reduce the risk faced by that critical data. There are two important dimensions to this effort:

  1. Business value: How frequently is the data used to run the business and by whom (e.g., a pricing and discount table used daily by pricers)?
  2. Risk: How sensitive is the data and what exposures does it have (e.g., is it on a server with default passwords)?

The answers to these questions will help determine the relevance of the data and how you need to specifically treat it in its life cycle, especially for security and compliance.

An ideal way to do this is with automated discovery tools that show you where your sensitive data is, who has access to it and how exposed it is. Armed with this knowledge, it becomes easier to choose how to mitigate the risk with the right tools, such as encryption, masking, archiving, deleting and even tightening access control rules.

The final step is to continue to monitor access to your sensitive data in order to maintain a tolerable risk level, especially against misuse or abuse of privileged access.
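The two dimensions above (business value and risk), the mitigations the article lists and the monitoring step can be put together into a simple triage script. The following is an added example, not code from the original article or from any product it mentions: the sensitivity tiers, the exposure weights, the scoring formulas and the sample inventory are all assumptions, constructed here to show how discovery findings (such as the "default passwords" exposure the article names) can be turned into a prioritized list of assets and recommended controls.

```python
from dataclasses import dataclass, field

# Assumed sensitivity tiers, ranked low to high (not a scheme from the article).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Exposure findings a discovery / vulnerability-assessment tool might report,
# with assumed weights. "default_password" is the article's own example.
EXPOSURE_WEIGHTS = {
    "default_password": 3,
    "public_network": 3,
    "unencrypted_at_rest": 2,
    "shared_admin_account": 2,
    "no_access_monitoring": 1,
}


@dataclass
class DataAsset:
    name: str
    environment: str               # "on-prem", "iaas", "paas" or "saas"
    sensitivity: str               # key of SENSITIVITY
    uses_per_day: int              # how often the business reads or writes it
    user_count: int                # how many people or services touch it
    last_used_days_ago: int = 0
    exposures: list = field(default_factory=list)


def business_value(asset: DataAsset) -> int:
    """Dimension 1: how much the business depends on the data (0..8)."""
    frequency = min(5, asset.uses_per_day // 100)   # 0..5, capped
    breadth = min(3, asset.user_count // 50)         # 0..3, capped
    return frequency + breadth


def risk_score(asset: DataAsset) -> int:
    """Dimension 2: sensitivity scaled by how exposed the data currently is."""
    exposure = sum(EXPOSURE_WEIGHTS.get(e, 1) for e in asset.exposures)
    return SENSITIVITY[asset.sensitivity] * (1 + exposure)


def recommend(asset: DataAsset) -> list:
    """Map findings to the mitigations the article lists."""
    tier = SENSITIVITY[asset.sensitivity]
    if tier == 0:
        return ["no action (public data)"]
    actions = []
    if asset.last_used_days_ago > 365:
        actions.append("archive or delete (stale sensitive data)")
    if "default_password" in asset.exposures or "shared_admin_account" in asset.exposures:
        actions.append("tighten access control (credentials)")
    if "unencrypted_at_rest" in asset.exposures or asset.environment == "saas":
        actions.append("encrypt or mask before it leaves your control")
    if tier >= 2 and "no_access_monitoring" in asset.exposures:
        actions.append("monitor privileged access")
    return actions or ["keep monitoring"]


def prioritize(assets):
    """Rank assets by the product of both dimensions, highest first."""
    ranked = sorted(
        assets,
        key=lambda a: (risk_score(a) * (1 + business_value(a)), a.name),
        reverse=True,
    )
    return [(a.name, risk_score(a), business_value(a), recommend(a)) for a in ranked]


# Constructed sample inventory, shaped like the output of a discovery scan.
SAMPLE_ASSETS = [
    DataAsset("pricing_table", "iaas", "confidential", 2400, 120, 1, ["no_access_monitoring"]),
    DataAsset("customer_pii_db", "paas", "regulated", 300, 40, 0, ["default_password", "unencrypted_at_rest"]),
    DataAsset("old_hr_export", "on-prem", "regulated", 0, 2, 800, ["shared_admin_account"]),
    DataAsset("marketing_site_assets", "saas", "public", 50000, 5, 0, []),
]

if __name__ == "__main__":
    for name, risk, value, actions in prioritize(SAMPLE_ASSETS):
        print(f"{name:24} risk={risk:2} value={value}  -> {'; '.join(actions)}")
```

Running it puts the regulated database with a default password and no encryption at the top, ahead of the heavily used but better-protected pricing table, and flags the stale HR export for archiving even though nobody uses it: the point of scoring both dimensions is that neither usage nor sensitivity alone decides where to spend effort first.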

Three Environments for Cloud Data

Cloud service providers (CSPs) can offer customers different levels of control or convenience with regard to the services they provide. To apply the risk-based methodology to the cloud, you need to consider the three main environments.

Infrastructure-as-a-Service

Infrastructure-as-a-service (IaaS) is where the CSP manages the virtual and physical foundation. The end customer controls all other components up to the application layer. This may be the simplest of the three scenarios to support for data security because the same on-premises security controls — such as discovery, classification, vulnerability assessment, encryption, masking, monitoring, auditing and blocking — can be applied.

Platform-as-a-Service

Platform-as-a-service (PaaS) is where the CSP additionally manages the middleware and runtime. The end customer only has control over how to manage the data and the application. New data-as-a-service options offer customers access to shared virtual database space. The customer controls the data put in these spaces and the applications that use it but can only apply data security controls that the CSP has allowed or that exist at the application layer.

Regardless of the data security services provided, customers need to ensure that they retain control. For example, they should ask to hold their own encryption keys or to have access to the monitoring consoles.

Software-as-a-Service

Finally, there is software-as-a-service (SaaS), where the customer is only a user of the service and the administration of the stack is left to the CSP. The customer has no control over what is done with the data. Dropbox and Google Docs are common in the mobile consumer space, and Salesforce is a well-known enterprise example. SaaS environments are the most difficult to control for data security because the data is at the mercy of the CSP. The end customer can only control it by sending the data to the application already encrypted or masked, and even then must be careful not to break application logic.
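Masking data before it reaches a SaaS application, without breaking the application's own logic, usually means preserving the shape of each field (an e-mail still looks like an e-mail, a phone number still has its separators) while replacing the identifying content. The following is an added example, not code from the original article or from any SaaS vendor it names: it uses a keyed HMAC so that the same input always produces the same pseudonym (so equality checks, joins and deduplication in the application keep working), keeps the key on the customer side as the previous section recommends for encryption keys, and shows the masked records passing a stand-in for the application's validation. The key, the validation regexes and the sample records are all constructed assumptions.

```python
import hashlib
import hmac
import re
import string

# Assumed customer-held secret; constructed for the example and never sent to the CSP.
MASKING_KEY = b"example-masking-key-held-on-premises"

# Stand-ins for the SaaS application's own input validation (assumed shapes).
EMAIL_RE = re.compile(r"^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,}$")
PHONE_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")

ALPHABET = string.ascii_lowercase + string.digits

# Local re-identification table: masked value -> original. Stays on-premises.
VAULT = {}


def _prf(value: str, context: str) -> bytes:
    """Keyed, deterministic pseudorandom bytes for a field value.

    The context string keeps an e-mail and a phone with the same text from
    colliding. Determinism is what keeps application-side equality logic intact."""
    return hmac.new(MASKING_KEY, f"{context}:{value}".encode(), hashlib.sha256).digest()


def mask_email(email: str) -> str:
    """Replace the local part with a pseudonym; keep '@' and the domain so format checks pass."""
    local, domain = email.strip().lower().split("@", 1)
    digest = _prf(local, "email")
    # Modulo 36 over bytes is slightly non-uniform; acceptable for pseudonyms, not for keys.
    pseudo = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:12])
    masked = f"{pseudo}@{domain}"
    VAULT[masked] = email
    return masked


def mask_phone(phone: str) -> str:
    """Replace every digit with a keyed digit but keep the NNN-NNN-NNNN layout."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit phone number, got {phone!r}")
    digest = _prf(digits, "phone")
    new = "".join(str(b % 10) for b in digest[:10])
    masked = f"{new[:3]}-{new[3:6]}-{new[6:]}"
    VAULT[masked] = phone
    return masked


def mask_record(record: dict) -> dict:
    """Mask the identifying fields of one record before it leaves the enterprise."""
    masked = dict(record)
    masked["email"] = mask_email(record["email"])
    masked["phone"] = mask_phone(record["phone"])
    return masked


def reidentify(masked_value: str) -> str:
    """Look a masked value up in the on-premises vault (only the customer can do this)."""
    return VAULT[masked_value]


def app_accepts(record: dict) -> bool:
    """Stand-in for the SaaS application's validation; masked records must still pass it."""
    return bool(EMAIL_RE.match(record["email"]) and PHONE_RE.match(record["phone"]))


# Constructed sample records.
SAMPLE_RECORDS = [
    {"id": 1, "email": "Alice.Smith@example.com", "phone": "(212) 555-0100"},
    {"id": 2, "email": "bob@example.com", "phone": "212-555-0199"},
    {"id": 3, "email": "alice.smith@example.com", "phone": "212-555-0100"},  # same person as id 1
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        out = mask_record(rec)
        print(out, "accepted" if app_accepts(out) else "REJECTED")
```

Records 1 and 3 mask to the same e-mail and phone even though their original formatting differs, so a "find duplicate contacts" feature in the application still works on masked data; the vault, and the key that produced the pseudonyms, never leave the customer's environment. What this does not do is hide the domain or the structure of the data, so it reduces, rather than removes, the dependence on the CSP's controls.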

For cloud environments, the more control you give to a CSP, the more dependent you will be on their security processes. Service-level agreements can increase confidence, but the further down the stack your own control extends, the more directly you can lower the risk yourself.
