Cloud security: not a bug, but a feature
You can’t govern what you can’t measure. Do you know what data is being handled, and by whom?
The digital world has seen an evolution – migrating to the cloud and going mobile – but the security technologies designed to protect the data continue to operate as though there are defined digital boundaries to the business world. So says Michael Brink, CTO, CA Southern Africa. “The reality is you can’t contain data today – it’s literally everywhere.”
While the cloud may be more convenient, always-on connectivity requires new considerations, and one of the biggest challenges of cloud security is that the perimeter hasn’t simply shifted: it’s no longer clearly defined. Without clear perimeters, organisations face new risks of data theft and loss. As-a-Service platforms and hybrid work also increase an organisation’s risk and exposure.
“If you go into the cloud, your attack surface becomes a lot broader than you would with your data onsite,” says Ignus de Villiers, group head of cybersecurity at Liquid Intelligent Technologies. A highly-connected cloud environment can also lead to insecure APIs and account hijacking.
“Traditional security controls, which exist in a company’s datacentre, have no visibility into this activity. They are unable to monitor, control, or protect the data the moment it’s outside the company’s direct control,” says Brink. What’s needed, he adds, is a modern approach to this modern data protection problem – a solution that can implement consistent controls and security, regardless of how data is accessed and where it is stored. “A modern data loss prevention (DLP) solution, delivered as part of a cloud-based web security gateway, can provide continuous monitoring and protection of sensitive data on-premises and in the cloud,” he says.
Sherelle Farrington, Fortinet’s cloud security solutions manager, says cloud adoption is being driven by the business and the business wants to use whichever cloud platform is right for each digital initiative.
“Simplifying the complexity of cloud security and ensuring a seamless user experience in the move to cloud are critical. Cloud security must address diverse attack vectors, across diverse platforms.”
A finding from World Wide Worx’s Cloud in Africa 2023 study is that cloud security is no longer a barrier, but a benefit. More than half of respondents cited improved security as the biggest benefit of the cloud. “I believe we’re overdue for a shift in understanding that cloud deployments can be secure if properly implemented. According to the statistics in this research, the cloud provides peace of mind as well,” says Ian Jansen van Rensburg, lead technologist at VMware SSA.
Seven ways to safeguard sensitive information in the cloud
“Every organisation with digital capabilities faces data protection concerns around targeted cyberattacks, digital transformation and privacy laws,” says Michael Brink, CTO, CA Southern Africa.
1. Secure sensitive data by using data loss prevention (DLP) technology that mitigates data breach and compliance risks while providing full visibility and control over the information everywhere it goes.
2. Manage regulatory compliance risks by identifying sensitive information types upfront by means of predefined policy templates supported by an extensive library of data identifiers. This allows you to monitor for policy violations and enforce data protection policies that will facilitate control over where sensitive information can live and travel.
3. Better understand where your sensitive data lives in the cloud by scanning service endpoints, network file shares and data repositories with content-aware detection technologies. This reduces false positives and false negatives while ensuring that you discover confidential information in virtually any location and file format.
4. Ensure you’re able to monitor data usage and movement across all channels to and from the cloud. This creates awareness of how sensitive data is used: what data is being handled and by whom, across devices, shares, and sanctioned and unsanctioned cloud apps such as Office 365, G-Suite, Box, Workday and Salesforce.
5. Prevent insiders from exfiltrating sensitive information such as customer records and product designs by being able to continuously monitor risky user behaviour across control points and deterring users from leaking data with capabilities such as real-time blocking, quarantining, and alerting.
6. Conduct in-depth user entity behaviour analytics (UEBA), assign risk scores to people and behaviours, block or route email to encryption gateways for secure delivery and apply policy-based encryption and digital rights to specific files.
7. Consider a data-centric security framework such as Zero Trust, which is based on the principle that organisations should not automatically trust anything inside or outside their perimeters without first verifying the identity and trustworthiness of those trying to connect to their resources before granting access.
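Points 2 and 3 above turn on two mechanisms: a library of data identifiers expressed as policy templates, and content-aware validation that cuts false positives. The following is an added illustration, not code from the article or from any vendor quoted in it, of how a minimal DLP content scanner applies that idea. The policy (a payment-card identifier validated with the Luhn checksum, an email-address identifier and a classification-marker identifier), the severity-to-action mapping and the sample document are all constructed for this example; a real DLP product ships far larger identifier libraries and enforcement options.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Identifier:
    """One entry of a (hypothetical) DLP policy template."""
    name: str
    pattern: re.Pattern
    severity: str                                   # "high" -> block, "medium" -> alert
    validator: Optional[Callable[[str], bool]] = None  # content-aware check to cut false positives

def luhn_ok(number: str) -> bool:
    """Luhn checksum: rejects digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Constructed policy: a small identifier library standing in for a vendor template.
POLICY = [
    Identifier("payment_card", re.compile(r"\b(?:\d[ -]?){13,19}\b"), "high", luhn_ok),
    Identifier("email_address",
               re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "medium"),
    Identifier("classification_marker", re.compile(r"\bCONFIDENTIAL\b"), "medium"),
]

@dataclass(frozen=True)
class Finding:
    identifier: str
    line: int
    severity: str
    evidence: str   # masked, so the alert itself does not leak the data

def mask(text: str) -> str:
    """Keep only the last four characters of the matched value."""
    visible = text[-4:]
    return "*" * (len(text) - len(visible)) + visible

def scan(text: str, policy: List[Identifier] = POLICY) -> List[Finding]:
    """Run every identifier over every line; validators discard look-alike matches."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for ident in policy:
            for match in ident.pattern.finditer(line):
                candidate = match.group(0).strip()
                if ident.validator and not ident.validator(candidate):
                    continue                        # e.g. an order number that failed Luhn
                findings.append(Finding(ident.name, lineno, ident.severity, mask(candidate)))
    return findings

def decide(findings: List[Finding]) -> str:
    """Map findings to the enforcement action a gateway would take."""
    if any(f.severity == "high" for f in findings):
        return "block"
    if findings:
        return "alert"
    return "allow"

# Constructed sample document: one real-looking card, one order number and one
# test fixture that both fail Luhn, plus an email address and a classification marker.
SAMPLE_DOCUMENT = """\
Quarterly customer export (CONFIDENTIAL)
Order 12345678901234 shipped to alice@example.com
Payment card on file: 4111 1111 1111 1111
Test fixture, not a real card: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    results = scan(SAMPLE_DOCUMENT)
    for f in results:
        print(f"line {f.line}: {f.identifier} [{f.severity}] {f.evidence}")
    print("action:", decide(results))
```

Only the Luhn-valid number on line 3 is reported as a card; the order number and the test fixture match the regex but fail validation, which is the false-positive reduction the list item refers to. The evidence field is masked before it reaches the alert, so the monitoring channel itself does not become a new place where the sensitive value lives.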
Five steps to multilayered data protection
With the increased use of cloud computing, safeguarding sensitive information has become more important than ever. Philip Francis, an IT manager at Obscure Technologies, addresses the security challenges that come with cloud computing with a multilayered approach to data protection.
1. Access control
Limit access to sensitive information to authorised individuals. This can be achieved by implementing user authentication and authorisation mechanisms, such as passwords, biometric identification, and multifactor authentication.
2. Encryption
This involves converting sensitive information into a form that can only be read by someone who holds the decryption key. Even if unauthorised individuals access the information, it is useless to them without that key. Encryption can be implemented at the file, database or application level, providing an extra layer of security.
3. Data backup and recovery
Backing up data can be used to recover the original data in case of loss or corruption. Data recovery involves restoring the original data from the backup. Both backup and recovery are critical in ensuring that sensitive information is not lost due to hardware failures, natural disasters, or cyber-attacks.
4. Monitoring and logging
Monitoring and logging involve tracking access to sensitive information and recording any suspicious activity. This helps to detect unauthorised access and to prevent further damage. Monitoring and logging can be implemented at the network, application or user level.
5. Physical security
Physical security means protecting the physical infrastructure that hosts sensitive information. This includes measures such as access control, surveillance, and environmental controls. Physical security is critical in preventing physical theft, damage, or destruction of sensitive information.
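Steps 1 and 4 above form a pipeline: an access-control decision produces a log record, and monitoring reads those records back to surface what should not have happened. The following is an added example, not code from the article or from Obscure Technologies, of that pipeline in miniature. The role map, permission table, request list, business-hours window and 100 MiB transfer threshold are all constructed assumptions chosen to show each rule firing once.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# --- Step 1: access control (constructed roles and permissions) ---------------
ROLES: Dict[str, str] = {"alice": "analyst", "bob": "engineer", "mallory": "contractor"}
PERMISSIONS: Dict[str, Dict[str, set]] = {
    "customers.csv": {"analyst": {"read"}, "engineer": {"read", "download"}},
    "designs.zip":   {"analyst": {"read"}, "engineer": {"read", "download"}},
}

def authorise(user: str, action: str, obj: str) -> bool:
    """Default-deny: an unknown user, object or role gets nothing."""
    role = ROLES.get(user)
    return action in PERMISSIONS.get(obj, {}).get(role, set())

def build_log(requests: List[Tuple[str, str, str, str, int]]) -> str:
    """Evaluate each request and emit one log line per decision (allowed or denied)."""
    lines = []
    for ts, user, action, obj, size in requests:
        ok = authorise(user, action, obj)
        lines.append(f"{ts} user={user} action={action} object={obj} "
                     f"bytes={size if ok else 0} result={'allowed' if ok else 'denied'}")
    return "\n".join(lines) + "\n"

# --- Step 4: monitoring over the log ----------------------------------------
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
                    r"object=(?P<obj>\S+) bytes=(?P<bytes>\d+) result=(?P<result>\S+)$")
BUSINESS_HOURS = range(7, 19)          # UTC hours considered normal (assumption)
BULK_THRESHOLD = 100 * 1024 * 1024     # cumulative bytes per user before alerting (assumption)

def review_access_log(text: str) -> List[Tuple[str, str, int]]:
    """Return (rule, user, line_number) alerts for denied, off-hours and bulk activity."""
    alerts: List[Tuple[str, str, int]] = []
    transferred = defaultdict(int)
    flagged_bulk = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("unparseable", "-", lineno))   # a gap in the log is itself a signal
            continue
        user, result = m["user"], m["result"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if result == "denied":
            alerts.append(("denied_access", user, lineno))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", user, lineno))
        if result == "allowed":
            transferred[user] += int(m["bytes"])
            if transferred[user] > BULK_THRESHOLD and user not in flagged_bulk:
                flagged_bulk.add(user)               # alert once per user, not per line
                alerts.append(("bulk_transfer", user, lineno))
    return alerts

# Constructed requests: a contractor with no rights, an engineer pulling large
# files at 02:40 UTC, and an analyst trying an action her role does not permit.
REQUESTS = [
    ("2023-05-02T09:14:07Z", "alice",   "read",     "customers.csv", 4096),
    ("2023-05-02T09:20:31Z", "mallory", "read",     "customers.csv", 4096),
    ("2023-05-02T02:41:55Z", "bob",     "download", "customers.csv", 52428800),
    ("2023-05-02T02:43:10Z", "bob",     "download", "designs.zip",   73400320),
    ("2023-05-02T10:02:18Z", "alice",   "download", "designs.zip",   2048),
]

if __name__ == "__main__":
    log = build_log(REQUESTS)
    print(log)
    for rule, user, lineno in review_access_log(log):
        print(f"ALERT {rule:<14} user={user:<8} line={lineno}")
```

The two layers reinforce each other: access control stops mallory and alice outright, while monitoring is what notices that bob, whose role legitimately permits downloads, moved over 100 MiB at 02:40 UTC. Neither layer alone tells the full story, which is the point of the multilayered approach.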
“Safeguarding sensitive information in the cloud requires a multilayered approach to data protection,” says Francis. “Each layer of data protection provides an additional layer of security, making it more difficult for unauthorised individuals to access sensitive information. By implementing access control, encryption, data backup and recovery, monitoring and logging, and physical security measures, organisations can ensure that their sensitive information remains secure in the cloud.”
* Article first published on brainstorm.itweb.co.za