In this white paper, A Cybersecurity Framework for Securing Cloud Data for Digital Transformation, analyst Richard Stiennon of IT-Harvest explains that while cloud vendors supply a resilient and secure infrastructure, organizations that put data into the cloud are ultimately responsible for the compliance and security of that data. He explains some of the compliance and security risks that pertain to cloud-hosted data and recommends a NIST-based cybersecurity framework to protect it.
Digital transformation has swept through enterprise infrastructure, accelerated by the exodus from the office wrought by COVID-19. While employees work from remote locations, organizations are moving applications to the cloud and corporate networks are fading away. Data security is one element of cloud transformation that is too often overlooked in the rush to improve user access and experience. The lack of industry cloud security and compliance frameworks stalls attempts to shore up defenses, leaving companies vulnerable to attacks as well as audit failures. This white paper proposes a security and compliance framework to be applied to cloud data.
In a modern cloud architecture there can be thousands of data repositories and hundreds of collectors and applications that access the data. One data store now being offered by cloud platforms is database as a service (DBaaS), now generally referred to as managed database services. Managed database services are rapidly displacing self-managed instances of standalone databases in the cloud. Major cloud services have introduced elastic pay-as-you-go services. While some of the security requirements have been subsumed by these providers, critical security controls, including those for detection and response, must still be applied to protect data and comply with regulatory mandates.
The major cloud platforms take care of the following components of security for their managed database offerings:
- Database Management. The cloud provider is responsible for keeping each database solution up to date. Any issues with a new release are the provider's to work out with the underlying technology provider. Managed database solutions offload the onerous task of maintaining an up-to-date license with the database software provider, and provide elasticity to accommodate changing workloads.
- Logging. Cloud providers are wired for providing telemetry both on the network side and for database access. But having raw records of access is a far cry from having something you can show your auditors.
- Access Controls. In addition to taking over all the physical access protections, the cloud provider assists with basic security like access controls. Yet, if an organization has a central repository of identities and authorizations, it is the organization's responsibility to tie that into the cloud provider’s systems.
Additional cloud data controls and processes
It is up to the customer of a cloud service to deploy additional controls. These include:
- Data discovery and classification. Databases, unstructured file repositories, and cloud applications tend to grow and expand. Many organizations cannot even catalog their digital assets in the cloud. Thus, discovering all DBaaS instances and unstructured data files with sensitive information and classifying them for their content becomes important, and is required for most privacy regulations.
- Access management. Controlling access is the single best protection for any resource. While managed database services provide some access control, it is a better practice for each organization to apply granular access that is integrated with corporate policies and access management solutions.
- Anomaly detection. Along with policy enforcement, anomaly detection is the first line of defense for breach detection or discovering improper usage.
- Encryption. While the cloud provider can encrypt its DBaaS and other data stores, a customer should have more control over encryption algorithms and key management.
Scoping a compliance framework for cloud data security
The following components of a cloud data security and compliance framework are aligned with the NIST Cybersecurity Framework. A consistent framework applied across different cloud providers will provide protection even in multi-cloud environments.
- Identify the types of data and the data repositories that hold them. Do so even in a dynamic environment where data sets are duplicated, backed up, restored, and deleted often.
- Protect the database from improper data creation, reads, updates and deletion (CRUD).
- Detect when policies are bypassed or attempts are made to bypass policy that could indicate an attack. Monitor and alert on unusual behavior.
- Respond. Have a documented process in place to respond to improper data access. Answer the questions: Which roles are responsible for the response? What authorities do they have to act? What reports should be generated?
- Recover. Recover lost or compromised data. Restore the database to a trusted good state. Apply additional controls to avoid a repetition of the incident.
Overall Recommendations
- Build on the cloud data security and compliance framework. Use the framework as the high-level structure and add granular controls to enforce each requirement: Identify, Protect, Detect, Respond, Recover.
- Apply across clouds: private, AWS, Azure, GCP, and the myriad of others used, and ensure parity with your on-premises policies.
- Choose third-party security and compliance solutions that fit into the Framework and enable you to accomplish each requirement in a simple and comprehensive manner – without causing major disruption or delay to the organization’s digital transformation objectives.
- Audit and measure compliance. Generate monthly audit reports regardless of the absence of any formal requests.
The move to the cloud, often termed Digital Transformation, has led to increased resilience and security for most organizations. Standardization, visibility, and the ability to elastically patch, test, and restore servers are some of the contributing factors to better security. But a layered defense model is still required, and each component of cloud infrastructure brings its own security requirements. Cloud data storage typically comes with all the advantages of cloud transformation yet introduces requirements to discover, classify, and protect critical data stores. Use this Framework to begin your cloud database security journey.
Get a complete copy of Richard Stiennon’s report A Data-Centric Cyber Security Framework for Digital Transformation here.
About IT-Harvest and Richard Stiennon
IT-Harvest is an industry analyst firm founded by Richard Stiennon, former Gartner Research VP and industry executive. A “seat” with IT-Harvest provides access to the Analyst Dashboard, a web app that reveals data on 2,850 cybersecurity vendors. Subscribers can consult with the analysts at any time.