Too frequently, there are significant misunderstandings in organizations with regard to who has the responsibility to protect cloud-hosted data. In Imperva’s recent report, A Data-Centric Cybersecurity Framework for Digital Transformation, IT analyst and author Richard Stiennon explains what vendors of managed cloud-based services provide and what they do not. In this post, we’ll give an overview of the lines of responsibility for cloud-based service providers and the organizations using them. We will also summarize the requirements of the data protection framework that organizations must use to ensure that they protect their data in cloud-native environments.
What cloud-based managed services vendors provide (and do not provide)
- Database Management: The cloud provider is responsible for maintaining the database architecture and must resolve issues created by new releases with the underlying technology provider. Managed database solutions offload the difficult work of maintaining an up-to-date license with the database software provider and provide flexibility to accommodate dynamic workloads.
- Logging: Cloud providers supply telemetry on the network side and for database access. Customers receive raw records of access to structured data, which need processing before they make sense and can be shown to auditors.
- Access Controls: Cloud-based service providers assist with privileged access controls. They are not responsible for customers’ central repository of identities and authorizations that tie into the cloud providers’ architectures.
Even basic data security requires more than keeping software current, logging activity, and having the capacity for privileged access control. You need audit reports to demonstrate compliance, alerts on attempted abuse, and streamlined incident response. Cloud-based service providers have no responsibility for unstructured data, such as spreadsheets containing sensitive information, nor do they discover and classify sensitive data or determine access rights based on its sensitivity and regulatory requirements, regardless of data type.
Five data security controls and processes you must bring to cloud-native infrastructures
- Data discovery and classification. In addition to cataloging your digital assets in the cloud, most privacy regulations require you to discover and classify cloud-based dynamic databases and unstructured file repositories and applications containing sensitive information.
- Access management. To enforce policy, you must apply granular privileged access management that is integrated with corporate policies and access management solutions. Limiting the number of queries or the amount of data that can be downloaded will prevent abuse by authorized users and is the single best protection for any resource.
- Anomaly detection. Contextual understanding of when an anomaly is inconsequential versus a real risk to data will reduce the flood of false positives usually associated with anomaly detection systems.
- Encryption. While the cloud provider can encrypt its DBaaS and other data stores, a customer should have more control over encryption algorithms and key management.
- Audit report preparation. This function saves weeks of labor and quickly obviates the need for extensive reviews of log records by auditors.
Scope a compliance framework for cloud data security
Applying a consistent framework across different cloud providers protects your data even in multi-cloud environments. Start with these points:
- Identify all types of data and the data repositories that hold them. Do this even in a dynamic environment where data sets are duplicated, backed up, restored, and deleted often. Map the network locations of the data and the network control points. Such discovery and classification of data (and the databases that hold the data) are specifically called for by both GDPR and CPRA.
- Protect the database from improper data creation, reads, updates, and deletion (CRUD). In SQL, for instance, the Data Definition Language (DDL) governs the CREATE, ALTER, and DROP statements. Apply a least privilege access policy. Require strong authentication for critical operations. Enforce network connectivity policies.
- Detect when policies are bypassed, or when attempts are made to bypass policy, which could indicate an attack. Monitor and alert on unusual behavior. Protections invariably serve as mere speed bumps to an attacker who seeks to gain access to an account with privileged access or to exploit a zero-day vulnerability. Detection and alerting are a backstop to protection.
- Respond. Create a documented process to respond to improper data access. Answer the questions: Which roles are responsible for the response? What authority do they have to act? What reports should be generated? Who should be notified (e.g., internal audit, executives, a regulatory body, or law enforcement)? Use automated tools to react to breaches quickly, triage what happened, and determine what controls you must apply to prevent a recurrence.
- Recover. Make a plan to recover lost or compromised data and restore databases to their normal state. Recall the Office of Personnel Management (OPM), which recognized multiple attacks on and breaches of its databases. It had submitted a budget request for funds to build up its security. In the meantime, a state-sponsored group breached its systems and exfiltrated the entire database of records of everyone who had ever applied for a security clearance.
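As an added illustration of the protect and detect steps above (per-user limits on query volume from the access management control, contextual anomaly detection that suppresses expected bulk jobs, and alerting on unusual behavior), here is example code that is not from this post or from the Imperva report. The audit records, the hourly limits, and the table of scheduled jobs are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Policy limits per user per hour (assumed values, not from the post).
MAX_QUERIES_PER_HOUR = 500
MAX_ROWS_PER_HOUR = 50_000
# Context that raw provider logs lack: (user, hour-of-day) of known bulk jobs (assumed).
SCHEDULED_JOBS = {("etl_svc", 2)}


def constructed_records():
    """Constructed raw audit rows (one per query), standing in for provider telemetry."""
    recs = []
    for h in range(24):
        recs += [{"user": "alice", "hour": h, "rows": 100} for _ in range(20)]  # analyst
        recs += [{"user": "etl_svc", "hour": h, "rows": 50} for _ in range(5)]  # service acct
    recs.append({"user": "etl_svc", "hour": 2, "rows": 30_000})  # nightly export, expected
    recs.append({"user": "alice", "hour": 14, "rows": 40_000})   # mid-day bulk read, unusual
    recs += [{"user": "bob", "hour": 9, "rows": 1} for _ in range(600)]  # query flood
    return recs


def aggregate(records):
    """Roll raw rows up into per-(user, hour) query and row counts."""
    totals = defaultdict(lambda: {"queries": 0, "rows": 0})
    for rec in records:
        t = totals[(rec["user"], rec["hour"])]
        t["queries"] += 1
        t["rows"] += rec["rows"]
    return totals


def detect(records, z_threshold=3.0):
    """Return (user, hour, reason) alerts: hard policy-limit breaches, plus hours whose row
    volume is an outlier against the user's own baseline unless a scheduled job explains it."""
    per_user = defaultdict(list)
    for (user, hour), t in aggregate(records).items():
        per_user[user].append((hour, t))
    alerts = []
    for user, hours in per_user.items():
        volumes = [t["rows"] for _, t in hours]
        mu, sigma = mean(volumes), pstdev(volumes)
        for hour, t in hours:
            if t["queries"] > MAX_QUERIES_PER_HOUR or t["rows"] > MAX_ROWS_PER_HOUR:
                alerts.append((user, hour, "limit"))
            elif sigma > 0 and (t["rows"] - mu) / sigma > z_threshold:
                if (user, hour) not in SCHEDULED_JOBS:  # contextual filter: expected bulk read
                    alerts.append((user, hour, "anomaly"))
    return alerts
```

Running `detect(constructed_records())` flags the analyst's mid-day 40,000-row read and the 600-query flood, while the service account's nightly export is suppressed by the scheduled-job context.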
As we can see, we must build a layered defense model, and each component of cloud infrastructure brings its own security requirements. Cloud data storage typically comes with all the advantages of cloud transformation yet introduces requirements to discover, classify, and protect critical data stores. Be sure you take the necessary steps to secure it.
Get a complete copy of Richard Stiennon’s report A Data-Centric Cybersecurity Framework for Digital Transformation here.