June 23, 2022
Data Security in the Cloud: Is the Default Security Provided by the Cloud Service Provider Enough?
Moving a business’ operations to the cloud is supposed to make life easier. In addition to accessing the organization’s data and software from anywhere, centralizing platforms is supposed to bring a degree of security that most companies can’t achieve on their own (at least, not without substantial investment and time). And yet, there’s good evidence that increased security is frequently not the outcome businesses see.
The number and severity of data breaches have, on average, increased from year to year. Yet, the market for public cloud services has grown by 21.7 percent or more every year since 2018. Something’s not right with this story, and companies need to figure out how to protect user data and optimize their data security in the cloud.
Are cloud environments really more secure?
Two statistics tell the story of cloud security. Google Cloud reports that one of the banks on its platforms “detected a data breach and found the individual responsible within two weeks.” Another bank on the same platform took over a year to discover the same breach. The difference in detection time is strange, but the picture is even murkier than it appears at first glance.
Counterintuitively, data breaches cost more on a public cloud, averaging $4.80 million, compared to $4.55 million and $3.61 million for private and hybrid clouds. One would expect increased reliance on a highly secure public cloud to lead to better security, but in reality that is not the case.
The puzzle is solved when one considers the steps required to secure all that data in a cloud environment. The tool itself does not provide the value; how it is used does. When it comes to the cloud, the tools themselves have tremendous potential, but how they are used, and how securely they are used, increases or diminishes that potential.
The common mistake that companies make is assuming that the security actions they need to take are taken care of by the cloud platform provider. That assumption is not accurate.
Securing cloud environments: On vs. In the cloud
Cloud providers are primarily responsible for “data security of the cloud.” That means they work to secure the hardware and networking infrastructure and compute, storage, database, and networking resources.
The customer is responsible for “data security in the cloud.” According to Amazon, this includes:
- Operating system, network, and firewall configuration
- Platform, applications, identity, and access management
- Client-side data encryption and data integrity authentication
- Server-side encryption
- Networking traffic protection
- Customer data
That list includes many things that a company might not realize they’re on the hook for when signing up for a cloud platform. And while the configuration of the platform itself is critical, it’s worth noting that Amazon assigns “customer data” a footing equal to the others on this list. How you treat your customer data has a massive impact on the success or failure of your security operations.
Cloud environments and data privacy laws
The convenience of accessing data in the cloud means that companies often do things with it that they wouldn’t otherwise attempt, and sometimes without fully thinking things through. With a data warehouse or data lake in the cloud, you can now share data more easily between departments in your company and aggregate more data than ever. It’s easier to trade and share data with other companies and have third parties process that data to extract additional insights that you wouldn’t have on your own. You can move data from country to country with just a few clicks and finally give your employees the visibility into your processes that they need to be truly agile.
The problem with nearly every benefit in the above list is that it can, at some point, run afoul of one or more of the ever-growing constellation of data privacy laws. A fundamental part of many new data privacy laws is that companies must explain to their users how they are using their data. When companies are sloppy in tracking how the data they collect is used, fulfilling that requirement becomes challenging, and the gap can lead to critical cloud security issues.
Steps companies should take to secure data in the cloud
The specific steps a company should take to secure its data in the cloud will vary based on the setup it uses, the data types involved, and the certifications and legal requirements the company needs to meet. Despite those differences, there are a few common steps that all companies should take to better secure their cloud data.
User Access Control
Companies should control which users have access to which parts of their cloud, but they should also have a system in place to make sure that data is only shown to the employee classes who need it to perform their job. This process makes data more secure in the event of a breach, and it also limits the damage of an employee leak, whether intentional or not.
One powerful method of controlling how employees access data is data masking. If you’ve ever seen the initial digits of your social security number blurred out on a form, you’ve seen data masking in action. A big part of the utility of data masking is that it can be deployed without redesigning your frontends to accommodate the changes.
Third-party data analysis can be extremely valuable, but it is also an easy way to get into legal trouble. Anonymization allows companies to share their data more freely by modifying it so it cannot be traced back to the user who created it. However, this sometimes alters the data and destroys the relationships between data points, ruining analysis. More advanced anonymization processes create synthetic datasets that preserve the original relationships between data points without containing any original data, making them safe to transfer outside the company for analysis.
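The role-based masking described above, as an added example that is not part of the original post or of Mage's product: masking is applied at the data-access layer, so the frontend receives already-masked values and needs no redesign. The roles, the policy table and the sample record are constructed assumptions.

```python
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def mask_ssn(ssn: str) -> str:
    """Blur the leading digits and keep the last four, the usual form-field view."""
    if not SSN_RE.match(ssn):
        raise ValueError("unexpected SSN format")
    return "***-**-" + ssn[-4:]

def mask_email(email: str) -> str:
    """Keep the first character and the domain so support staff can still recognise a user."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("unexpected email format")
    return local[0] + "***@" + domain

# Hypothetical policy: which employee classes may see which fields, and how.
# "clear" = unmasked, "mask" = masked, "drop" = field removed from the view.
POLICY = {
    "billing": {"ssn": "clear", "email": "clear"},
    "support": {"ssn": "mask", "email": "mask"},
    "analyst": {"ssn": "drop", "email": "mask"},
}
MASKERS = {"ssn": mask_ssn, "email": mask_email}

def view_record(record: dict, role: str) -> dict:
    """Return the record as the given role is allowed to see it.
    Least-privilege default: an unknown role, or a field missing from the
    role's rules, gets the masked value rather than the clear one."""
    rules = POLICY.get(role, {})
    out = {}
    for field, value in record.items():
        if field not in MASKERS:
            out[field] = value            # non-sensitive field, pass through
            continue
        action = rules.get(field, "mask")
        if action == "clear":
            out[field] = value
        elif action == "mask":
            out[field] = MASKERS[field](value)
        # "drop": the field is omitted from the view entirely
    return out

# Constructed sample record.
CUSTOMER = {"id": 1042, "ssn": "123-45-6789", "email": "jane.doe@example.com"}
```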
Encryption and Tokenization
Encrypting your data while it’s at rest protects it from unauthorized access and is especially useful if your systems are breached, as the attacker wouldn’t be able to make sense of the data they gathered. Likewise, tokenization lets programs substitute a “token” that carries no sensitive data for the sensitive value itself in repeat transactions. This means that data intercepted in transit won’t contain any sensitive information, even if its encryption is broken.
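The tokenization flow described above, as an added example that is not part of the original post or of Mage's product: a vault is the only component holding the real card number, repeat transactions reuse the same token, and the token itself carries nothing sensitive. The vault class, its HMAC-keyed index and the sample card number are constructed assumptions.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Constructed tokenization vault: the only place the real card number (PAN)
    exists. Every other service stores, logs and transmits tokens only."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key        # HMAC key so the lookup index never holds a PAN
        self._by_token: dict[str, str] = {}
        self._by_pan_mac: dict[str, str] = {}

    def _pan_mac(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for this PAN (repeat transactions) or mint one."""
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        mac = self._pan_mac(digits)
        if mac in self._by_pan_mac:
            return self._by_pan_mac[mac]
        # The token keeps the PAN's length and last four digits (enough for a
        # receipt); the rest is random, so intercepting it reveals no card data.
        while True:
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(digits) - 4))
            token = middle + digits[-4:]
            if token not in self._by_token and token != digits:
                break
        self._by_token[token] = digits
        self._by_pan_mac[mac] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault, called by an authorised service, maps a token back."""
        return self._by_token[token]

    def is_token(self, token: str) -> bool:
        return token in self._by_token
```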
How Mage creates cloud security
While applying all these cloud security methods may feel overwhelming, companies don’t have to approach the issue alone. Mage helps companies create a nuanced approach to securing data in the cloud that gives them protection for their specific workload without disrupting daily operations. From advanced data discovery to masking, anonymization, and database activity monitoring, Mage has the ability to power any company’s cloud data security operations. To learn more about Mage and see what we can do for you, schedule a demo today!