We are in the midst of the biggest computing transformation ever, bigger than the once renowned shift from mainframe to client-server computing. Every day more data and more applications move to the cloud. However, too many organizations are operating their environments in the dark.
It seems like there’s a new cloud data breach hitting the headlines every day. A 2021 study conducted by 451 Research reported that 40% of organizations in the cloud experienced a cloud data breach within the last 12 months. A 2020 study conducted by IDC estimated that 80% of organizations had had a cloud data breach within the preceding 18 months. At the same time, the scalability and cost benefits of moving applications to public cloud environments are so big that companies are moving to the cloud anyway.
There are steps you can take to protect your data and cloud applications. Here are 5 things you should do to protect your cloud application and avoid being the next cloud data breach.
- Track your confidential data everywhere it is kept.
Monitor and classify the data in your cloud storage — whether it is File, Blob, or Queue storage in Microsoft Azure; Standard, Nearline, Coldline, or Archive in Google Cloud; Smart, Standard, Cold, or Vault in IBM Cloud; or S3 buckets in AWS. Don’t stop at these standard cloud storage locations. Monitor your databases. Monitor your persistent volumes in Kubernetes.
Put a system in place that will automatically scan, classify, and tag data such as personally identifiable information (PII), payment card information (PCI), healthcare data, design documents, or source code so you always know where this type of data is in your cloud.
This is a great opportunity for cloud operations to connect with the data protection office to see if you can extend your enterprise data loss prevention (DLP) classification policies to your cloud environment.
- Track and control access to your confidential data.
Once you can detect your confidential data, automate discovery and remediation of public links to that data. Detect if you have promiscuous internal access enabled for locations that contain sensitive data. Detect if an external third party has access to your data. Set up a system that will recognize and block risky user and service account access behavior such as multiple failed login attempts, access from unusual locations, and abnormal downloads or encryption activity. Set up protection that can quickly and automatically remove risky access permissions and block high-risk accounts.
Work with your cloud security team to put a system in place to continuously monitor access permissions and user behavior associated with any application, location, or service that contains confidential data.
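One way to implement the public-link and third-party-access discovery this step calls for, written here as an added example rather than code from the original post: it evaluates an S3 bucket policy document offline and flags Allow statements whose principal is everyone or an AWS account outside an assumed list of your own accounts. The account IDs, bucket name, and sample policy are constructed for the example.

```python
import json

# Constructed for this example: account IDs that belong to our own organization.
OWN_ACCOUNTS = {"111111111111", "222222222222"}

def _principals(stmt):
    """Flatten a statement's Principal element into a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():       # keys are AWS, Service, Federated, ...
        out.extend(value if isinstance(value, list) else [value])
    return out

def _account_of(principal):
    """Return the 12-digit account ID from an IAM ARN, or None for '*' and service principals."""
    return principal.split(":")[4] if principal.startswith("arn:aws:iam::") else None

def assess_bucket_policy(policy_json):
    """Return findings for Allow statements that grant access to everyone ("public")
    or to an account outside OWN_ACCOUNTS ("external"). Statements carrying a Condition
    are still reported, with conditional=True, so a reviewer verifies the condition."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            account = _account_of(principal)
            if principal == "*":
                kind = "public"
            elif account is not None and account not in OWN_ACCOUNTS:
                kind = "external"
            else:
                continue                   # own account or a service principal
            findings.append({"sid": stmt.get("Sid", ""), "kind": kind,
                             "principal": principal, "conditional": "Condition" in stmt})
    return findings

# Constructed sample policy on a bucket that holds PII exports.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::pii-exports/*"},
    {"Sid": "PartnerAccess", "Effect": "Allow", "Action": "s3:*",
     "Principal": {"AWS": "arn:aws:iam::999999999999:root"}, "Resource": "arn:aws:s3:::pii-exports/*"},
    {"Sid": "OwnEtl", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/etl"}, "Resource": "arn:aws:s3:::pii-exports/*"},
    {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::pii-exports/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})
```

Running `assess_bucket_policy(SAMPLE_POLICY)` reports the public read grant and the partner account while leaving the organization's own ETL role and the Deny statement alone; feed it each bucket's policy from your inventory to get the list of public links and third-party grants to remediate.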
- Enable runtime visibility and control over your networked microservices.
Know how your microservices are connected inside your application. Continuously watch for high risk east-west movement of confidential data and for abnormal network activity. Detect and isolate rogue workloads and APIs if they appear. You want to know if PCI data is flowing outside your PCI zone or to an unauthorized API or third-party service. You want to detect and mitigate a DDoS attack in runtime when it happens.
Have your DevOps team deploy a service mesh such as Istio with your Kubernetes environment to monitor and control east-west network traffic within your cloud. Set up cloud protection that works with your service mesh and can both alert you to risky traffic and quickly block or redirect traffic to microsegment your environment if you are under attack.
- Mitigate the risks of misconfigurations and vulnerabilities by tracking and prioritizing them within the context of your runtime environment.
You may ultimately find yourself with long lists of vulnerabilities and risky configurations to consider. Sometimes these lists are simply too long and you don’t have enough man-hours to address everything. Sometimes there isn’t a fix available for a vulnerability. Sometimes your system is designed in such a way that you can’t fix a vulnerability or remove a risky configuration.
Use a protection platform that shows each vulnerability and misconfiguration alongside the affected workload, in the context of your networked application, and whether that workload processes confidential data. Prioritize the security posture of these workloads over less connected workloads that hold no confidential data. This will be key when you find that you cannot fix every risky configuration or vulnerability that pops up.
- Continuously assess your compliance posture with runtime visibility.
Use runtime compliance scanning as a tool to keep your cloud security posture in a healthy state. It is a strong tool for prioritizing security initiatives. Plus, if you have a report that is continuously up-to-date, you will already have the report you need when a compliance reporting cycle comes around.
There are a number of tools to consider to protect your cloud environment and your data. Look for a cloud-native application protection platform (CNAPP) that includes data loss prevention (DLP) and data classification capabilities if your goal is to protect your data. Even better if it can use the same DLP policies that you are using across your enterprise. Look for a CNAPP that operates in runtime with automated alerts and network controls if you want to keep your applications running even when they come under attack. Set up a system for cloud security posture management (CSPM) and cloud workload protection (CWP) that presents your misconfigurations, vulnerabilities, and compliance within the context of your running environment and the sensitive data it contains. Finally, simplify as much as you can by looking for agentless deployment options.