“Cloud security” and “cloud data security” sound similar, and they are easily confused, especially in light of recent conversations about significant breaches at cloud infrastructure providers like Microsoft. The distinction is as follows:
Cloud security refers to the security of the cloud infrastructure itself: the network in the cloud, the operating systems, and the applications provided. A vulnerability in any of these layers can cause a breach. There are numerous examples of data breaches where the underlying reason was that the cloud service provider did not take adequate care to protect its infrastructure.
Security of data in the cloud, however, is a related but different matter. Even with the cloud infrastructure being completely secure, enterprises can still suffer a breach. These include breaches caused by misconfiguration (https://securityboulevard.com/2020/01/microsoft-leaks-250m-customer-details-in-azure-fat-finger-faux-pas/), as Microsoft itself realized painfully.
Such breaches can result from compromised identities, compromised devices connected to the cloud, malicious employees, and countless other causes. Moreover, as enterprises start using their cloud applications with external agencies like vendors, contractors, and suppliers, the breach might happen after the data has left the cloud and moved into the vendor agencies’ systems.
After the SolarWinds attack and the Mimecast certificate breach, the outlook on data moving to or residing in the cloud needs to change. Security teams need to focus on how to reduce third-party data exposure in their cloud environment. The research conducted by the Wiz Research team on the permissions granted to third-party vendors in cloud environments is an eye-opener:
- 82% of companies provide third-party vendors with highly privileged roles, which poses a significant risk to sensitive data.
- 15% of vendors receive extensive write permissions that allow them to modify documents in the cloud.
- 90% of cloud security teams are unaware of permission levels given to third-party vendors.
Enterprises must understand that the security of the cloud infrastructure is the cloud service provider’s responsibility, but that does not transfer the responsibility for the security of data in the cloud! Enterprises must take measures to protect data going to the cloud themselves. Taking a data-centric approach to cloud data security is the only option here, which may include:
- Reduce data going to the cloud: Often it is possible to simply remove data from a cloud service if it does not need to be there.
- Detect and classify data going to the cloud: This is standard functionality in any Cloud Access Security Broker (CASB) and in some DLP systems, too, but there are also specialist discovery and classification systems that provide this functionality for cloud applications.
- Encrypt data and embed security controls into the data: Encryption and rights management systems integrate with CASB systems and with the cloud services themselves to automatically encrypt the data and embed granular usage policies into it.
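As an added illustration of the third step (this is example code, not code from the original article or from any product), the Go program below encrypts a document with AES-GCM and binds a human-readable usage policy to the ciphertext as additional authenticated data, so a provider or recipient who edits the policy to grant themselves access makes decryption fail. The Policy schema, the Envelope layout and the principal names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"slices"
)

// Policy is a constructed usage-policy schema; rights-management products define their own.
type Policy struct {
	AllowedTo []string `json:"allowed_to"` // principals permitted to open the document
	Rights    []string `json:"rights"`     // e.g. "view", "edit"; enforced by the consuming application
}
// Envelope is what leaves the enterprise: the policy stays readable but is authenticated
// together with the ciphertext, so a recipient cannot edit it to widen their own access.
type Envelope struct{ Nonce, Ciphertext, Policy []byte }
// NewAEAD wraps a 16-, 24- or 32-byte key in AES-GCM.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts plaintext and binds the serialised policy as additional authenticated data.
func Seal(aead cipher.AEAD, plaintext []byte, p Policy) (Envelope, error) {
	pol, _ := json.Marshal(p) // marshalling this fixed string/[]string struct cannot fail
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per document
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{nonce, aead.Seal(nil, nonce, plaintext, pol), pol}, nil
}
// Open verifies ciphertext and policy as one unit, then enforces the policy for principal.
func Open(aead cipher.AEAD, env Envelope, principal string) ([]byte, error) {
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, env.Policy)
	if err != nil {
		return nil, fmt.Errorf("ciphertext or embedded policy tampered with: %w", err)
	}
	var p Policy
	if err := json.Unmarshal(env.Policy, &p); err != nil {
		return nil, err
	}
	if !slices.Contains(p.AllowedTo, principal) {
		return nil, fmt.Errorf("embedded policy does not allow %q", principal)
	}
	return pt, nil
}
```

Enforcement still happens in the client that holds the key, so this protects the policy's integrity in storage and transit; it does not stop a recipient who already holds the key from re-encrypting the data under a policy of their own.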
This three-part process can help enterprises protect data going to the cloud and beyond it, to employee homes and external agencies. This approach also acts as insurance against cloud security breaches, since a breach of the cloud infrastructure will not mean a breach of the data stored in it. So, the next time Microsoft’s email service is breached or your file sync and share provider is compromised, enterprises can rest assured that their data is still safe!