Data breaches on the cloud are frequently in the news. However, the causes for data breaches are sometimes ambiguous - a "misconfigured database," "an open resource," or "mismanagement" by an unspecified "third party." Because of the ambiguity around these breaches, securing the company may appear to be riskier than it is. The problem isn't with the cloud's security; it's with the regulations that govern the security and governance of the infrastructure and data. It is almost always the responsibility of the organisations employing the cloud who fail to manage the measures intended to protect an organization's data that we read about in the press.
By changing your line of questioning from “Is the cloud secure?” to “Am I managing the cloud securely?” As the public cloud is a shared responsibility platform, businesses must understand their part in securing data.
Hidden Data Risk
Implementing controls around what has access to data is fundamental to any data security and compliance program. Although each unique cloud provider delivers services and APIs to manage identity and access to information for their stack, they are different across all the stacks available (e.g., AWS, GCP, and Azure), do not address third-party data stores, and often require the use of low-level tools and APIs.
Unfortunately, many legacies data security and access control solutions do not align well with existing and emerging public cloud provider technology stacks. In some cases, they do not align at all. Taking a legacy approach means your organization may not have access to identity configuration risks, public data exposure, and excess privilege risks across cloud providers, accounts, countries, teams, and applications.
Failure in Data Classification
Protecting data has become ever more paramount to the success of entities, both large and small. For example, one of the most critical aspects of protecting information is that it requires data owners to classify what information is essential for business operations. This process is “data classification” and can be difficult for the people in charge of protecting an entity’s most critical asset – its data. Complicating matters are multi-cloud environments that provide disparate cloud security models. If data classification is a foundational requirement for cloud security, why does it fail?
Failure to Understand Critical Assets and Resources
Among the first questions, cloud security professionals should be asking themselves when tasked with classifying data is “What is my data?”, “Where is my sensitive data?”, “What information, if made public, would be detrimental to the business as a whole?”, “Who can access this data?” and “When did they access it?” In other words, asking these questions should be fundamental to any risk management strategy. The end goal of a risk assessment should be to identify critical assets and the risks associated with them. Identifying the risk helps enable security teams to classify better, including which data is necessary to protect and at what level of protection is best.
One of the most common mistakes with tagging data is mislabelling. To overcome this risk, sound, experienced, and trusted professionals should administer the process while working with all levels of senior management, as well as key process owners, to ensure proper resource allocation for protection.
Emerging Identity and Data security solutions, like Sonrai Dig, solve this challenge via a heterogeneous security and control framework across cloud stacks. Tools can ensure critical aspects of data security (including audit, identity and access management, data access, and compliance) are effectively managed in a single provider cloud or multi-cloud implementation. Cloud provider management models normalize data with centralized analytics, including data views across hundreds of AWS Accounts, GCP Projects, and Azure Subscriptions.
Limitations of Manual Auditing
Teams undertake manual security auditing after months of harmful activities have already occurred, making the value of manual efforts debatable in terms of regulatory compliance or assessing real risk. For example, there could have already been an incident between audits due to a risk that went unnoticed.
Assessing past procedures and processes positively impacts future activities. Of course, your organization shouldn’t halt these practices before implementing continuous auditing. Therefore, continuous auditing will enable you to take more immediate action against risks by continuously mapping permissions, managing configurations, and controlling access to data. With a new ongoing audit approach, data sovereignty, data movement, and identity relationships are monitor and report to ensure conformance to the sovereign, GDPR, HIPAA, and other compliance mandates. Drift detection on identity, data store, or a particular resource is anything that strays from a security baseline.
Lack of Contextual Insights
Context is most often determined by how a piece of compute is utilized. Many organizations are missing contextual insights when it comes to their cloud. It’s simple – your cloud environment cannot enforce granular access controls to identity or data effectively without understanding. It is based on the least privilege security model, using behavioural controls to detect and prevent theft. All changes implemented (via console, provisioning tools, or programmatically) are detected and continuously monitored for configuration mistakes.
Integrating Data Security into Your SDLC Approach
SDLC approach enables enterprises to continuously discover, manage, and monitor the activity of every unique person and non-person identity operating in their clouds. It ensures appropriate alerting of security and infrastructure teams to areas of unexpected or excessive risk. Critical aspects of a lifecycle approach include the ability to:
Discover risk by uncovering who people and non-people (identities) are doing what (access/actions), where (resources), and when (context) across your public cloud infrastructure.
Classify and manage risk to least privilege by ensuring identities have the least number of permissions needed to perform daily tasks – and no more
Monitor risk by continuously monitoring changes in identity activity (context/behaviour) and prioritizing alerts based on defined risk criteria
Protect data and access by using behavioural controls to detect and prevent theft, misconfigurations, and other risks.
Discover Your Risk
You can’t protect what you don’t detect, which is why granular visibility is essential. It starts by uncovering all unique people and non-people identities in your enterprise’s cloud infrastructure, what effective permissions they can execute, what actions they have executed, and which non-people identities/ resources they have accessed.
Hybrid and multi-cloud environments require a solution that can abstract, collect, normalize, and present historical identity activity in a single, unified, consumable format. Only with this clarity and insight can organizations begin to understand and mitigate the risk that over-permissioned identities pose.
Your identity and data solution should reduce risk, ensure compliance and increase operational efficiencies through:
- Risk and security monitoring. Identity configuration risks, public data exposure, and excess privilege report across cloud providers, accounts, countries, teams, and applications.
- Compliance Enforcement. Frameworks covering regulations and industry-recognized controls provide you with the ability to create your own frameworks to meet your organization’s exact needs.
- Drift Detection. Detect drift on identity, data store, or a particular resource to ensure compliance is baselined, monitored, and continuously met.
- DevSecOps multi-cloud efficiency. Cloud provider management models are normalized with centralized analytics and data views across hundreds of AWS Accounts, GCP Projects, and Azure Subscriptions.
- Misconfiguration Prevention. All changes implemented (via console, provisioning tools, or programmatically) are detected and continuously monitored for configuration mistakes.
Classify and Manage Your Risk
Your identity and data security should provide context along with combined visibility of current and historical activity. Implementing controls around what has access to data is fundamental to any data security and compliance program. Although each unique cloud provider delivers services and APIs to manage identity and access to data for their stack, there is not standardization across all the stacks available (e.g., AWS, Azure, Google Cloud, and Kubernetes), do not address third-party data stores, and often require the use of low-level tools and APIs. Your identity and data platform should resolve this problem through normalized views and control of cloud identity and data access.
Approaches to managing the risks of identities with excessive permissions may vary from vendor to vendor. Still, your platform must manage controls that account for the disparities among the cloud service providers. For example, organizations should have the option to either create or design custom least privilege roles. They can be based on the historical activity, including the option to remove unused or dormant permissions directly from a high-risk identity.
Automating remediation and prevention is critical, especially as the complexity of managing multiple cloud operating models grows. This automation is about continuously maintaining least privilege policies and controls across an enterprise’s environment without reducing productivity. For example, dormant identities over 90 days can be automatically removed.
Audit and Monitor Risk
To maintain control and security within and across clouds, enterprises need consistent, up-to-the-minute information. In your environment, there are tens of thousands of identities active at any one time. Those identities can be accessing tens of thousands of resources. As a result, ephemeral identities and data create a complex environment. It is nearly impossible to monitor without robust capabilities for continuous auditing.
Enterprises should be able to monitor their cloud infrastructures from a multi-dimensional perspective continuously. For example, monitoring activity through the “identity lens” enables teams to track changes based on activity. Also, it helps you quickly ascertain which permissions have been used, which permissions have not been used, and which resources identities have been accessed over time.
Another example, monitoring activity through the “data lens” enables security and cloud infrastructure teams to track access based on context. Therefore, quickly ascertain which data was accessed, which identity accessed the data, and when it was accessed. Continual monitoring of activity data is critical. It provides the context necessary to detect drift or anomalous behaviour, such as an identity that suddenly accesses sensitive resources.
Protect Data from Risk
For instance, your cloud security platform should normalize data with centralized analytics. Your platform should have views across hundreds of accounts and subscriptions/resource groups to streamline governance for DevOps and Security teams. Operational capabilities should trust models of all activity and relationships across cloud vendors, accounts, and third-party data stores. All views pivot on cloud provider, country, cloud accounts, application, or data store to provide deeper context.
Find the Right Tool
With cloud security data breaches making headlines, organizations need to share sensitive data without compromise or incident appropriately. Therefore, implementing controls around what has access to data is fundamental to any data security and compliance program. Finding the right tools to meet your security standards can be easy if you know what you want. Despite their best efforts, legacy approaches fall short in functionality. You must confront identities as the new perimeter, including excessive permissions.
(This is a slightly modified version of an article originally published in Security Boulevard. The original article can be found at https://securityboulevard.com/2021/08/building-a-secure-cloud-strong-data-protection/)