Light Dark
November 3, 2015 By Luis Casco-Arias 3 min read
Cloud Security
Data Protection

The Problem With Securing Cloud Data

Security was already a complex topic. Then the cloud came along. The cloud, in any of its forms, offers an attractive price and performance alternative to the traditional data center. In some cases, it may even replace IT implementations altogether. Nevertheless, the cloud will have to support the same IT processes, services and best practices galvanized by years of experience running IT organizations. This is particularly true for data security and compliance services.

While clouds present an optimistic and attractive model for IT, there is a key caveat: Clouds offer different levels of ownership and outsourcing, which greatly complicate our approaches for ensuring data security. Data is the most critical asset for a company, but now it may be sitting in cloud data environments that are out of the enterprise’s control.

Think about how worried you are when the data is in your data center, managed by people you know. With the cloud, you might not even know where the servers are, who is sharing them, who is managing them or what processes are in place to protect them. The obvious question becomes, “What considerations should I make to protect my data so my organization can move securely and confidently to the cloud?”

Read the IDC white paper: A CISO’s Guide to Enabling a Cloud Security Strategy

Before starting, consider the best approach to protecting your data in general, and then ensure that those precepts are followed in the cloud environment.

A Risk-Based Approach

First, you need to understand your data. Not all data is the same, and you must allocate appropriate resources to the most important information. In terms of security, you need to reduce the risk faced by that critical data. There are two important dimensions to this effort:

  1. Business value: How frequently is the data used to run the business and by whom (e.g., a pricing and discount table used daily by pricers)?
  2. Risk: How sensitive is the data and what exposures does it have (e.g., is it on a server with default passwords)?

The answers to these questions will help determine the relevance of the data and how you need to specifically treat it in its life cycle, especially for security and compliance.

An ideal way to do this is through automatic discovery tools that show you where your sensitive data is, who has access to it and how risky it can be. Armed with this knowledge, it becomes easier to choose how to mitigate the risk with the right tools, such as encryption, masking, archiving, deleting and even tightening access control rules.

The final step is to continue to monitor access to your sensitive data in order to maintain a tolerable risk level, especially against misuse or abuse of privileged access.

Three Environments for Cloud Data

Cloud service providers (CSPs) can offer customers different levels of control or convenience with regard to the services they provide. To apply the risk-based methodology to the cloud, you need to consider the three main environments.

Infrastructure-as-a-Service

Infrastructure-as-a-service (IaaS) is where the CSP manages the virtual and physical foundation. The end customer can control all other components up to the application layers. This may be the simpler scenario to support for data security because the same on-premises security controls — such as discovery, classification, vulnerability assessment, encryption, masking, monitoring, auditing and blocking — can be applied.

Platform-as-a-Service

Platform-as-a-service (PaaS) is where the CSP additionally manages the middleware and runtime. The end customer only has control over how to manage the data and the application. New data-as-a-service options offer customers access to shared virtual database space. The customer controls the data put in these spaces and the applications that use it but can only apply data security controls that the CSP has allowed or that exist at the application layer.

Regardless of the data security services provided, customers need to ensure that they have control. For example, they should request to hold encryption keys or monitor consoles.

Software-as-a-Service

Finally, there is software-as-a-service (SaaS), where the customer is only a user of the service and the administration of the stack is left to the CSP. The customer has no control over what is done with the data. Dropbox and Google Docs are common in the mobile consumer space, and Salesforce is a well-known enterprise example. SaaS environments are the most difficult to control for data security because the data is at the mercy of the CSP. The end customer can only control it if the data is sent to the application encrypted or masked, and you still need to be careful not to break application logic.

For cloud environments, the more control you give to a CSP, the more you will be dependent on their security processes. Service-level agreements can be set to increase confidence, but you can always lower the risk the further down you go on the stack.

Learn how to optimize your cloud security model – Read the IDC Report

 |  |  |  |  |  | 
Luis Casco-Arias
Senior Offering Manager of Data Security, IBM

More from Cloud Security
December 18, 2024

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

December 4, 2024

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature