The Problem With Securing Cloud Data

Security was already a complex topic. Then the cloud came along. The cloud, in any of its forms, offers an attractive price and performance alternative to the traditional data center. In some cases, it may even replace IT implementations altogether. Nevertheless, the cloud will have to support the same IT processes, services and best practices galvanized by years of experience running IT organizations. This is particularly true for data security and compliance services.

While clouds present an optimistic and attractive model for IT, there is a key caveat: Clouds offer different levels of ownership and outsourcing, which greatly complicate our approaches for ensuring data security. Data is the most critical asset for a company, but now it may be sitting in cloud data environments that are out of the enterprise’s control.

Think about how worried you are when the data is in your data center, managed by people you know. With the cloud, you might not even know where the servers are, who is sharing them, who is managing them or what processes are in place to protect them. The obvious question becomes, “What considerations should I make to protect my data so my organization can move securely and confidently to the cloud?”

Read the IDC white paper: A CISO’s Guide to Enabling a Cloud Security Strategy

Before starting, consider the best approach to protecting your data in general, and then ensure that those precepts are followed in the cloud environment.

A Risk-Based Approach

First, you need to understand your data. Not all data is the same, and you must allocate appropriate resources to the most important information. In terms of security, you need to reduce the risk faced by that critical data. There are two important dimensions to this effort:

  1. Business value: How frequently is the data used to run the business and by whom (e.g., a pricing and discount table used daily by pricers)?
  2. Risk: How sensitive is the data and what exposures does it have (e.g., is it on a server with default passwords)?

The answers to these questions will help determine the relevance of the data and how you need to specifically treat it in its life cycle, especially for security and compliance.

An ideal way to do this is through automatic discovery tools that show you where your sensitive data is, who has access to it and how risky it can be. Armed with this knowledge, it becomes easier to choose how to mitigate the risk with the right tools, such as encryption, masking, archiving, deleting and even tightening access control rules.

The final step is to continue to monitor access to your sensitive data in order to maintain a tolerable risk level, especially against misuse or abuse of privileged access.

Three Environments for Cloud Data

Cloud service providers (CSPs) can offer customers different levels of control or convenience with regard to the services they provide. To apply the risk-based methodology to the cloud, you need to consider the three main environments.


Infrastructure-as-a-service (IaaS) is where the CSP manages the virtual and physical foundation. The end customer can control all other components up to the application layers. This may be the simpler scenario to support for data security because the same on-premises security controls — such as discovery, classification, vulnerability assessment, encryption, masking, monitoring, auditing and blocking — can be applied.


Platform-as-a-service (PaaS) is where the CSP additionally manages the middleware and runtime. The end customer only has control over how to manage the data and the application. New data-as-a-service options offer customers access to shared virtual database space. The customer controls the data put in these spaces and the applications that use it but can only apply data security controls that the CSP has allowed or that exist at the application layer.

Regardless of the data security services provided, customers need to ensure that they have control. For example, they should request to hold encryption keys or monitor consoles.


Finally, there is software-as-a-service (SaaS), where the customer is only a user of the service and the administration of the stack is left to the CSP. The customer has no control over what is done with the data. Dropbox and Google Docs are common in the mobile consumer space, and Salesforce is a well-known enterprise example. SaaS environments are the most difficult to control for data security because the data is at the mercy of the CSP. The end customer can only control it if the data is sent to the application encrypted or masked, and you still need to be careful not to break application logic.

For cloud environments, the more control you give to a CSP, the more you will be dependent on their security processes. Service-level agreements can be set to increase confidence, but you can always lower the risk the further down you go on the stack.

Learn how to optimize your cloud security model – Read the IDC Report

More from Cloud Security

Why Are Cloud Misconfigurations Still a Major Issue?

Cloud misconfigurations are by far the biggest threat to cloud security, according to the National Security Agency (NSA). The 2022 IBM Security X-Force Cloud Threat Landscape Report found that cloud vulnerabilities have grown a whopping 28% since last year, with a 200% increase in cloud accounts offered on the dark web in the same timeframe. With vulnerabilities on the rise, the catastrophic impact of cloud breaches has made it clear that proper cloud security is of the utmost importance. And…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

How an Attacker Can Achieve Persistence in Google Cloud Platform (GCP) with Cloud Shell

IBM Security X-Force Red took a deeper look at the Google Cloud Platform (GCP) and found a potential method an attacker could use to persist in GCP via the Google Cloud Shell. Google Cloud Shell is a service that provides a web-based shell where GCP administrative activities can be performed. A web-based shell is a nice feature because it allows developers and administrators to manage GCP resources without having to install or keep any software locally on their system. From…

How IBM Secured the 2022 US Open

Throughout the US Open Tennis Championship, the infrastructure for and the mobile apps can see upwards of 3 million security events. While the vast majority of events are not serious, security analysts must quickly determine which are concerning to take immediate action. However, with such a large volume and variety of data, security analysts need to know where to focus their attention. As the host of the digital platforms and official digital innovation partner for the US Open Tennis…