Data security in cloud computing

Organizations in all sectors recognize the benefits of cloud computing. Some are only beginning their migration journey as part of digital transformation efforts, while others are adopting advanced multi-cloud, hybrid strategies. One of the biggest challenges at any stage of implementation is data security in cloud computing, stemming from the unique risks that the technology brings.

The cloud erodes the traditional network perimeter that drove cybersecurity strategies in the past. Data security in cloud computing requires a different approach—one that considers not only the threats but also the complexity of data governance and security models in the cloud.

The changing business landscape and implications for cloud data security

Strengthening cybersecurity defenses is the top investment that companies undertaking digital transformation projects plan to make.[1] The emerging trend of remote and hybrid workplaces is creating a paradigm shift in cybersecurity that’s changing spending priorities.

As businesses look to improve resilience and employees expect the flexibility to work from anywhere, cloud computing provides the foundational technology for this transformation. But many cloud solutions don’t come with built-in security features, which emphasizes the need for data security in cloud computing.

What is data security in cloud computing?

Cloud data security is the combination of technology solutions, policies, and procedures that the enterprise implements to protect cloud-based applications and systems, along with the associated data and user access.

The core principles of information security and data governance—data confidentiality, integrity, and availability (known as the CIA triad)—also apply to the cloud:

  • Confidentiality: protecting the data from unauthorized access and disclosure
  • Integrity: safeguard the data from unauthorized modification so it can be trusted
  • Availability: ensuring the data is fully available and accessible when it’s needed

These tenets apply regardless of:

  • Which cloud model the enterprise adopts—public, private, hybrid, or community clouds
  • Which cloud computing categories the organization uses—software-as-a-service (SaaS), platform-as-a-service (PaaS), infrastructure-as-a service (IaaS), or function-as-a-service (FaaS)

Organizations must consider data security during all stages of cloud computing and the data lifecycle, from development, deployment, or migration of applications and systems, to the management of the cloud environment.

Common cloud data security risks

When it comes to data, the cloud poses a variety of risks that the enterprise must address as part of its security strategy. The biggest risks—as organizations increasingly rely on the cloud for collecting, storing, and processing critical data—are cyberattacks and data breaches.

A SailPoint survey, for example, found that 45% of companies that have implemented IaaS have experienced cyberattacks and 25% have experienced a data breach. Other research found that IT security professionals cite the proliferation of cloud services as the second-biggest barrier to their ability to respond to a data breach, and this challenge has grown in recent years.

Some of the common cloud-related risks that organizations face include:

  • Regulatory noncompliance—whether it’s the General Protection Data Regulation (GDPR) or the Healthcare Insurance Portability and Accountability Act (HIPAA), cloud computing adds complexity to satisfying compliance requirements.
  • Data loss and data leaks—data loss and data leaks can result from poor security practices such as misconfigurations of cloud systems or threats such as insiders.
  • Loss of customer trust and brand reputation—customers trust organizations to safeguard their personally identifiable information (PII) and when a security incident leads to data compromise, companies lose customer goodwill.
  • Business interruption—risk professionals around the globe identified business disruption caused by failure of cloud technology / platforms or supply chains as one of their top five cyber exposure concerns.[2]
  • Financial losses—the costs of incident mitigation, data breaches, business disruption, and other consequences of cloud security incidents can add up to hundreds of millions of dollars.

Cloud computing threats to data security

While cybersecurity threats that apply to on-premises infrastructure also extend to cloud computing, the cloud brings additional data security threats. Here are some of the common ones:

  • Unsecure application programming interfaces (APIs)—many cloud services and applications rely on APIs for functionalities such as authentication and access, but these interfaces often have security weaknesses such as misconfigurations, opening the door to compromises.
  • Account hijacking or takeover—many people use weak passwords or reuse compromised passwords, which gives cyberattackers easy access to cloud accounts.
  • Insider threats—while these are not unique to the cloud, the lack of visibility into the cloud ecosystem increases the risk of insider threats, whether the insiders are gaining unauthorized access to data with malicious intent or are inadvertently sharing or storing sensitive data via the cloud.

The shared responsibility model of the cloud

One data security area that organizations struggle with in cloud computing is who bears the responsibility for security. With on-premises data centers and infrastructure, the responsibility falls to the organization. But in the cloud, they’re using vendor’s services, and the lines of responsibilities may feel blurry.

Cloud service providers use the so-called shared responsibility model, also known as “shared controls.” The challenge is that the way the responsibility is shared varies among the different cloud models.

In all models, cloud providers are responsible for the physical security of the infrastructure and the customers are responsible for data classification and accountability. For all the other security components, the responsibility either falls on one of the parties or is shared. For example, the cloud provider is responsible for identity and access management if the enterprise uses IaaS, but they share the responsibility if they’re using SaaS, PaaS, or FaaS.

The bottom line is that it’s important to understand the granularities of the shared responsibility model the cloud service provider follows and ensure the enterprise is applying the appropriate safeguards.

Safeguards for data security in cloud computing

Data security in the cloud starts with identity governance. Organizations need a comprehensive, consolidated view of data access across its on-premises and cloud platforms and workloads. Identity governance provides:

  • Visibility—the lack of visibility results in ineffective access control, increasing both risks and costs.
  • Federated access—this eliminates manual maintenance of separate identities by leveraging Active Directory or another system of record.
  • Monitoring—the enterprise needs a way to determine if the access to cloud data is authorized and appropriate.

Governance best practices include automating processes to reduce the burden on enterprise’s IT team, as well as auditing security tools routinely to ensure continuous risk mitigation as the organization’s environment evolves.

In addition to governance, other recommended data security safeguards for cloud computing include:

Deploy encryption. Ensure that sensitive and critical data, such as PII and intellectual property, is encrypted both in transit and at rest. Not all vendors offer encryption, and the enterprise should consider implementing a third-party encryption solution for added protection.

Back up the data. While vendors have their own backup procedures, it’s essential to back up cloud data locally as well. Use the 3-2-1 rule for data backup: Keep at least three copies, store them on at least two different media, and keep at least one backup offsite (in the case of the cloud, the offsite backup could be the one executed by the vendor).

Implement identity and access management (IAM). IAM technology and policies ensure that the right people have appropriate access to data, and this framework needs to encompass the cloud environment. Besides identity governance, IAM components include access management (such as single sign-on, or SSO) and privileged access management.

Manage organizational password policies. Poor password hygiene is frequently the cause of data breaches and other security incidents. Use password management solutions to make it simple for employees and other end users to maintain secure password practices.

Adopt multi-factor authentication (MFA). In addition to using secure password practices, MFA is a good way to mitigate the risk of compromised credentials. It creates an extra hurdle that threat actors must overcome as they try to gain entry to cloud accounts.

Final thoughts: Keeping data safe in the cloud

As the organization continues on its cloud adoption journey, especially if it starts to rely on the hybrid multi-cloud, the environment will grow more complex. Data security in cloud computing is a critical aspect of minimizing the company’s risks and protecting not only data but also brand reputation.

To safeguard against the ever-evolving cloud threats, consider implementing solutions for managing cloud access and entitlements. Additionally, integrate these solutions into the overall IAM strategy for a comprehensive approach to identity management.

A holistic, identity-centered approach ensures that the enterprise is enforcing access control consistently—and applying governance more intelligently— whether the data resides on premises or in the cloud. The organization also benefits from automation and other features that make identity more efficient and save costs.

A leader in identity security for the cloud enterprises, SailPoint provides technology that helps the enterprise manage cloud risks in today’s dynamic, distributed workplace. Learn more about SailPoint’s cloud governance solution.

[1] Dell Technologies 2020 Digital Transformation Index

[2] Allianz 2021 Risk Barometer