Data Protection in the Cloud: The Basics and 7 Best Practices

[Data Protection, Cloud Compliance, Elementary, 6 minute read]

What is Data Protection in the Cloud?

Cloud data protection practices leverage tools and techniques for the purpose of protecting cloud-based corporate data. These practices should provide coverage for all data, including data at-rest and data in-transit, whether the data is located in an in-house private store or managed by a third-party contractor.

Data protection for cloud environments is becoming critical as more businesses transition from building and managing their own data centers to storing applications and data in the cloud.

Why Companies Need Cloud Data Protection

Today’s organizations are generating, collecting, and storing huge amounts of data with a wide range of sensitivity, from corporate trade secrets and consumers' private financial information to less sensitive data.

Additionally, organizations are moving data to the cloud, storing it in diverse locations that introduce complexities, from simple public cloud and private cloud repositories, to complicated architectures like multiclouds, hybrid clouds, and Software as a Service (SaaS) platforms.

The complexity of cloud architectures, coupled with increasingly demanding data protection and privacy regulations and vendors' shared responsibility models, creates many security challenges. Here are key challenges you might encounter:

  • Visibility—it’s difficult to keep an accurate inventory of all applications and data.
  • Access—there are fewer controls for data and applications hosted on third-party infrastructure than on premises. It is not always possible to gain visibility into user activity and learn how devices or data are being used.
  • Controls—cloud vendors offer a “shared responsibility” model. This means that while cloud users control some security aspects, others remain within the vendor's scope, and users cannot verify that security themselves.
  • Inconsistencies—different cloud providers offer different capabilities, which can lead to inconsistent cloud data protection and security.

All of these challenges can be exploited by threat actors, and may result in security breaches, loss or theft of trade secrets and private or financial information, and malware or ransomware infections.

Another major factor is compliance. Organizations are required to comply with data protection and privacy laws and regulations, such as the European Union's General Data Protection Regulation (GDPR), as well as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (US).

It can be very difficult for companies to consistently set and implement security policies across multiple cloud environments, as well as prove compliance to auditors. This might explain why the data protection market is expected to exceed $158 billion by 2024.

Data Protection in the Cloud: Key Best Practices

Know your Responsibilities in the Cloud

Using a cloud service does not mean that the cloud provider is responsible for your data. You and your provider share responsibilities. This shared responsibility model allows cloud providers to ensure that the hardware and software services they provide are secure while cloud consumers remain responsible for the security of their data assets.

Cloud providers often offer better security than many companies can achieve on their own. On the other hand, cloud consumers lose visibility because the cloud vendor is in charge of infrastructure operations. Challenges can arise when development, operations, hosting, and security responsibilities get mixed up between in-house teams and cloud vendors.

Ask About Provider’s Processes in Case of a Breach

Cloud vendors should provide transparent and well-documented plans outlining mitigation and support during breaches. In a worst-case scenario, multiple fail-safes and alarms should be triggered immediately when a breach is detected, alerting all relevant parties that an attack is happening. Another emergency measure is triggering a lockdown that secures data before it can be transferred or decrypted.

Identify Security Gaps Between Systems

Cloud environments are typically integrated with other services, some in-house while some are third-party. The more systems and vendors you add to the stack, the more gaps are created. Organizations need to identify each security gap and take measures that ensure the security of the data and assets shared and used by these systems.

While some measures are implemented by third-party vendors, organizations also need to implement their own measures to ensure compliance and security. Each industry is required to uphold certain security practices, and third-party vendors do not always offer the same level of compliance.

Utilize File-Level Encryption

Organizations should implement comprehensive file-level encryption measures, even if cloud vendors provide basic encryption. File-level encryption can serve as the basis of your cloud security, adding a layer of protection before uploading data to the cloud. You can also "shard" data into fragments. Storing shards in different locations makes it difficult for threat actors to assemble the whole file, even if they manage to breach one system.
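The following is an added example, not code from the original article or from any vendor product it mentions: the file is encrypted client-side with AES-256-GCM under a key the data owner keeps (the provider only ever stores ciphertext), the sealed blob is then split into shards for separate storage locations, and because GCM authenticates the whole blob, a missing, reordered, or altered shard makes decryption fail rather than yielding partial data. Key and file contents are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds AES-GCM from a key the data owner keeps; the provider never sees it.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAndShard encrypts file bytes client-side and splits the sealed blob into n >= 1 shards.
func SealAndShard(key, plaintext []byte, n int) ([][]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per file
	if _, err = rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := aead.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	size := (len(blob) + n - 1) / n
	var shards [][]byte
	for len(blob) > size {
		shards, blob = append(shards, blob[:size]), blob[size:]
	}
	return append(shards, blob), nil
}

// ReassembleAndOpen joins shards and decrypts; a missing or altered shard fails the GCM tag check.
func ReassembleAndOpen(key []byte, shards [][]byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	blob := bytes.Join(shards, nil)
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("reassembled blob too short to be a sealed file")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}
```

The shards carry no per-shard metadata, so in practice you would also record shard order and location in a manifest stored with the key, not with the shards.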

Transfer Data Securely

You can implement point-to-point security by combining additional encryption with TLS (still commonly referred to as SSL) for all communications. You can use secure email and file protection tools, which enable you to track and control who can see your data, who can access it, and when and how access is revoked, either for all actions or for specific actions such as forwarding. You can restrict the types of data that are allowed to be transferred outside your organization's ecosystem. You should also restrict certain uses of data, and ensure that users and recipients comply with data protection regulations.

Back Up Data Consistently

Create data replicas regularly and store them separately from the main repository. Consistent backups can help protect your organization from critical data losses, especially during a data wipeout or a lockdown. Data replicas enable you to continue working offline even when cloud assets are not available.

Expose Shadow IT in Your Cloud Deployment

A cloud security policy does not guarantee proper use of cloud resources. Many employees are not well versed in security policies, or are unaware of the security risks. When employees install software and download files without consulting with the IT team, they create a shadow IT infrastructure that introduces many security risks.

There are certain measures organizations can take to protect against shadow IT risks. One technique is to monitor firewalls, proxies, and SIEM logs to determine IT activity throughout the organization. Next, you can assess activities and determine the risks introduced by users.

Once you gain a relatively accurate picture of activity and usage, you need to put in place measures that prevent the transfer of corporate data from trusted systems and devices to unauthorized endpoints. Another measure that can prevent risks is enforcing device security verification, to prevent downloads from and to unauthorized devices.
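As an added example (not from the original article or any product it names) of the log assessment step described above: it reads proxy records, ignores destinations on an IT-approved SaaS allowlist, and sums outbound bytes per user and unsanctioned host so that large uploads to unknown services surface for review. The key=value record layout, the allowlist hosts, and the byte threshold are constructed assumptions; adapt the parser to your proxy's real format.

```go
package main

import (
	"strconv"
	"strings"
)

// Sanctioned SaaS destinations approved by IT (constructed example allowlist).
var sanctioned = map[string]bool{
	"files.corp-saas.example": true,
	"mail.corp-saas.example":  true,
}

// Key identifies one user and the destination host they sent data to.
type Key struct{ User, Host string }

// parseLine reads one key=value proxy record (constructed format) and returns
// the user, destination host and bytes sent; ok is false for malformed lines.
func parseLine(line string) (user, host string, bytesOut int, ok bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if k, v, found := strings.Cut(f, "="); found {
			kv[k] = v
		}
	}
	n, err := strconv.Atoi(kv["bytes_out"])
	if err != nil || kv["host"] == "" || kv["user"] == "" {
		return "", "", 0, false
	}
	return kv["user"], kv["host"], n, true
}

// ShadowUploads sums outbound bytes to hosts outside the sanctioned list per
// user and host and keeps only totals of at least minBytes for analyst review.
func ShadowUploads(lines []string, minBytes int) map[Key]int {
	totals := map[Key]int{}
	for _, l := range lines {
		user, host, n, ok := parseLine(l)
		if ok && !sanctioned[host] {
			totals[Key{user, host}] += n
		}
	}
	for k, n := range totals {
		if n < minBytes {
			delete(totals, k) // deleting during range is safe in Go
		}
	}
	return totals
}
```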

Data Protection in the Cloud with NetApp Cloud Compliance

NetApp Cloud Compliance leverages cognitive technology to discover, identify and map personal and sensitive data. Use Cloud Compliance to maintain visibility into the privacy posture of your cloud data, generate crucial data privacy reports, and easily demonstrate compliance with regulations such as the GDPR and the CCPA.
