Cloud Data Security: Securing Data Stored in the Cloud

Gui Alvarenga - June 7, 2022

What is Cloud Data Security?

Cloud data security refers to the technologies, policies, services and security controls that protect any type of data in the cloud from loss, leakage or misuse through breaches, exfiltration and unauthorized access. A robust cloud data security strategy should include:

  • Ensuring the security and privacy of data across networks as well as within applications, containers, workloads and other cloud environments
  • Controlling data access for all users, devices and software
  • Providing complete visibility into all data on the network

The cloud data protection and security strategy must also protect data of all types. This includes:

  • Data in use: Securing data being used by an application or endpoint through user authentication and access control
  • Data in motion: Ensuring the safe transmission of sensitive, confidential or proprietary data while it moves across the network through encryption and/or other email and messaging security measures
  • Data at rest: Protecting data that is being stored on any network location, including the cloud, through access restrictions and user authentication

Expert Tip

The cloud is a term used to describe servers — as well as any associated services, software applications, databases, containers and workloads — that are accessed remotely via the internet. Cloud environments are typically divided into two categories: a private cloud, which is a cloud environment used exclusively by one customer, and a public cloud, which is an environment shared by more than one user.

How secure is the cloud?

Theoretically, the cloud is no more or less secure than a physical server or data center so long as the organization has adopted a comprehensive, robust cybersecurity strategy that is specifically designed to protect against risks and threats in a cloud environment.

And therein lies the problem: Many companies may not realize that their existing security strategy and legacy tooling, such as firewalls, do not protect assets hosted in the cloud. For this reason, organizations must fundamentally reconsider their security posture and update it to meet the security requirements of this new environment.

Another big misconception about the cloud is that the cloud provider is responsible for all security functions, including data security. In fact, cloud security follows what is referred to as the shared responsibility model.

Hence, cloud security — and, by extension, cloud data security — is a shared responsibility between the cloud service provider (CSP) and its customers.

Expert Tip

According to this model, the CSP, such as Google Cloud Platform (GCP), Amazon Web Services (AWS) or Microsoft Azure, is responsible for managing and protecting the security of the underlying hardware. Customers, however, are expected to enable security at the infrastructure and application layers. This includes all tools, technologies, policies and methods meant to protect the organization’s data and other cloud-based assets.

Why should businesses store data in the cloud?

Organizations have shifted to the cloud because it is a key enabler of almost every digital business transformation strategy. When it comes to cloud data storage, specifically, organizations can unlock valuable benefits, such as:

  • Lower costs: Cloud storage is generally more affordable for businesses and organizations because the infrastructure costs are shared across users.
  • Resource optimization: Typically speaking, in a cloud model, the CSP is responsible for maintaining cloud-based servers, hardware, databases or other cloud infrastructure elements. In addition, the organization no longer needs to host or maintain on-premises components. This not only decreases overall IT costs but allows staff to be redeployed to focus on other issues, such as customer support or business modernization.
  • Improved access: Cloud-hosted databases can be accessed by any authorized user, from virtually any device, in any location in the world so long as there is an internet connection — a must for enabling the modern digital workforce.
  • Scalability: Cloud resources, such as databases, are flexible, meaning they can be quickly spun up or down based on the variable needs of the business. This allows the organization to manage surges in demand or seasonal spikes in a more timely and cost-effective way.

Business Risks to Storing Data in the Cloud

Though storing data within the cloud offers organizations many important benefits, this environment is not without challenges. Here are some risks businesses may face when storing data in the cloud without the proper security measures in place:

1. Data breaches

Data breaches occur differently in the cloud than in on-premises attacks. Malware is less relevant. Instead, attackers exploit misconfigurations, inadequate access, stolen credentials and other vulnerabilities.

2. Misconfigurations

Misconfigurations are the No. 1 vulnerability in a cloud environment and can lead to overly permissive privileges on accounts, insufficient logging and other security gaps that expose organizations to cloud breaches, insider threats and adversaries who leverage vulnerabilities to gain access to data.

3. Unsecured APIs

Businesses often use APIs to connect services and transfer data, either internally or to partners, suppliers, customers and others. Because APIs turn certain types of data into endpoints, changes to data policies or privilege levels can increase the risk of unauthorized access to more data than the host intended.

4. Access control/unauthorized access

Organizations tend to rely on the default access controls of their cloud providers, which becomes a particular issue in a multi-cloud or hybrid cloud environment, where those defaults differ from provider to provider. Insider threats can do a great deal of damage with their privileged access, knowledge of where to strike, and ability to hide their tracks.

6 Cloud Data Security Best Practices

To ensure the security of their data, organizations must adopt a comprehensive cybersecurity strategy that addresses data vulnerabilities specific to the cloud.

Key elements of a robust cloud data security strategy include:

1. Leverage advanced encryption capabilities

One effective way to protect data is to encrypt it. Cloud encryption transforms data from plain text into an unreadable format before it enters the cloud. Data should be encrypted both in transit and at rest.

There are different out-of-the-box encryption capabilities offered by cloud service providers for data stored in block and object storage services. To protect the security of data-in-transit, connections to cloud storage services should be made using encrypted HTTPS/TLS connections.

Data encryption is enabled by default in cloud platforms using platform-managed encryption keys. However, customers can gain additional control by bringing their own keys and managing them centrally via the cloud provider's encryption key management services. Organizations with stricter security standards and compliance requirements can implement native hardware security module (HSM)-backed key management services, or even third-party services, for protecting data encryption keys.

2. Implement a data loss prevention (DLP) tool.

Data loss prevention (DLP) is part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage or misuse of data through breaches, exfiltration and unauthorized access.

A cloud DLP is specifically designed to protect those organizations that leverage cloud repositories for data storage.

3. Enable unified visibility across private, hybrid and multi-cloud environments.

Unified discovery and visibility across multi-cloud environments, along with continuous intelligent monitoring of all cloud resources, are essential in a cloud security solution. That unified visibility must be able to detect misconfigurations, vulnerabilities and data security threats, while providing actionable insights and guided remediation.

4. Ensure security posture and governance.

Another key element of data security is having the proper security policy and governance in place that enforces golden cloud security standards, while meeting industry and government regulations across the entire infrastructure. A cloud security posture management (CSPM) solution that detects and prevents misconfigurations and control plane threats is essential for eliminating blind spots and ensuring compliance across clouds, applications and workloads.

5. Strengthen identity and access management (IAM).

Identity and access management (IAM) helps organizations streamline and automate identity and access management tasks and enable more granular access controls and privileges. With an IAM solution, IT teams no longer need to manually assign access controls, monitor and update privileges, or deprovision accounts. Organizations can also enable a single sign-on (SSO) to authenticate the user’s identity and allow access to multiple applications and websites with just one set of credentials.

When it comes to IAM controls, the rule of thumb is to follow the principle of least privilege, which means allowing required users to access only the data and cloud resources they need to perform their work.

6. Enable cloud workload protection.

Cloud workloads increase the attack surface exponentially. Protecting workloads requires visibility and discovery of each workload and container events, while securing the entire cloud-native stack, on any cloud, across all workloads, containers, Kubernetes and serverless applications. Cloud workload protection (CWP) includes vulnerability scanning and management, and breach protection for workloads, including containers, Kubernetes and serverless functions, while enabling organizations to build, run and secure cloud applications from development to production.

CrowdStrike’s Cloud Security Solutions

CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise.

Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon® platform leverages real-time indicators of attack (IOAs), threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.

Learn more about CrowdStrike’s Cloud Security Solutions, including our services specific to AWS, GCP and Azure, below:

GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years of experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.