printer friendly version

Data protection in the cloud

Rick Vanover.

The ‘Global DataSphere’ is exploding in size. IDC predicts that by 2026, the amount of data in the world will have doubled again. While most enterprises have digitised their operations, they continue to add more strategic workloads and create more and more data. So, as the amount of data enterprises have to deal with grows exponentially, moving to the cloud based on an elaborated strategy offers significant benefits like scalability, flexibility and cost-effective storage.

But can this go on forever? Gartner expects total worldwide end-user spending on public cloud services will reach a record $592 billion this year, a 21% increase from 2022. The Cloud Security Alliance (CSA) reported that 96% of companies say they have insufficient security for sensitive cloud data, so across the board we have a long way to go on this journey. Here are three best practices for enterprises to protect their data in the cloud.

1. Know your data

The first step to solving any problem is to know what you are dealing with. Before you can protect anything, you need to know who is storing what, and where. Is everyone in the business using the same accounts? To make sure this is done right, IT teams often need to play detective or go on a journey of discovery across the business. To find these threads, it is often necessary to look through finances and collect invoices for cloud costs across the organisation.

When brought together, the amount of data kept by most enterprises, whether it was migrated over from on-premises or originally stored in the cloud, is vast. Humans are natural hoarders, and the digital world is no exception. While the ‘virtual garage’ of the cloud can store endless boxes of data, locating everything is only half the battle. In order to know what data is mission-critical and sensitive, you will need to classify it.

Automated data classification engines can help you sort and organise, so you are not blindly trying to protect everything to the nth degree. Once you know exactly what you have stored on the cloud (and where) only then can you start looking at how this data is secured.

As organisations face a fairly low barrier of entry to move data to the cloud, teams may not have prioritised the security and network processes that are required; if the migration happened too fast this can easily be the case. Similarly, because the cloud is a completely different environment to secure, things are often missed. There are many new service types that do not always exist on-premises and many of these need to be protected and recovered in the case of attacks or outages. Examples of these include code in cloud storage, applications that leverage other cloud services, and APIs provided in the cloud.

2. Know your responsibilities

A key issue is enterprises often not realising exactly what they are responsible for, regarding security and data protection in the cloud. There is a big gap in awareness of the shared responsibility model on which cloud security is built. This means they assume the provider is responsible for certain security measures, when in reality it is their job. While it does depend on the cloud provider, typically the provider is responsible for the security of the infrastructure and the physical facilities that host it. Securing applications, data and access to the environment, however, is the responsibility of the customer.

In practice, this means enterprises need to ensure they have backups of all critical and sensitive data stored in the cloud, in case of breaches or outages. The best practice is to have multiple backups in different locations (e.g. one on-premises as well as a cloud copy) and have copies of data across different mediums, with at least one copy kept offsite, offline and immutable – even better yet, all three.

The other core security responsibility that lies with the enterprise is controlling access and privileges. If every user of your cloud has access to ‘God Mode’, any breach is going to be devastating. Likewise, if you are using a single account to do multiple functions like protection and provisioning.

The best practice is to ensure multiple accounts are used across the business, using access and identity management correctly across accounts and subscriptions, so you can easily remove the failure domain, in the case of a security breach. At a user level, ensure the principle of least privilege is followed across the cloud environment, so that people only have access to the resources and environments they need.

3. Keep it cost-effective

In all likelihood, putting the previous two principles into place will be a significant project for most enterprises. The good news is the initial heavy lift to do so will not be required again on the same scale. However, to keep the cloud environment healthy and cost-effective long term, it is important to have cloud data hygiene processes in place.

Ensure you have a proper data lifecycle process. Without it, the good work done initially will become ineffective and expensive over time, with the business paying to store and protect the wrong data in the wrong ways. Data needs to be on the right storage platform in the cloud – and this will change during its lifecycle. For example, it might move from block resource to object storage to archive storage. The costs associated with these are variable, so make sure you are not storing (or backing up) data in inefficient ways.

This is one small part of avoiding eventual ‘bill shock’ for cloud computing and storage costs. Beyond simple data, costs are API costs, data egress (transfer) and more. I always recommend enterprises have an established ‘cloud economic model’ that they follow to prevent costs from piling up and to ensure spending matches expectations. To use a real-life analogy, if you leave a light on or forget to cancel a subscription you no longer use, your monthly bills will be higher than expected. If this happens across an enterprise cloud environment, the total tally can be eye-watering.

As enterprises' (and the world’s) amount of stored data continues to grow over the next five years, the cloud is going to be a vital piece of the puzzle in managing this. Enterprises need to look beyond just storing and protecting their data, and look at ways to utilise it and unlock value for their business and their customers. Doing this requires re-factoring for greater agility, but this will also mean the business is prepared for the ‘whatever’. Cloud computing is nothing if not dynamic, and will continue to evolve, with best practise bound to change. If enterprises become data-centric now, on both the cloud and on-premises, they will be ready for whatever the future throws their way.

Share this article:

Further reading: