Cloud computing has been around for several years, and organizations are increasingly adopting it as a platform for storing data and hosting critical applications. The high levels of availability, flexibility, and scalability that the cloud offers make it an ideal choice for many business cases.
However, one challenge that many organizations have not yet overcome is the problem of storing data securely in cloud environments. Due to a number of different factors, businesses struggle to properly secure cloud-based resources, and data breaches involving the cloud are still a common occurrence.
Data Security Challenges in the Cloud
Cloud environments are very different from on-premises data centers. These differences create a number of distinct challenges for organizations attempting to store and secure data in the cloud.
Publicly Accessible Resources
Many organizations are accustomed to securing on-premises deployments. In these environments, all of the organization’s endpoints and network infrastructure are under its control and behind a defined network perimeter (typically the connection between the company network and the Internet).
This enables these organizations to adopt a perimeter-based approach to security. Cybersecurity monitoring and threat detection solutions can be deployed at the network boundary and inspect all of the traffic entering and leaving the organization’s network. Since a high percentage of cyber threats originate from outside the corporate network, this approach reduces an organization’s cyber risk considerably, although it does little against an attacker who is already inside the perimeter or against resources that sit outside it.
The cloud represents a completely different operating environment. Cloud-based resources are hosted on infrastructure the organization does not own, and storage buckets, databases and management APIs are reachable from the public Internet by default, so there is no single boundary at which perimeter monitoring can be placed. A single permissive access policy or leaked credential exposes the resource directly to attackers, who can then read and exfiltrate the data it contains.
Integrated Collaboration Tools
One of the primary selling points of the cloud is its built-in, robust support for collaboration. Files and folders stored in cloud environments, such as Google Drive and Dropbox, can be easily shared among different team members. In fact, these platforms often offer a number of sharing options. The owner of the content can either explicitly invite others to access their resources or create a sharing link that they can share to grant access.
The problem with this link-based sharing is that the link is the only credential: anyone who knows the URL can access the shared resource. This includes the intended recipients, but it also includes anyone to whom the link is forwarded, anyone with access to a recipient’s email account, and anyone who discovers the URL after it is posted somewhere that a search engine indexes or leaks through logs or referrer headers, which is what tools that scan the Internet for sharing URLs rely on. As a result, a large amount of sensitive data stored in the cloud is breached through the insecure use of collaboration tools.
Cloud Shared Responsibility Model
One of the biggest challenges that organizations face when attempting to secure their cloud deployments is understanding what their security responsibilities are in the cloud. Since an organization is leasing only part of their infrastructure stack, with the rest being the responsibility of their cloud service provider (CSP), security duties in the cloud can be unclear.
CSPs have published shared cloud responsibility models, which outline the breakdown of these responsibilities, but many organizations struggle to understand them. In fact, almost three-quarters of security professionals have at least some trouble with the model. These misunderstandings can easily result in gaps in cybersecurity monitoring and protection that leave sensitive data exposed to breach.
Architectural Fragmentation
The cloud shared responsibility model and the fact that an organization does not own the infrastructure that it is using means that many security professionals must use CSP-provided configuration settings to secure their cloud deployments. While these security settings and tools are largely well-documented, an organization’s security team must become very familiar with the details of how their cloud environment works to ensure that data is appropriately protected.
This becomes a challenge when organizations have multiple cloud deployments, which is true of the vast majority. Each cloud platform operated by a different CSP is designed to work in different ways and has its own built-in configurations and controls that an organization must set appropriately in order to protect the sensitive data and applications hosted on these systems.
The distribution of an organization’s network infrastructure over multiple cloud platforms makes it difficult to maintain consistent visibility and enforce a unified security policy across the company’s entire network environment. As a result, the probability that sensitive data will be exposed by misconfigured permissions or that a cybercriminal will gain access to a cloud-based resource undetected increases significantly as organizations deploy multiple public and private clouds.
Protecting Sensitive Data in the Cloud
Organizations face these challenges whenever they attempt to secure sensitive data stored in the cloud. Yet many of them continue to add such data to their cloud deployments without adequately protecting it.
With all of the various ways that a cloud database could be exposed to a cybercriminal, data should be stored encrypted at all times. However, almost half (43%) of cloud databases are unencrypted, meaning that anyone who manages to reach the underlying storage, a snapshot or a backup can read the data directly. Encryption at rest is not a substitute for access control: the service decrypts data for any authorized reader, so a database that is encrypted but reachable through an overly permissive policy or a stolen credential is still exposed.
Organizations storing sensitive data in the cloud should deploy security solutions capable of protecting it at all times. Without the ability to identify every repository of sensitive data and to monitor and control access to it, an organization could suffer a breach of sensitive data without even being aware of the fact.
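The two exposure paths this page discusses, resources reachable by an anonymous principal and datastores that are not encrypted at rest, can both be checked mechanically. The following is an added example written for this page, not code from the original article or from any cloud provider. It audits a constructed inventory of datastores; the inventory shape, the field names `encrypted_at_rest` and `kms_key`, and the list of scoping condition keys are assumptions made for the example, loosely modelled on IAM-style policy documents rather than any provider’s real API output. It also encodes the caveat above: a public grant is rated above missing encryption because encryption at rest does not mitigate it.

```python
"""Offline audit of a constructed cloud datastore inventory.

Checks two exposure paths: access policies granting an anonymous principal
access, and datastores not encrypted at rest. Inventory shape and field
names are assumptions for this example, not a provider's real API output.
"""
import fnmatch

# Condition keys that bound a wildcard principal to a network or organisation.
# Assumption: a grant carrying one of these is treated as not public.
SCOPING_CONDITION_KEYS = {
    "aws:SourceVpc", "aws:SourceVpce", "aws:PrincipalOrgID", "aws:SourceIp",
}

def principal_is_anonymous(principal):
    """True for both spellings of the anonymous principal: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def statement_is_scoped(statement):
    """True if a Condition narrows the statement to a trusted set of callers."""
    for keys in statement.get("Condition", {}).values():
        if any(key in SCOPING_CONDITION_KEYS for key in keys):
            return True
    return False

def public_actions(policy_doc):
    """Return the actions an unauthenticated caller is allowed by the policy.

    Allow + anonymous principal + no scoping condition is a public grant. An
    unconditional Deny on the anonymous principal removes matching actions
    again (explicit deny wins). A conditional Deny, such as the common
    "deny unless TLS" statement, grants nothing and is ignored.
    """
    allowed, denied = set(), set()
    for st in policy_doc.get("Statement", []):
        if not principal_is_anonymous(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and not statement_is_scoped(st):
            allowed.update(actions)
        elif st.get("Effect") == "Deny" and "Condition" not in st:
            denied.update(actions)
    return sorted(a for a in allowed
                  if not any(fnmatch.fnmatch(a, d) for d in denied))

def encryption_state(resource):
    """Classify encryption at rest from the assumed inventory fields."""
    if not resource.get("encrypted_at_rest"):
        return "unencrypted"
    if resource.get("kms_key") in (None, "provider-default"):
        return "provider-managed-key"
    return "customer-managed-key"

def audit(inventory):
    """Produce findings. Public access outranks missing encryption: the
    service decrypts for any authorised reader, and a public policy makes
    everyone an authorised reader, so encryption at rest does not help."""
    findings = []
    for res in inventory:
        public = public_actions(res.get("policy", {}))
        if public:
            findings.append({"resource": res["name"], "severity": "CRITICAL",
                             "issue": "anonymous access: " + ", ".join(public)})
        if encryption_state(res) == "unencrypted":
            findings.append({"resource": res["name"], "severity": "HIGH",
                             "issue": "not encrypted at rest"})
    return findings

# Constructed sample inventory (not real resources or key identifiers).
INVENTORY = [
    {"name": "analytics-exports", "encrypted_at_rest": True,
     "kms_key": "provider-default",
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": "*",
          "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}},
    {"name": "customer-uploads", "encrypted_at_rest": False, "kms_key": None,
     "policy": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
          "Resource": "*",
          "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-example"}}}]}},
    {"name": "billing-archive", "encrypted_at_rest": True,
     "kms_key": "example-customer-key",
     "policy": {"Statement": [
         {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
          "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}},
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['severity']:8} {f['resource']}: {f['issue']}")
```

Run as a script, the sample inventory yields one CRITICAL finding for the bucket with an unconditional wildcard grant and one HIGH finding for the unencrypted datastore; the VPC-scoped grant and the TLS-enforcement Deny produce nothing. In a real deployment the inventory would be populated from the provider’s configuration APIs, and the scoping-key list would need to be reviewed against that provider’s condition semantics, since a condition that merely looks restrictive (for example, a broad IP range) does not make a grant private.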