According to RH-ISAC’s 2021 CISO Benchmark Report, nearly 80% of CISOs anticipated a hybrid work environment in 2022. With the need for reliable access to company resources from any location, on any device, more and more companies are turning to the cloud for software-as-a-service offerings, as well as the infrastructure to host their data and applications. While adoption of the cloud can provide considerable benefits, it has also made securing data more difficult due to misconfigurations, misunderstanding of shared responsibility between the company and the cloud service provider, and lack of visibility across the expanded attack surface. According to Tenable, 80% of security leaders believe moving business-critical functions to the cloud elevated their risk.
Protecting your data in the cloud is an important part of avoiding a ransomware attack or data leak, but it is also a matter of compliance, particularly for businesses processing and storing payments or personally identifiable information (PII). Businesses that misconfigure their clouds and expose sensitive data can be subject to fines and lawsuits through privacy laws such as the European Union’s GDPR and California’s California Consumer Privacy Act, on top of all of the rest of the fallout from a data leak.
Here are some data protection best practices that you can use to secure your data for cloud compliance.
Encrypting Your Data in the Cloud
While GDPR does not explicitly mandate that data must be encrypted, it does require that organizations storing EU customer data “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.” In addition, one of the examples provided for an appropriate technical measure is the “pseudonymisation and encryption of personal data,” so it can be safely said that encryption is at least recommended as a method for compliance with privacy law. Whether or not it is by law technically required, encryption is absolutely essential for good cloud security. Deciding how to encrypt your cloud data is a little more complicated.
In a public cloud, the cloud service provider will almost certainly offer some type of encryption, but it is important to know how that encryption works and who is responsible for things like managing the keys. Standard cloud encryption provided by the cloud service provider is server-side encryption, which means that the data is encrypted after it is received by the CSP, but before it is written to the disk and stored. The CSP manages the key for this encryption.
You can also choose to implement client-side encryption, which means that you encrypt the data before sending it to the cloud service provider. This is a good option if you want to have control over the management of your encryption, you just have to ensure that you have the tools to manage it. The CSP doesn’t have this key and won’t be held responsible if you lose access to it. It is important to have a policy for backing up your keys to avoid this situation. Additionally, according to Zscaler’s 2021 State of Cloud (In)Security Report, 56% of organizations were found to not be periodically rotating their keys. You should have a policy in place to rotate access keys, like you would a password policy, to reduce the likelihood that a leaked key will lead to data loss.
Whatever solution you use for encryption — whether provided by the CSP or a separate tool that you’ve selected through an outside vendor — should be able to provide both encryption of data while in transit as well as at rest. You will also want the ability to encrypt some data without being enforced to encrypt all data. Only sensitive data, such as customer information or company proprietary data, needs to be encrypted. You may have low-risk files that don’t require encryption, which could cut down on your costs.
Another important aspect of your data management strategy is visibility of your data. Modern data privacy laws require you to be able to delete data upon request, which involves being able to locate all places where that data resides. This is easier said than done in a cloud environment, particularly as the use of SaaS applications expands.
According to Palo Alto Networks, organizations on average are using 288 Software-as-a-Service applications. On top of that, many organizations are using more than one platform-as-a-service or infrastructure-as-a-service provider, in addition to on-premises environments. Locating all of the places where data is stored, across all of your cloud environments, can pose a challenge if you are not employing tools that provide a comprehensive view of your application access. Creating and maintaining a data inventory and mapping the flow of data in your cloud will help you be prepared to respond to a data request.
If you have data that is being stored and processed in SaaS applications, it is a good idea to have a data processing agreement to make sure that the SaaS provider is only collecting the information necessary for functioning of the app and that they’re not using the data for any other purposes. This will ensure that you’re not accidently at risk from behavior of your third parties.
Finally, while you want visibility into who is accessing what, you don’t want all employees being able to access restricted data. Implementing identity and access management best practices such as least privilege and zero trust, will limit who on your staff has access to customer data, which will also limit your regulatory liability.
Data Storage Location
The location of the infrastructure, of the service provider you’ve selected, will also impact what regulations you will be subject to. If the servers your data is stored on are located in California, you will need to ensure that any data stored in that cloud is in compliance with California’s Consumer Privacy Act. Data privacy laws are becoming more widespread with more and more American states, in addition to the EU, adopting them, so it is generally recommended that you consider these laws regardless of server location, but it is still important to be familiar with the ones pertinent to your location as these are the most likely to show up in your compliance checks and audits.
RH-ISAC members have exclusive access to RH-ISAC’s member community, Member Exchange, where you can post questions and get advice from fellow security professionals. Check out this RFI on cloud storage. Not a member? Learn how RH-ISAC membership can benefit you.