Cloud Data Protection: Key Steps to Securing Your Business
It’s clear that using the cloud for data storage can increase efficiency and lower IT costs for organizations. What’s less clear is which methods of cloud data protection work best. In this article, discover how a dynamic cyber resilience strategy, one tailored to your organization, can help protect your cloud data from ever-changing cyber threats.
Understanding cloud data protection
What is cloud data security? The simple answer is that cloud data security is a collection of policies, procedures, and technologies that defend your cloud-hosted data from breach, exfiltration, and compromise, such as ransomware. The resulting controls and countermeasures are intended to keep malicious actors away from cloud data. They also render the data unusable to an attacker who does gain access to it, and they enable rapid recovery if it is breached.
The importance of protecting your cloud data
Cloud data protection is about more than securing data—it’s about protecting your business. Your company cannot function without its data. If a malicious actor can destroy your data in the cloud, they can wreak havoc on your business. If you do suffer a breach, which is a common enough occurrence, effective cloud data protection and cyber resilience strategies will help you recover.
Key components of cloud data protection
There are five key components of an effective cloud data protection strategy:
Encryption — Renders data useless to attackers and meaningless if exfiltrated.
Access control — Ensures only those with access privileges can view or modify cloud data.
Data backup and recovery — Creates copies of cloud data so it can be restored in the event of a breach.
Compliance — Follows laws and regulations that require companies to protect certain kinds of data in the cloud, such as health records, credit card numbers, and personally identifiable information (PII).
Monitoring and auditing — Tracks access requests, downloads, and so forth to recognize indicators of threats or attacks.
Assessing cloud security threats
Data in the cloud is vulnerable to most of the same threats that affect data on-premises, with a few differences. For one thing, cloud providers operate under a “shared responsibility model.” The cloud provider is responsible for securing its infrastructure, while the customer is responsible for access controls, data security, patch management, and so forth. The specifics of who covers what depend in part on what kind of cloud service you have. Infrastructure as a service (IaaS) places different security responsibilities on the customer than platform as a service (PaaS), for example.
The shared responsibility model makes sense, but it can result in uncertainty about who is on task for a given security job, such as patching a cloud-based operating system. Attackers can exploit these grey areas to their advantage.
Common vulnerabilities in cloud storage include:
Data Breaches — Data stored in the cloud is vulnerable to breach, exfiltration, and unauthorized alteration. Examples abound, but the 2019 Capital One breach still stands out as one of the worst. This incident leaked data stored on Amazon Web Services (AWS) from over 100 million customer accounts, including names, addresses, and credit scores.
Insider Threats — This topic can make us feel uncomfortable. We like to think we can trust our fellow employees, but insider threats are real. For any number of reasons, from disgruntlement to greed, insiders may decide to attack cloud-based digital assets. The Capital One breach was perpetrated by an insider, for example. And, because insiders usually have access privileges, it can be extremely difficult to detect the attack while it’s underway. There is also the risk of accidental insider threats. A user, such as a developer, might store corporate data in the cloud and mistakenly neglect to configure the cloud volume according to the company’s security policies—rendering it vulnerable to breach.
Data Loss — Data hosted in the cloud may be vulnerable to loss in extreme circumstances. On-premises data is similarly exposed, but deficient monitoring of cloud platforms may make the attack easier in the cloud. Ransomware, for example, is a serious threat vector affecting cloud data. Invictus, the incident response provider, recently published a cloud ransomware case study based on an actual incident. They show how the attacker used an accidentally exposed long-term credential to gain access to a cloud server. The attacker was then able to spend a long period of time in reconnaissance mode before encrypting the target’s data and demanding a ransom.
Compliance and legal considerations
Compliance can be challenging in the cloud. For instance, some compliance regimes specify strict access controls. If your access control solution doesn’t extend coherently or completely to the cloud, you could find yourself out of compliance. Regulations like the General Data Protection Regulation (GDPR) are another example: GDPR’s “right to be forgotten” obligates you to find and erase all references to a consumer upon request, and you can be penalized if you neglect to delete the records held on a backup volume. Data sovereignty can also be an issue. In Europe, for example, you may be prohibited from storing PII from citizens of one EU country in another country. Cloud platforms often span data centers in multiple countries, so unless you configure your geographic storage placement carefully, you can run afoul of regulations.
Key strategies and best practices for cloud data protection
The cloud is mature enough that cloud managers and their partners in security have developed strategies and best practices for cloud data protection. In many cases, getting to best practices will mean revising existing plans and procedures, rather than creating new ones.
Develop a comprehensive cloud security policy
Chances are, you already have some sort of cloud security policy. It’s a good idea to revisit it, though, and explore how thoroughly it covers cloud data protection. You want a comprehensive cloud security policy. The key word here is comprehensive. The policy(ies) should cover every aspect of cloud security, from access controls to data protection.
It’s also a good idea, as part of the process of developing a comprehensive cloud security policy, to undertake a discovery process to be sure you know where all your cloud data lives. The flexibility of the cloud, an environment where employees can spin up data storage instances in minutes, often leads to data being parked in places where no one expects it to be. There are several tools that can expedite this discovery process.
Implement strong access control measures
Protecting cloud data becomes easier when you control who has access to that data. This process can be harder than it sounds, because cloud access controls can be uneven if you don’t have the right tools. For example, you want your identity and access management (IAM) solution to cover all cloud assets. Adopting single sign-on (SSO) can be a good move in this regard, too. Furthermore, the way you configure those access controls makes a big difference. It’s good practice to use strong authentication, such as multifactor authentication, along with strong passwords.
Encrypt all cloud data
It’s a best practice to encrypt all data in the cloud, in all states. The major cloud platforms provide the tools to accomplish most aspects of this goal. For example, the Microsoft Azure cloud has its Storage Service Encryption for data at rest. Azure Disk Encryption protects data in Windows and Linux virtual machines (VMs) using AES-256 encryption. AWS, Google Cloud Platform, and Azure all offer services that enable the encryption of data in transit as well. Backed-up data must also be encrypted.
Wasabi supports server-side encryption in transit and at rest with customer-provided encryption keys (SSE-C). Wasabi manages the encryption as it writes to disk and the decryption when you access your objects. In this way, you don’t need to maintain any code; you just need to manage your own encryption keys.
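To make the “you manage your own keys” part concrete, here is an added example (not Wasabi’s or AWS’s own code) that builds the request headers an S3-style SSE-C request carries and checks a key from your vault against the key checksum an object was stored with. It assumes Wasabi’s S3-compatible API uses the standard S3 SSE-C header names; the key material is constructed for the demo.

```python
"""SSE-C key handling helpers (added example, not vendor code).

With SSE-C the storage service never keeps your key: the client sends the
raw key (base64) plus an MD5 checksum of it on every PUT and GET, and the
service discards the key after use. Losing the key means losing the data,
so key storage and rotation are entirely the customer's job.
Assumption: the S3 SSE-C header names below apply to Wasabi's S3 API.
"""
import base64
import hashlib
import hmac
import secrets

SSE_C_ALGORITHM = "AES256"          # the only algorithm S3 SSE-C accepts
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"
ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def generate_customer_key() -> bytes:
    """Return a fresh 256-bit key. Store it in a vault/KMS, never in code."""
    return secrets.token_bytes(32)


def key_fingerprint(key: bytes) -> str:
    """base64(MD5(key)): the checksum the service echoes back on HEAD/GET."""
    return base64.b64encode(hashlib.md5(key).digest()).decode("ascii")


def sse_c_headers(key: bytes) -> dict:
    """Headers that must accompany every PUT/GET of an SSE-C object.

    The key itself travels in the request, so SSE-C is only safe over TLS.
    The MD5 lets the service reject a corrupted key before using it.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        ALGO_HEADER: SSE_C_ALGORITHM,
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        KEY_MD5_HEADER: key_fingerprint(key),
    }


def key_matches_object(candidate_key: bytes, object_headers: dict) -> bool:
    """True if candidate_key is the key an object was written with.

    object_headers is the header dict from a HEAD/GET response; comparing
    fingerprints locally before a GET avoids a 403 for every wrong key
    when auditing which vault key protects which object during rotation.
    """
    stored = object_headers.get(KEY_MD5_HEADER, "")
    return hmac.compare_digest(key_fingerprint(candidate_key), stored)
```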
Define and execute regular data backup and recovery plans
Robust data backup and recovery capabilities are essential for protecting cloud data. You probably already have some form of cloud backup and recovery. It’s worth digging into what you have, though, to see if it’s really doing its job. Testing recovery is essential, as is making sure that backed-up data volumes are protected from ransomware. Attackers are often quite diligent and will take the time to scout your networks so they can encrypt your backed-up data too, depriving you of a way to avoid paying their ransom.
One way to mitigate this type of risk with a cloud backup solution is to implement immutable backups, which are possible with Wasabi’s S3 Object Lock. An immutable backup makes it impossible for an attacker, or anyone else without permission, to modify or delete the backed-up data before its retention period expires. It creates the equivalent of an air gap that isolates data from threats. A ransomware attack will fail against an immutable backup because the ransomware will be unable to encrypt or delete the data.
Train employees on cloud security
Employee training provides another layer of cyber defense for cloud data protection. It cannot be relied upon 100% because people are fallible, but security training helps avert many of the worst-case outcomes. People, after all, are often the primary targets of cyber-attacks, such as phishing and email-borne malware. If people can learn to avoid clicking on suspicious links or downloading files from unknown contacts, that will reduce risk exposure in the cloud.
Choosing the right cloud service provider
The major cloud platforms all offer security features, so they provide at least some cloud data protection. You will want to evaluate these security measures carefully. This process is variable, but the main idea is to look for alignment between what they offer and your existing security toolset and policies. If adopting the cloud platform means changing a lot of what you’re doing in terms of security, that’s probably not an optimal move.
You might want to back up your data to a dedicated cloud storage provider in addition to whatever IaaS and PaaS platforms you use. Wasabi cloud object storage, for example, offers high-performing immutable storage on a pay-as-you-go basis or by reserved capacity. With its low per-terabyte cost and a cloud storage pricing model with no fees for egress or API requests, Wasabi compares favorably with the cloud storage options you get with the major players.
Additionally, the right cloud service provider, for the purpose of data protection, will be one that integrates with a broad range of compatible security add-ons. No single cloud platform can do it all, especially regarding cyber resilience solution(s). Third-party technologies are essential, such as a cloud storage service that integrates with popular backup tools.
Advanced cloud protection technologies
Advances in technology are having a positive impact on cloud data protection, though some of the capabilities are still quite early in their lifecycles. Artificial intelligence (AI) and machine learning (ML) have the potential to improve threat detection. AI-driven cloud security solutions can use pattern recognition and other techniques to spot anomalies in cloud data storage that suggest the presence of a threat or the start of an attack, before a human observer could see them. AI can also be useful in enriching security alerts, for example by instantly researching a threat and attaching detail to its description so that a security analyst has more information to work with when mitigating it.
Overcoming cloud data protection challenges
Cloud data protection comes with its share of challenges, even if you follow best practices. By nature, the cloud is dynamic. Your cloud deployments will inevitably evolve. Your data will move around, sometimes without you even knowing it. If you are dealing with a multicloud environment, it’s even more complex and challenging.
Multicloud and hybrid-cloud environments are common, and while they enable a lot of helpful flexibility for business, they make it hard to stay on top of data security and privacy, among other issues. Who can see what? That’s hard enough when you have your data on one cloud platform. If a user has access to data and apps on three platforms, you need specialized tooling to keep up with security and data management tasks. If you can’t do that, you run the risk of violating privacy regulations.
If you are managing multiple clouds for multiple clients, which is routine for managed service providers (MSPs), the work is even more difficult. The Wasabi Account Control Manager can be helpful in this regard. It enables MSP cloud admins to manage cloud storage for multiple clients across multiple layers. Wasabi Account Control Manager ultimately simplifies account management on a massive scale, bringing cloud storage cost transparency to large enterprises.
You have data in the cloud. It needs protection. These simple facts translate into a host of cloud data protection requirements and challenges. A variety of threats, some quite serious, can put your cloud-based data at risk. Recommended best practices to protect your data from those threats include countermeasures like access controls, encryption, and backup. To be effective, though, you must go beyond the basics in each of these areas. Immutable backups, for example, offer true data protection in the cloud by making it impossible for a ransomware attacker to encrypt your data. As these factors come together, you will become more confident that you’re doing what it takes to protect your cloud data from malicious actors.