Data breaches in the cloud consistently make news headlines. Yet the breach stories are often vague: a "misconfigured database," "an open resource," or mismanagement by an unnamed "third party." The ambiguity that surrounds these breaches can make securing enterprises in the cloud seem riskier than it actually is.
In nearly all cases we hear about in the news, it is not the cloud provider that is at fault but the organization using the cloud, which failed to manage the controls that protect its data. According to Gartner, through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
Implementing controls around what has access to data has become fundamental to any data security and compliance program. Although each unique cloud provider delivers services and APIs to manage identity and access to information for their stack, they are not standardized across all the public cloud stacks available, do not address third-party data stores, and often require the use of low-level tools and APIs. I believe – as do many experts – that strong cloud security centers on common buy-in to the identity and data approach.
Here are six steps security teams can take to protect cloud data:
- Integrate data security into an SDLC approach.
An SDLC approach lets enterprises continuously discover, manage and monitor the activity of every unique person and non-person identity operating in their clouds, and ensures that security and infrastructure teams are alerted to areas of unexpected or excessive risk. Critical aspects of a lifecycle approach include the ability to: discover risk by uncovering who (people and non-person identities) is doing what (access/actions), where (resources), and when (context) across the public cloud infrastructure; classify and manage risk down to least privilege by ensuring identities have the fewest permissions needed to perform daily tasks, and no more; monitor risk by continuously tracking changes in identity activity (context/behavior) and prioritizing alerts based on defined risk criteria; and protect data and access by using behavioral controls to detect and prevent theft, misconfigurations, and other risks.
- Discover the company’s risk.
Hybrid and multi-cloud environments require a solution that can abstract, collect, normalize, and present historical identity activity in a single, unified, consumable format. Only with this clarity and insight can organizations begin to understand and mitigate the risk that over-permissioned identities pose.
An identity and data solution should reduce risk, ensure compliance and increase operational efficiencies through the following: risk and security monitoring; compliance enforcement; drift detection; DevSecOps multi-cloud efficiency; and misconfiguration prevention.
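The "abstract, collect, normalize" step above is easiest to see with two records side by side. The following is an added example, not code from the article or from Sonrai Security: it maps a simplified AWS CloudTrail-style event and a simplified GCP Cloud Audit Log-style entry onto one (who, what, where, when) schema, then builds the "who is doing what, where" view from the result. The two input records are constructed samples, and the field layouts are an assumption about those formats (only the fields used here are included); a real collector would also handle Azure and third-party stores through additional normalizers registered the same way.

```python
"""Normalize identity-activity records from two cloud providers into one
(who, what, where, when) schema.

Added example, not from the article or Sonrai Security. The two input records
below are constructed samples shaped like simplified AWS CloudTrail and GCP
Cloud Audit Log entries; only the fields used here are included, and the
shapes are an assumption about those formats, not a full specification.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Activity:
    provider: str    # "aws" or "gcp"
    account: str     # AWS account id or GCP project id
    identity: str    # who: the principal performing the action
    action: str      # what: normalized "<service>:<operation>"
    resource: str    # where: the target resource
    when: datetime   # when: timezone-aware UTC timestamp


def _parse_iso(ts: str) -> datetime:
    # Both providers emit ISO-8601 with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize_aws(event: Dict[str, Any]) -> Activity:
    # CloudTrail: service lives in eventSource ("s3.amazonaws.com"), operation in eventName.
    service = event["eventSource"].split(".")[0]
    resources = event.get("resources") or [{}]
    return Activity(
        provider="aws",
        account=event["recipientAccountId"],
        identity=event["userIdentity"]["arn"],
        action=f"{service}:{event['eventName']}",
        resource=resources[0].get("ARN", "unknown"),
        when=_parse_iso(event["eventTime"]),
    )


def normalize_gcp(entry: Dict[str, Any]) -> Activity:
    # Cloud Audit Log: principalEmail is the identity, methodName is "service.kind.verb".
    payload = entry["protoPayload"]
    service = payload["serviceName"].split(".")[0]
    return Activity(
        provider="gcp",
        account=entry["resource"]["labels"]["project_id"],
        identity=payload["authenticationInfo"]["principalEmail"],
        action=f"{service}:{payload['methodName']}",
        resource=payload["resourceName"],
        when=_parse_iso(entry["timestamp"]),
    )


# Registry of per-provider normalizers; add "azure" here when a normalizer exists.
NORMALIZERS = {"aws": normalize_aws, "gcp": normalize_gcp}


def normalize_all(raw: List[Tuple[str, Dict[str, Any]]]) -> List[Activity]:
    """Route each (provider, record) pair to its normalizer; records from a provider
    without a normalizer are skipped rather than mislabelled. Output is time-ordered."""
    out: List[Activity] = []
    for provider, record in raw:
        fn = NORMALIZERS.get(provider)
        if fn is None:
            continue
        out.append(fn(record))
    return sorted(out, key=lambda a: a.when)


def activity_by_identity(acts: List[Activity]) -> Dict[str, Dict[str, Set[str]]]:
    """The 'who is doing what, where' view: identity -> action -> resources touched."""
    view: Dict[str, Dict[str, Set[str]]] = {}
    for a in acts:
        view.setdefault(a.identity, {}).setdefault(a.action, set()).add(a.resource)
    return view


# Constructed sample input (not real log data).
SAMPLE_RAW: List[Tuple[str, Dict[str, Any]]] = [
    ("aws", {
        "eventTime": "2024-03-01T10:15:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "recipientAccountId": "111122223333",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "resources": [{"ARN": "arn:aws:s3:::example-bucket/report.csv"}],
    }),
    ("gcp", {
        "timestamp": "2024-03-01T10:20:00Z",
        "resource": {"labels": {"project_id": "example-project"}},
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/example-bucket/objects/report.csv",
            "authenticationInfo": {"principalEmail": "svc-etl@example-project.iam.gserviceaccount.com"},
        },
    }),
]

if __name__ == "__main__":
    for identity, actions in activity_by_identity(normalize_all(SAMPLE_RAW)).items():
        print(identity, {action: sorted(res) for action, res in actions.items()})
```

The point of the registry is that the analysis code downstream (least-privilege comparison, dormancy checks, alerting) only ever sees `Activity` records, so adding a provider is a new normalizer, not a change to every consumer.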
- Classify and manage risk.
The company's identity and data security should provide context by combining visibility into current and historical activity data with simple remediation or prevention options. Because provider-native identity and access services are not standardized across cloud stacks, do not address third-party data stores, and often require low-level tools and APIs, an identity and data platform should resolve this problem through normalized views and control of cloud identity and data access.
The platform must manage controls that account for the disparities among cloud service providers in how risks created by identities and excessive permissions are managed, since this varies from provider to provider. For example, organizations should have the option either to create custom least-privilege roles based on the historical activity of one or more identities, or to remove unused or dormant permissions directly from a high-risk identity.
It is critical to automate remediation and prevention. This automation should continuously maintain least-privilege policies and controls across the enterprise's environment without reducing the productivity of the security, cloud, and development teams. For example, identities that have been dormant for more than 90 days would be removed automatically when found.
- Audit and monitor risk.
To maintain control and security within and across clouds, enterprises need consistent and continuous up-to-the-minute information. But in a public cloud environment, there are often tens of thousands of identities active at any one time, accessing tens of thousands of resources. Ephemeral identities and data create a complex environment that is nearly impossible to monitor without robust capabilities for continuous auditing of the activity patterns of all unique identities across the cloud environments.
Enterprises should continuously monitor their cloud infrastructures from a multi-dimensional perspective. For example, monitoring activity through the "identity lens" helps security and cloud infrastructure teams track changes based on each identity's activity profile and quickly ascertain which permissions have been used, which have not, which resources identities have accessed over time, and what types of actions they performed on those resources.
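The "identity lens" described here and the remediation rules in the previous section (derive a custom least-privilege role from historical activity, strip unused permissions from high-risk identities, remove identities dormant for more than 90 days) are the same computation: join the permission inventory with observed activity. The following is an added example, not code from the article or from Sonrai Security, that performs that join over already-normalized events. The granted-permission inventory, the activity events and the list of actions treated as sensitive are constructed samples; the 90-day threshold is the figure the article gives.

```python
"""Least-privilege analysis over normalized identity activity.

Added example; not code from the article or from Sonrai Security. The granted
permissions, the activity events and the list of sensitive actions are all
constructed samples. Events are assumed to be already normalized to
(identity, action, timestamp). The 90-day dormancy threshold is the figure
the article gives.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

DORMANT_AFTER = timedelta(days=90)

# Constructed list: permissions treated as high-risk when granted but never used.
SENSITIVE_ACTIONS = {"iam:PassRole", "s3:DeleteBucket", "kms:ScheduleKeyDeletion"}


@dataclass(frozen=True)
class Event:
    identity: str
    action: str      # "<service>:<operation>", e.g. "s3:GetObject"
    when: datetime   # timezone-aware


@dataclass
class IdentityReport:
    identity: str
    granted: Set[str]
    used: Set[str]
    last_seen: Optional[datetime]
    dormant: bool

    @property
    def unused(self) -> Set[str]:
        """Permissions granted but never exercised in the observed window."""
        return self.granted - self.used

    @property
    def risky_unused(self) -> Set[str]:
        return self.unused & SENSITIVE_ACTIONS


def analyze(granted: Dict[str, Set[str]], events: List[Event], now: datetime) -> Dict[str, IdentityReport]:
    """Join the permission inventory with observed activity: one report per identity."""
    used: Dict[str, Set[str]] = defaultdict(set)
    last_seen: Dict[str, datetime] = {}
    for ev in events:
        used[ev.identity].add(ev.action)
        if ev.identity not in last_seen or ev.when > last_seen[ev.identity]:
            last_seen[ev.identity] = ev.when
    reports: Dict[str, IdentityReport] = {}
    for identity, perms in granted.items():
        seen = last_seen.get(identity)
        # An identity with no activity at all is dormant, not "unknown".
        dormant = seen is None or (now - seen) > DORMANT_AFTER
        reports[identity] = IdentityReport(identity, set(perms), set(used.get(identity, set())), seen, dormant)
    return reports


def least_privilege_policy(report: IdentityReport) -> Set[str]:
    """Custom role derived from history: only the granted permissions actually used."""
    return report.used & report.granted


def prioritized(reports: Dict[str, IdentityReport]) -> List[str]:
    """Dormant identities first, then by count of risky unused permissions, then total unused."""
    return sorted(
        reports,
        key=lambda i: (reports[i].dormant, len(reports[i].risky_unused), len(reports[i].unused)),
        reverse=True,
    )


def remediation_plan(reports: Dict[str, IdentityReport]) -> Dict[str, str]:
    """Map each identity to the action the article's automation would take."""
    plan: Dict[str, str] = {}
    for identity, r in reports.items():
        if r.dormant:
            seen = r.last_seen.date().isoformat() if r.last_seen else "never"
            plan[identity] = f"remove identity (last seen: {seen})"
        elif r.unused:
            plan[identity] = "revoke: " + ", ".join(sorted(r.unused))
        else:
            plan[identity] = "no change"
    return plan


# Constructed sample data (not real inventory or log data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GRANTED: Dict[str, Set[str]] = {
    "alice": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
    "build-bot": {"ec2:DescribeInstances", "ec2:RunInstances"},
    "old-contractor": {"s3:GetObject", "kms:ScheduleKeyDeletion"},
    "svc-never-used": {"s3:GetObject"},
}
EVENTS: List[Event] = [
    Event("alice", "s3:GetObject", datetime(2024, 5, 28, tzinfo=timezone.utc)),
    Event("alice", "s3:PutObject", datetime(2024, 5, 20, tzinfo=timezone.utc)),
    Event("build-bot", "ec2:DescribeInstances", datetime(2024, 5, 30, tzinfo=timezone.utc)),
    Event("old-contractor", "s3:GetObject", datetime(2024, 1, 15, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    reports = analyze(GRANTED, EVENTS, NOW)
    plan = remediation_plan(reports)
    for identity in prioritized(reports):
        r = reports[identity]
        print(f"{identity}: dormant={r.dormant} unused={sorted(r.unused)} plan={plan[identity]}")
```

Two design points worth noting: the observation window has to be long enough to cover infrequent but legitimate tasks (a quarterly job will look "unused" in a 30-day window), and dormancy is decided on the most recent event per identity, so a single successful login by a compromised dormant account resets the clock, which is exactly why dormant identities are removed rather than merely watched.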
- Protect data from risk.
The company's cloud security platform should normalize data with centralized analytics and views across hundreds of AWS or GCP accounts and Azure subscriptions/resource groups to streamline governance for DevOps and security teams. Its operational capabilities should be built on trust models of all activity and relationships across cloud vendors, accounts, and third-party data stores, and every view should pivot on cloud provider, country, cloud account, application, or data store to offer deeper context.
- Find the right tool.
Organizations are often challenged to share sensitive data appropriately, without compromise or incident. Implementing controls around what has access to data is fundamental to any data security and compliance program.
Finding the right tools to meet the company's SDLC approach and security standards should be easy for those who know what they are looking for in a cloud security program. Despite their best efforts, legacy approaches fall short in functionality: they still must confront identities as the new perimeter, along with the excessive permissions those identities hold over cloud resources. All of this has been created by accelerated cloud adoption and an outdated approach to cybersecurity.
Eric Kedrosky, chief information security officer, Sonrai Security