The inherent benefits of cloud computing – flexibility in cost, scalability, security – helped it to quickly outpace client-server, on-premises computing. However, as companies have moved their data from on-premises to the cloud at unprecedented rates, rising cloud storage fees followed. In fact, in a Virtana survey, 69% of IT leaders said storage accounts for more than 25% of total cloud costs, with 23% reporting it represents more than half of their overall costs.
As corporate data moved to the cloud, so have career cyber criminals sensing a lucrative goldmine. According to a report from Venafi, 8 in 10 organizations said that they experienced a cloud-related security incident in 2022, and 45% of the organizations that faced a cloud security incident experienced at least four attacks during that period. It’s clear that cloud breaches are accelerating, and companies are struggling to mitigate risks.
The “Big 3” cloud providers – AWS, Microsoft, and Google – have built their brands and staked their reputations on their high level of security, both physically at their global data centers and through embedded security controls that keep corporate data and applications safe from data theft. But organizations can’t leave securing enterprise cloud data to the cloud providers alone. Companies must stay engaged with their cloud partners to safeguard their data because ultimately, organizations are responsible for the protection of their data.
Companies have adapted their cybersecurity strategies to address and protect cloud data with workload protection, posture management, and other security tools to harden defenses. Many organizations fell short (and still do) when it came to acknowledging the link between data lifecycle management policies and processes that reduce the attack surface.
Moving beyond assumptions and complacency
With nearly half (45%) of the breaches in 2022 taking place in the cloud (according to IBM), companies must re-evaluate the assumptions they have been making regarding their cloud data strategy. Companies often assume that encryption will always going be good enough to protect corporate data. Many companies also assume that they can depend on inexpensive cloud storage. While it’s true that companies generally only pay for the storage capacity they use, there are additional fees that add up quickly. For example, fees are charged every time data gets moved from one cloud repository to another location and some cloud vendors even charge API gateway fees when data is accessed through API calls.
Whether the company stores data on-prem or in the cloud, organizations should consider the following approaches to build up their security defenses and mitigate damage should a data breach occur:
- Focus on the fundamentals: Organizations should first prioritize basic foundational security controls and scale those, including reducing the data attack surface in the cloud before adding new security controls. It’s often easier said than done because companies are accumulating data at an alarming rate. Many probably don’t know exactly what’s being stored in the cloud; some of it is important, while some should have been eliminated through the data sanitization process years ago. Routinely reviewing the data as it’s created, then classifying, tagging and tracking it can solve this problem. Once the teams sorts and organizes the data, performing secure data sanitization using verified processes and audit trails on the redundant, obsolete and trivial (ROT) data no longer needed for compliance, legal or financial purposes reduces the attack surface and the potential for data leakage.
- Avoid over-reliance on encryption: Don’t assume that encryption will secure enterprise data indefinitely. As AI and quantum computing grow more accessible and sophisticated, they are often used to launch increasingly complex cyberattacks and could become capable of more effectively stealing encryption keys or even breaking encryption algorithms. Given this, consider permanent data sanitization as an important security control for cloud-hosted data.
- Adopt a multi-cloud approach: The multi-cloud strategy isn’t for everyone. Companies should do a self-assessment to determine whether it’s the best approach for them, taking the extra costs and added risk exposure into consideration. Two of the key benefits of multi-cloud are redundancy and business continuity. For example, if Azure goes offline, but the data in AWS is still accessible, the business won’t come to a standstill. Like an insurance policy, multi-cloud allows organizations to spread risk across multiple platforms. On the other hand, companies, especially those in the highly-regulated finance and healthcare industries, prefer to adopt a hybrid storage model which combines the best of on-prem and cloud resources for select workloads, allowing them to switch between each as needed.
While the existing state of cloud data security seems daunting, there are tools and preventative strategies that organizations can use to deliver protection should the unthinkable happen. The strategies that may have sufficed five years ago might not be enough, especially given the increase in data stored in the cloud and the rapidly changing threat landscape. Companies can protect their data by first focusing on getting the fundamentals right – this includes include making management of data, from the point of creation to end-of-life, a high priority.
Maurice Uenuma, vice president, general manager, Americas, Blancco
