Cloud security is a wide-ranging affair which throws up challenges at numerous levels. It is therefore useful to start by understanding the distribution of responsibilities between the organisation (a public cloud customer) and those who provide cloud services, for example, Google Cloud, or Microsoft Azure.
Under the shared responsibility model, the cloud provider is responsible for the security of the cloud (i.e. physical infrastructure), and also for managing said infrastructure. The customer (your organisation) is, in turn, responsible for security in the cloud – in essence, the workloads running on top of the virtual resources created in the cloud provider’s platform.
Cloud workload protection (CWP) refers to the protection and overall security of workloads running in the cloud in any type of computing environment, whether they be physical servers or containers, for example. For any organisation using cloud services, this is a core responsibility and an essential facet of any security and compliance strategy. Organisations are moving to the cloud as a consequence of the need to guarantee the scalability and flexibility of their applications. Governance and security should be the grounding pillars of this migration and of the new environment.
The benefits of cloud technology for remote working
Visibility and accountability
As operations in the cloud grow together with the teams managing them, company-wide visibility and accountability become critical issues. After all, you can’t accurately detect, stop or respond to something if you can’t see it. In this way, workload events need to be captured, analysed and stored so that security teams can enjoy the visibility they need to detect and stop threats in real-time, as well as to hunt down and investigate threats. Accountability is a critical concern for information security in cloud computing,
representing most importantly the trust in service relationships between clients and cloud providers (Microsoft Azure et al). Indeed, without evidence of accountability, a lack of trust and confidence in cloud computing can raise it’s head among those concerned with managing the business.
Dealing with sensitive data
Sensitive data (PII) is processed in the cloud and governance is critical to make sure that such data is always processed and stored in a secure manner. Data protection is big news these days – especially more so with the advent of both PII and General Privacy Data Regulation (GDPR) data compliance regulations. The shared responsibility model between the cloud platform provider you choose and your organisation, means that you (the organisation) remain responsible for the protection and security of any sensitive data from your end customers. If you want to avoid failing a data security compliance audit, or the ramifications of a data breach, then it is imperative that you enable protective policies and build governance and controls surrounding data stores into the business.
Data protection and GDPR: what are my legal obligations as a business?
The need for compliance with regulations such as GDPR is a driver to implement governance and software-defined operations in a cloud-agnostic manner, as many organisations use more than one cloud vendor. GDPR requires that any organisation serving a customer in the EU must know exactly where that customer’s data is stored and be able to fully delete it on-demand at the request of that customer. Under such conditions, organisations require systems that can monitor and remediate compliance and security policies across not only AWS, Azure, Google Cloud Platform, and other public cloud environments, but across on-premises private clouds, too. As organisations embrace multiple private and public cloud environments, their management systems need to do the same for better governance.
There are tools that can deploy security and best-practices policies in order to ensure that data is secured at rest and at run-time, as well as empower organisations to become compliant and auditable, in order to show how these policies secure their data. Unprotected data, whether at rest or at run-time, leaves enterprises vulnerable to attack. However, there are many effective security measures that offer vigorous data protection across endpoints and networks, to protect data in either state. One of the most effective
data protection methods for both data in transit and data at rest is data encryption.
In addition to data encryption, look for solutions with policies that enable user prompting, blocking, or automatic encryption for sensitive data in transit (e.g. when files are attached to an email message) and at rest. Also, create policies for systematically categorising and classifying all company data – wherever it might live. In this way you can be sure that the appropriate data protection measures are applied while data remains at rest and triggered when data classified as at-risk is accessed, used, or transferred.