Cloud Data Security in 2023: The Essentials

Companies are progressively transferring their data to the cloud. While moving data to the cloud offers numerous advantages, storing data in the cloud introduces new risk factors. Organizations nevertheless remain responsible for protecting their customers’ personal information and complying with privacy regulations. In this document, we summarize the important things to consider when creating a cloud data security business case: the main cloud data security risks, their origin and potential consequences, and ways to reduce organizational risk while supporting business growth, without compromising data security.
Risks
Financial organizations are especially at risk because their data is highly sensitive and specifically sought after. Being heavily regulated also presents significant risk should companies fail to have measures in place to protect against such threats.
- More than 153M leaked records are attributed to bank breaches between 2018 and 2022 (Source: comparitech.com).
- More than 4,100 publicly disclosed data breaches occurred in 2022.
- Across more than 20,000 security incidents and 5,212 confirmed data breaches, the use of stolen credentials accounted for nearly 50% of attacks.
- 147 million people were affected by the Equifax data breach as a result of a lack of visibility into data access activities and into privileged users’ behavior.
- Capital One's cloud data platform leaked 100 million customer records due to a lack of Segregation of Duties (SoD).
The most common causes of data breaches:
- Weak and stolen credentials.
- Malicious insiders.
- Insider error.
- Cloud data platform misconfiguration.
- Lack of visibility into, and real-time remediation of, access anomalies.
How Will the Risk Evolve Over the Coming Years?
Gartner notes that fraud of all kinds often increases during a downturn, as cybercriminals know resources will be tight and expect companies to cut back when it comes to cybersecurity.
The value of sensitive data in general is set to increase. Competitors will want the inside edge. As companies in many cases choose to become more agile, jobs will be lost, and for many businesses operating conditions will become tougher. In such situations, the risk of data fraud increases significantly in two ways:
- Cyber threats tend to rise during a recession; hackers thrive in tough times, and we are going to see more incidents.
- Data theft or compromise by ‘compromised’ employees and ex-employees is likely to rise as they either leave to join competitors or choose to take data as a form of revenge.
With this in mind, the regulator in the Philippines monitors the lifting of critical data to American clouds, continually increasing the mandatory controls and data protection requirements.
A common regulatory requirement is to encrypt the data using format-preserving encryption (FPE) before it is allowed to move to the cloud, so that no Cloud Account Admin can ever re-identify your critical data.
What Would the Impact to Your Businesses Be if You Had an Incident?
- Significant compliance fines (up to 4% of company turnover under GDPR; varies under other similar regulations, e.g., PDPA)
- Trade lost through reputation damage and disruption
- Value lost from stock price / valuation
- Job security at all levels
- Customers lost to competitors
- IP leaked to competitors, who use the incident to increase their market share
- Time/resource/cost and damage caused by slow detection and response
Where Do These Threats Originate From?
Looking into the main reasons behind cloud data breaches highlights three key dimensions: lack of visibility, poor access control, and inadequate de-identification (encryption) and re-identification (decryption) processes.
- Over 80% of hacking-related breaches involved the use of lost or stolen credentials. (Source: Verizon 2020 Data Breach Investigations Report)
- 64% of organizations don’t have visibility into the level of access and permissions for both internal and external users. (Source: https://www.bankinfosecurity.com/)
- 57% of organizations are unable to grant only the access needed to perform designated responsibilities. (Source: https://www.bankinfosecurity.com/)
- 58% of organizations aren’t monitoring third parties because they don’t have the internal resources. (Source: https://www.bankinfosecurity.com/)
How to Mitigate the Risks?
- Understand risk around your most sensitive data (find over-exposed sensitive data stores).
- Encrypt (de-identify) the data at rest before it is lifted to the cloud, ensuring that cloud configuration loopholes, Account Sysadmins, and data sharing with internal cloud platforms and third parties only ever expose encrypted data (PDPA “Security by default” and “Security by design”, and data-centric Zero Trust).
- Define policies for who should have access to the clear-text data and why (“purpose”).
- Apply a cloud-independent policy enforcement platform to monitor sensitive user activity in real time, detect and block anomalous or high-risk behavior, and re-identify (decrypt) the data on “purpose” (a “need-to-know” basis).
Reducing Costs and Risk while Facilitating Growth
The required data protection platform will enable the organization to quickly realize significant benefits across growth initiatives, cost optimization, data-liability reduction and data-risk reduction.
Growth Initiatives
Enabling business growth through automated, secured digital transformation, efficient data operations, enabling fast response to business initiatives, securely leveraging cloud data platforms, machine learning and analytical tools to grow and increase revenue and productivity.
Support new business initiatives through the introduction of process-driven, automated data provisioning capabilities, enabling fast and accurate provisioning of access to data, and streamlining data-ops.
Enabling adoption of new technologies and cloud data platforms to support business growth, without compromising data security, ensuring automated enforcement of data security policies and reducing the organizational risk.
Cost Optimization Initiatives
- Enabling cost optimization across data and security operations.
- Reducing the number of tools required to ensure data security by adopting a consolidated platform for monitoring access to sensitive data and protecting the data at rest (using de-identification) and in use (using Attribute-Based Access Control).
- Seamless deployment with no changes to existing infrastructure, no agents on databases, no code changes and no API calls.
- Enforcing full Segregation of Duties, ensuring data can neither be re-identified while in the cloud nor accessed by Cloud Account Admins.
- Centralized data protection platform across on-premise and cloud, from on-premise mainframe to cloud data platforms.
Data Protection Initiatives
Strengthening the organization’s security posture by deploying a future-ready data protection platform, replacing multiple point-solution technologies with a centralized, consolidated, data-centric protection platform:
- Providing consistent enforcement of data security policies over all cloud platforms
- Ensuring controls are in place to manage access on a need-to-know basis
- Regulators require that sensitive data barriers exist between different trading desks or business units
- BDs must ensure sufficient controls are in place to comply with these contractual provisions
Ensure consistent data protection enforcement across multiple data sources, consuming apps, back-office processing and ML, supporting access to regulated data across data consumers (users), admin users, and data-access/processing technologies, including:
- Real-time Database Activity Monitoring (DAM) with end-user granularity and context, user behavior analytics, alerting and actions
- Access control across operational and analytical workloads ensuring access on a need-to-know basis.
- Purpose / Attribute-based access control
- De-identification capabilities, selectively available both at rest and in use, including: dynamic and physical masking, FPE and Typesafe Encryption, tokenization, filtering, scrambling, nullification, anonymization, pseudonymization, and soft deletion and hard deletion (for addressing “Right of erasure”).
- End-to-end data security, with full segregation of duties
- Always Encrypted: from data ingestion to consumption, data must be always encrypted to ensure that Cloud Account Admins and other unauthorized users can never decrypt the data
- Flexible re-identification of data only for authorized users and only back on-premise/in-country (client-side)
- Critical Data is never re-identified in-cloud
- Access to data is always restricted by data classification & user context
Expected results
- Time needed to grant proper access to sensitive data in cloud data platforms, applications and data-processing tools reduced from days to minutes, an over 10x improvement.
- Centralized security platform seamlessly integrated with the modern data stack, including Snowflake, AWS, GCP, Azure, and other leading platforms and tools.
- Simplified protocols for regulatory compliance, securing key required financial services licenses.
- Simplified end-to-end data security architecture: fewer data-protection tools required, fewer servers needed, automated processes, and increased peace of mind.
- Data engineers can segregate, manage, and audit analytical activities, allowing a data science team to work across both principal and agency projects without raising conflicts of interest.
- User access to anonymized client transaction data: a combination of contextual attribute-based and purpose-based access control applies anonymization techniques and time-based controls to sensitive data processing activities, at rest and in use, enabling ongoing risk management and model optimization.
- Clients’ identities are shielded so that information is shared only on a need-to-know basis, and access to sensitive data is constantly monitored across data stores, access tools, data consumers (identities), etc.
Calculating ROI
When considering a data protection platform, the following financial parameters are considered:
Cost Saving:
Tools replaced by a centralized platform – Software Annual Fee (subscription/support), Labor (internal and third party), Hardware (annual costs, support, management), Data Center costs, Management Costs, Energy Costs
- Database Activity Monitoring (DAM) – hardware, license and software costs for collecting and storing database and application user activity logs
- Attribute-Based Access Control (ABAC)
- Encryption
- UEBA
- Masking
- Deletion
Additional considerations:
- Development effort for implementing changes to existing technologies when considering separate / silo solutions
- Storage costs for non-production data
- Operational costs for maintaining a centralized solution vs separate / silo solutions
- Elimination of duplicate access policies