This Data Awareness and Protection layer discusses extended recommendations that are specific to the data itself.
3 Cloud Data Security Best Practices
1. Scan for Sensitive Data and Malware
All data is not created equal, nor does it represent the same risk. IaaS/PaaS storage repositories should be scanned to identify data risk. Data risk can come in two primary forms — sensitive data that may or may not be permitted in the cloud and malware. Both represent risk. Both should be scanned to identify excessive, unknown or unexpected risk. Solutions should use a “single pass” architecture so that a given file can be scanned simultaneously for risk in the form of embedded sensitive data or embedded threats. Here, a third-party offering may be needed; for example, CASB and CSPM offerings that scan IaaS/PaaS services.
2. Adopt Confidential Computing Techniques When Handling the Most Sensitive Data
Some of the leading cloud providers now offer options for confidentiality. Confidential computing is the combination of CPU-based hardware technology and CSP VM images and software tools that enable cloud-using organizations to create completely isolated trusted execution environments (called enclaves). Because they offer a form of encryption of data in use, these enclaves render sensitive information invisible to host OSs and cloud provider administrators. As an alternative, software-based techniques such as multiparty computation and software-based trusted execution environments are also available.
3. Understand and Manage The Data Replication Patterns and Policies of the Cloud Provider
Leading cloud providers offer control of where and how data will be replicated, including control of geographic replication. For certain types of data, this may be required by law; for example, the EU’s General Data Protection Regulation (GDPR). This recommendation applies to the storage and handling of the detailed audit logs discussed earlier. This analysis should extend to backups and backup services. Finally, even if the cloud provider’s logs and metadata are stored in a regionally compliant fashion, analytics services against the data may not be — but should be — understood as well.
10 Best Practices on How to Use Cloud IaaS More Securely Than a Data Center?
Data residency across cloud services creates complex choices in regard to balancing business needs against growing risks to provide adequate data security and compliance. Clients increasingly try to avoid data exposure and CSP trust issues by encrypting data on-premises. However, this may affect application performance and functionality.
Gartner recommends engaging certified cloud partners early on in your cloud planning process, to ensure that loopholes are identified early and plugged in before it turns out to be a disaster.