Multi-Cloud Data Protection Best Practices for Cyber Resilience
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise technology. In this feature, Panzura CISO Katie McCullough offers multi-cloud data protection best practices for cyber resilience.
A few years ago, we were knocking on the door of multi-cloud architecture. Today, it’s the norm. Businesses are now realizing the seemingly endless benefits of combining private and public cloud solutions into one single cloud adoption strategy — from avoiding vendor lock-ins and cutting costs, to increasing agility and developing a cloud experience that aligns more closely with a company’s specific needs. According to Gartner, more than half of all enterprise IT spending will shift to the cloud by 2025, much of it on distributed cloud architectures that span on-premises, edge servers, and private and public cloud solutions.
Agility is one thing, but there’s an inherent risk to storing data across multiple cloud providers and on-premises infrastructure. More data in more environments typically means less visibility and a need to juggle multiple out-of-sync data “islands” for backups and day-to-day processes. So how can businesses ensure that the integrity and security of their data remains consistent when stored in a distributed cloud environment?
Multi-Cloud Data Protection Best Practices
3 Tenants of Cloud Security
The effectiveness of any cloud-based data storage solution is best measured against three core tenants – confidentiality, integrity, and availability. Confidentiality is absolutely critical to maintaining data security, enforcing the principle of “least privilege” to ensure that only employees that need to access data to carry out their duties have access. No employee, regardless of seniority, should be given blanket access to an organization’s data – not necessarily because they can’t be trusted, though inside threats are most certainly a risk — but because they become a potential vector for breaches. The smaller the pool of individuals with access to certain datasets, the less vulnerable those datasets are when it comes to cyber threats and potential data theft or loss.
The integrity of data also needs to be maintained to ensure business continuity and productivity. When we talk about the integrity of data, we’re referring to the reliability and trustworthiness of that data throughout its entire lifecycle — if at any point data becomes desynchronized, outdated, or incorrect in the multiple cloud environments in which it is stored, it loses value and can lead to further problems and frustrations. Systems need to be able to check and validate data continuously to ensure that its integrity is maintained and productivity remains constant. The third tenant is availability. Do the right areas of the business have access to the right data at the right time? Balancing availability with confidentiality and integrity is one of the greatest challenges in cloud data security, but it’s not insurmountable if security teams ask the right questions when looking at multi-cloud solution options.
Preparing for Multi-Cloud Data Storage
Before going ahead with a multi-cloud storage strategy, security teams need to first assess their needs around data security. This assessment is best carried out by considering what, who, and how. When thinking about the “what” of data, security teams need to break down and categorize their data in terms of its storage and security needs. Is it highly confidential information within the business? Is it sensitive customer information? Are there any governmental regulations around the data being kept, such as PCI DSS for payment information or HIPAA when it comes to health records? This will allow security teams to outline the right security specification for the cloud strategy they adopt.
The “who” is all about who needs access to the data. Some data might need to be accessible to all users, such as basic customer records or supplier information. Some customers may even need access to data, when they log into a customer portal or access a service-based app for instance. Some data will be more specialized, with only engineers, financial controllers, or certain business units requiring access. Assessing who needs access to what data will help security teams map their data to the right cloud environment, be it private, public, or on-premises.
Next is the “how” — how will users access the data? Some data might be best accessed directly through file-sharing, whereas other sets of data may be shared via multiple applications and interfaces which will require the use of APIs to “communicate” with the cloud. Different data delivery and access methods will have different security challenges, so it’s good to assess how data is going to need to be accessed before adopting a multi-cloud adoption strategy. Access to data and certain applications can then be governed by best-practices such as multi-factor authentication to validate the identity of users.
The Importance of Data Encryption & Sovereignty
Once a multi-cloud strategy is in place, it’s then about deploying security controls and practices to maintain a baseline level of security. Perhaps the best example of this is data encryption, which has become a common practice in the transmission of data and will be built into the majority of solutions. Nevertheless, it’s important to understand how data is being encrypted, and make sure that it is being encrypted “at rest” as well as in transit. It’s also important for security teams to look at how cryptographic keys are being handled, whether it’s the service provider or the cloud provider handling them, and the level of encryption they represent. This is particularly important when it comes to compliance with regulatory standards like PCI DSS or HIPAA, where data may need to be encrypted and protected to a certain level.
One of the primary benefits of multi-cloud environments is the ability to choose different cloud providers for different services. This provides flexibility, cost savings, and access to specialized services. However, this approach also makes it difficult to maintain control over data, particularly if that data is spread across different cloud providers. This creates challenges in terms of compliance, security, and data protection that will need to be addressed with a clear data sovereignty strategy. This will involve identifying the locations where data will be stored, understanding the data protection and privacy laws in those locations, and ensuring that data is stored and processed in compliance with those laws. This is far more complex than in an on-premises environment, where regulations are only governed by the type of data being stored rather than the location in which the data is being kept.
Putting Security Controls in Place
One of the basic security control checklist items for multi-cloud data security is maintaining an inventory of all cloud services used by the organization. This helps to ensure that all services are secure, and that any potential security issues can be addressed in a timely manner. Additionally, incident response planning should be established to ensure that the organization is prepared to respond to security incidents.
Naturally, any third-party interactions also pose a significant risk to multi-cloud data security. Security teams need to ensure that they have clear and established security policies and procedures for third-party vendors and that they are compliant with any applicable regulations or standards. Change management is also important to ensure that any changes to the cloud environment are thoroughly tested and validated to prevent security vulnerabilities from materializing in the future. Data disposal is another checklist item, ensuring any data that is no longer needed is disposed of securely. Cloud storage providers should be able to give a detailed breakdown of how they dispose of redundant data so it doesn’t fall into the wrong hands or breach compliance regulations.
Before selecting cloud service providers as part of a multi-cloud storage strategy, all of the above needs to be considered. It’s important to know where responsibility for the security, encryption, and compliant handling of data starts and ends — some of this will be the service provider’s responsibility and some of it will come down to the organization itself. Interrogating service level agreements (SLAs) will reveal this in greater detail, as well as outline what the service provider aims to provide, from response times and recovery times to how data is stored and what downtime — if any — is deemed acceptable.
Multi-cloud data storage is an incredibly useful way to minimize spending, maintain compliance, and generally improve the handling and availability of data, but only if the right solutions are selected and implemented in the right way. Data security should never be assumed and is never guaranteed.