Jakub JirsÃ¡k - stock.adobe.com
Companies are finding themselves increasingly reliant on a growing number of cloud-based services, as business tools transform into online platforms, such as infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS). Consequently, business data is often leaving the network boundaries and being transferred to an external third-party platform, beyond the remit of internal access management systems.
Data in the cloud
Data processing and management are an essential part of the modern enterprise, regardless of the sector. As such, it is incumbent on all organisations to ensure data is protected and not shared or lost. This has also become a regulatory requirement in many countries. Data processing has become challenging because it now frequently takes place in the cloud.
No two cloud platforms are the same, as each platform offers its own unique benefits and suitability for different applications and data processing. With organisations wishing to maximise their flexibility to meet shifting market trends, they are increasingly relying on cloud platforms to support this.
“An average company uses around 25 to 49 tools from 10 different vendors,” says Nataraj Nagaratnam, CTO of cloud security at IBM. “A security and compliance platform that can integrate data from these tools and provide a single pane of glass about overall posture is important.”
However, ensuring data is protected across a diverse series of platforms, and that access is appropriately managed, has become a time-consuming process. Just as every cloud platform is different, so too are their access controls. It is therefore the responsibility of organisations to ensure the correct controls are in place and that they are deployed across all of the platforms they use.
All datasets are not equal, with some being far more sensitive than others. For example, the spending patterns of customers may be commercially useful, but are not as sensitive as financial transactions. “Public and internal data is not the same as confidential and sensitive data,” says Nataraj. “When [putting] confidential data and critical workloads in the cloud, the security controls you need to apply increase.”
Taking a data-centric risk-based approach is key, as this enables an organisation to ensure that the appropriate security controls are in place.
Managing risk in the cloud
Whilst encryption is critical to protecting data in the cloud, what is arguably even more important are the encryption key management systems. “Keys have become critical infrastructure,” says Nataraj. “We joke about it – encryption is for amateurs and key management is for professionals.”
As such, keys have become essential components of data security. Although the data may be protected through encryption, if the associated keys are not adequately protected, then the data will still be vulnerable to attack. A zero-trust approach should be taken to ensure that the risk to keys, and therefore the data they protect, is minimal.
Nataraj Nagaratnam, IBM
A common flaw in a security posture involves issues with cloud platform access controls. Problems can include obsolete accounts, such as when staff have left but their user profiles remain active; redundant access permissions due to users changing departments and needing access to different information; and access being inadvertently granted to external parties.
“The top mistakes are misconfigurations,” says Nataraj. “It’s not only sophisticated attacks that are happening out there. It’s mundane, simple misconfiguration, where basic security practices – for example, preventing public access to sensitive data stores – aren’t fully followed. Such situations lead to more breaches and attacks.”
Managing access controls across a multicloud network has become a complicated process. Organisations are now responsible for ensuring their security controls reflect risk and regulatory compliance. This complexity is not because organisations do not appreciate the importance of the data they control, but it is often a case of the security team not having the knowledge or time to ensure that the correct controls are in place.
It is therefore important that organisations simplify the access management system for developers and understand the importance of uniform security controls.
Risk versus sensitivity, not network versus cloud
Organisations need to consider how they can mitigate the risk to their data, especially when they move critical workloads to the cloud. Given that data is now in the cloud, third-party risk also needs to be considered for data protection.
“What are the technical assurances that [the] cloud provider or a third party cannot access the customer data or the keys?” asks Nataraj. “That shift of providing the technical assurance is at the core of data security and privacy.”
With data in the cloud, organisations need to take a risk-based and data-centric approach to security strategy. They can no longer consider their network as a trusted boundary and should instead focus on the sensitivity of their data. It is vital to balance the sensitivity of the information with the usefulness of its accessibility in the cloud, and have the appropriate policies in place to mitigate the risk to the data.
It is important to accept that nothing is 100% secure and that it is a case of when, rather than if, a hack will occur. This may come across as a fatalistic approach, but assuming that being hacked will never happen, and therefore failing to have contingencies in place for a worst-case scenario, puts an organisation and its data at significant risk. It is therefore prudent to have actionable and tested plans in place for such instances.
Managing access controls with IAM
Having an identity and access management (IAM) system deployed allows organisations to have a single management interface for controlling access to their various cloud services. By no longer having to manage the user profiles in each of the separate cloud platforms, IT teams will be able to efficiently control identity management, allowing them to focus their attention where it is needed most.
An IAM system overlay will also enable the audit of information control across multiple cloud platforms. This will enable the monitoring of when and where information is being accessed, as well as identifying any abnormal activity in the cloud.
Having a codified set of standards identifying the security controls and access permissions across cloud platforms is central to a unified identity and security management system. “It’s not just a set of policy documents that say, ‘Thou shalt protect data’,” says Nataraj. “It needs to get to the specific prescriptive controls that say, ‘This is how you protect your data’.”
Automating this process allows new cloud infrastructure to be created with the baseline user permissions in place. This ensures there is a consistent and repeatable approach to information management, which embeds an organisation’s security and data protection policies throughout the network. There is also the advantage of enhancing an organisation’s agility in responding to new opportunities and reducing project lag, especially at the start.
While automation can mitigate the risk of misconfiguration through poor communication and human factors, there should always be a human in the loop to ensure network oversight. This will ensure there is consistency in the way an organisation leverages automation at scale, while also ensuring there is no deviation from established access controls.
Automating the IAM system can be coordinated with a network’s intrusion detection system (IDS) to further audit access controls throughout an organisation’s network and cloud platforms. These can flag suspicious network activity to network administrators, their responses to which can be fed back into the automated IDS to refine the machine learning’s threat detection algorithm.
Regulating data protection
With a growing number of business platforms operating from the cloud, managing access across these diverse platforms has become an ever-increasing challenge. This has come to the fore with the latest data protection regulations, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Data protection laws now not only require organisations to have the appropriate policies in place to protect user data, but these policies also require that access to information can be controlled and audited. An IAM system overseeing a multicloud architecture enables access controls to be fully auditable, regardless of how many cloud platforms and services an organisation uses.
Regulatory oversight looks set to continue to grow, with existing legislation expanding and new data sovereignty laws being developed. This will continue to make information sharing and data processing a complex field. Identifying how these shifting regulatory trends evolve will enable the preparation of appropriate mechanisms, thereby ensuring that data continues to be shared and processed in a way that is compliant with the relevant data protection regulations.
Managing risk and compliance with IAM
Organisations are becoming ever more reliant on cloud-based services for meeting their business needs. It is therefore vital that an integrated IAM system is in place to ensure that the appropriate access management systems are in place, as this will allow organisations to reap the benefits of cloud services while ensuring they remain compliant with data protection and data sovereignty legislation.
Read more about cloud IAM
- With IAM central to enabling appropriate access to cloud-based services, identity first security is becoming a key trend for IAM in the cloud.
- Governments are introducing increasingly prescriptive data protection policies, but with organisations becoming ever more reliant on multiple cloud service platforms for essential business needs, how can they ensure they meet regulatory requirements?