By Andy Smith, CMO, Laminar
Data protection and cloud security have enterprises running around a giant hamster wheel. They know that they are practically blind when it comes to where sensitive data is in the cloud and how well it’s protected. Meanwhile, data protection teams are crying out for a way to gain a complete and accurate view of their data. It doesn’t seem like such a tall ask, considering that data is at the center of cloud transformation—no matter how you slice it. Yet, still, some companies are living in the renaissance period of cloud security and blissfully unaware of their assets in the cloud.
Setting the Scene
If innovation were a Hollywood movie, data would be the lead actor. Data is inarguably the most critical piece of the puzzle when it comes to innovation within the modern cloud-first enterprise. Most business leaders have wrapped their heads around this concept and recognize the facts; they agree that: In order to give my developers and data scientists the tools they need to innovate, our data must be democratized and we must be able to support new applications on the cloud. While most businesses understand that data is important, that it’s critical to protect and that it is a source of differentiation, they often fall short of understanding what exactly is involved in effective data security. Especially when it comes to sensitive data stored in the cloud, many security teams are still in the dark.
This misunderstanding—or possibly misinformation—leads enterprise leaders to rely on traditional methods of data security. Outdated technology hasn’t adjusted to the new cloud-native environment. This means that data security and privacy workflows, reviews, committees and assessments are all manual. Herein lies a tremendous growth opportunity.
We could discuss the problems with current approaches until we’re blue in the face. Problems of alert fatigue, FUD, friction with developers and of course exposure to data exfiltration and security risks are holding organizations back from reaching their full “cloud potential.” While recent approaches, like Cloud Security Posture Management (CSPM) tools, have brought some useful capabilities for cloud infrastructure—such as VMs, containers, etc.—they don’t address the needs of data security teams who have been left in the dust. Traditional data security solutions and manual processes haven’t adjusted to the new cloud-first environment, which makes the work of the modern analyst much more challenging, and, most significantly, has positioned them as “gatekeepers” rather than “enablers” of business and innovation.
Stuck in the Past
Legacy data security suites have left enterprises ignorant to what sensitive and regulated data they have in the public cloud. This impacts several components of a data security strategy. First, teams are left conducting manual, periodic interviews with application owners to identify sensitive data stores that are out of date (usually days later) as the cloud environment is agile and dynamic as developers and data scientists can make copies of data anytime they want. This is all in a failed effort to determine where their sensitive data lives in the cloud. They’re stuck in a “trust but no verify” approach that is completely manual and unable to keep up with the speed of the cloud.
Second, when securing and controlling cloud data, they often rely on written policies with little to no enforcement. Instead of automated approaches to enforce policies, they have to trust that developers will understand standard policies and properly implement them. They are involved in laborious compliance audits of policies, which can easily leave gaps. Lastly, legacy data loss protection (DLP) solutions only cover email, endpoint and on-premises infrastructure, which means data security teams have limited to zero visibility into potentially ruinous data leaks in IaaS and PaaS environments.
Third, security teams may be thought of by others within the organization as a hindrance to business and innovation. While leadership can preach all day to stakeholders and marketing about the importance of security, there can be a disconnect between security teams and other decision-makers when it comes to acting on the platitude. Security might seem like a great idea “when we get to it,” but when it comes to enacting security best practices, leadership might not want to risk possible disruption that would slow or even stop a project. Without the right tools in place, security teams can feel like they are fighting an uphill battle, which can be discouraging and lead to neglect of pertinent issues just to reduce friction with colleagues.
A Place in the Future
Where does this leave the modern enterprise that wants to gain a complete and accurate view of all assets on the cloud to move innovation forward? A cloud-native, data-centric approach will take organizations from the past to the future of data management and protection. Let’s break down the components of a forward-thinking, modern approach to cloud security.
Eat, Sleep, Breath Cloud
There’s no arguing that cloud is integral to most businesses today. Thus, a modern data management approach must start by integrating fully with the public cloud itself, using modern, cloud-native approaches. Within virtually every enterprise are hundreds of technologies and apps that store, use and share data in the cloud. These tools can be managed by cloud service providers (AWS S3 buckets, Google Cloud Storage, Azure Blob Storage, etc.), IT (AWS RDS) and even developers or operations teams (database that runs on an EC2 or a Kubernetes node). Furthermore, each technology is configured and used differently on a daily basis. These architectures are complex, dynamic and constantly changing, which increases risk dramatically over legacy data management.
For this reason, a cloud-native tool or application is critical for companies seeking a place in the future. A cloud-native tool or application is designed to capitalize on the characteristics of a cloud computing software delivery model. They utilize the cloud service provider’s (CSP) native APIs that are designed to meet these needs. While cloud-native data security solutions aren’t mainstream yet, they’re gaining traction among larger, established organizations that recognize their unmatched value and their unique ability to discover, classify, secure and control the data that lives in the cloud more deeply.
If security teams don’t know where their sensitive data is, who has access to it and can’t understand the risk posture associated with certain assets, how can they expect to know about leaks and vulnerabilities in a timely manner? Gaining that deep, all-encompassing visibility into every piece of organizational data stored in the cloud—whether that data asset is managed by the cloud provider, if it’s a formal data store or in compute or if it’s public or isolated—and continuously monitoring the movement and management of that data is the most effective way to stay nimble and reduce the attack surface. For companies living in the “future” of cloud data management, this means connecting security tools directly with their cloud account to agentlessly scan the entire cloud environment and autonomously discover all data stores. Autonomous solutions are critical as cloud environments are agile and dynamic where security teams and even application developers are not aware of the typically thousands of data assets in their cloud accounts. Many data management solutions will automatically scan known datastores with the right credentials to gain access, but only autonomous solutions discover ALL resources without knowledge of the environment. Achieving this level of visibility without disrupting workflows is huge in terms of moving security teams away from a gatekeeper persona to business enablers.
Putting the Pieces Together
Collecting and analyzing all data assets is just the first step toward a more advanced, forward-thinking approach to data security in the cloud. Modern cloud-native solutions are also able to autonomously scan all of those discovered pieces of data to understand where to focus first—the most sensitive data and the most critical issues—and present that information to security analysts. Cloud-native tools can also autonomously scan audit logs, network flow logs and various data sources in order to build a profile for every data access point. A cloud-native, agentless approach allows data security teams to detect leaks and remediate them faster by monitoring unwanted data access in real-time by analyzing access logs for anomalous activity. Cloud security teams are no longer stuck in an environment of alert fatigue and burnout because they finally have eyes on all of their sensitive data at any given moment.
Without the right tools, today’s security professionals will continue to live in fear of the unknown, like unknown data repositories (what we call shadow data) that can be targeted with the least odds of detection. Security teams are afraid of being out of the loop and susceptible to breaches. This creates tension between security teams and the rest of the enterprise. But with the right tools, security teams can champion digital transformation and innovation and truly become heroes within their organization.
About the Author