According to research from Rubrik Zero Labs, organizations will store an average of 1231.8 terabytes of sensitive back-end data in the cloud by 2028. And the successful adoption of the cloud for storage makes sense: cloud computing provides a platform for CapEx-free innovation that’s scalable and available on demand.
But storing data in the cloud exposes your business to new kinds of risk. What are those risks? How do you manage them?
Cloud data security is part of a bigger picture that includes overall data security. As organizations become increasingly data-driven, the potential damage arising from a data breach becomes more significant. It’s hard to thrive as a data-driven business if your data has been deleted, leaked, or compromised. Protecting that data is a high priority.
Cloud security is another element in that bigger picture. Security in the cloud is different from security on-premises. For one thing, an external team manages cloud infrastructure. And, while the people who run your cloud infrastructure might be superb at security (arguably better than your in-house team), you don’t know who they are and exercise no control over them. This leads to anxiety about the status (and safety) of your cloud data.
The truth is most security threats to the cloud are well-known and come from familiar vectors: phishing attacks, supply chain attacks, malicious insiders, poorly configured data stores, and more. Indeed, some of the worst cloud data risks arise from sloppy security settings and poorly followed data security policies.
Storing data in the cloud creates an attractive attack surface. Corporations store personally identifiable information (PII), intellectual property (IP), customer records, and all manner of sensitive data in the cloud.
These data sets have value for hackers, who can, for example, sell them to identity thieves. They also present opportunities to disrupt businesses that rely on data to function. And if there is a data breach from the cloud, there can be compliance problems, such as with GDPR or CCPA. These risks apply to backup instances of data too, which can lead to unexpected data breaches.
The cloud’s shared security model can compound cloud data risk. Typically, the cloud service provider (CSP) is responsible for securing its own infrastructure, including the physical data centers, networks, and hardware that powers the cloud platform. Customers are responsible for securing their own data. This makes sense, given that the customer will have its own distinct policies and countermeasures for data protection. However, the shared nature of cloud security can leave gaps where stakeholders are unclear about their responsibilities.
Cloud platforms use a variety of practices and technologies to keep data secure. But there are some essential elements that must be in place for a cloud platform to be considered secure, including:
Data in the cloud should be encrypted. The encryption must be end-to-end, covering data at rest and data in transit. This way, even if malicious actors can penetrate cloud data storage infrastructure or databases, the information included within is useless to them.
An elevated approach to encryption also involves using hashing techniques to render encrypted data sets immutable. An immutable snapshot cannot be modified or deleted by anyone. It is resistant to ransomware because the ransomware cannot re-encrypt it.
Advanced threat detection mechanisms can help a cloud platform identify and mitigate security threats. For example, an anomaly detection engine enables storage managers and their partners in security operations (SecOps) to investigate threats against data stored in the cloud—ferreting out threats and avoiding reinfection by malware when data is restored from backup instances. An anomaly detection engine leverages machine learning (ML) to establish a baseline of normal behavior against which it can detect malicious activity. From there it can identify the initial point of an attack, its timing, and scope.
Additionally, threat monitoring draws on intelligence from third parties, such as information sharing and analysis centers (ISACs) and other threat feeds and proprietary intelligence. The technology is able to identify indicators of compromise (IOCs) within backup snapshots. Such a tool reduces the need for reactive, manual threat detection and response workflows. Rubrik performs these processes on existing data “out-of-band,” which preserves the performance of production systems.
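The baseline-and-deviation idea described above, as an added example that is not Rubrik's implementation: it uses a simple median/MAD statistical baseline in place of ML. The per-snapshot metrics (files changed, mean entropy of changed files), the threshold, and the snapshot names are constructed assumptions.

```python
from statistics import median

# Constructed sample: (snapshot_id, files_changed, mean_entropy_of_changed_files)
SNAPSHOTS = [
    ("snap-01", 120, 4.1), ("snap-02", 135, 4.3), ("snap-03", 110, 4.0),
    ("snap-04", 128, 4.2), ("snap-05", 140, 4.4), ("snap-06", 125, 4.1),
    ("snap-07", 9800, 7.9),   # mass rewrite with near-random content
    ("snap-08", 15200, 7.8),
]

def robust_z(value, baseline):
    """Modified z-score (median/MAD): outliers barely move the baseline."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1e-9  # avoid divide-by-zero
    return 0.6745 * (value - med) / mad

def analyze(snapshots, min_baseline=5, threshold=3.5):
    """Judge each snapshot against the clean snapshots seen so far.

    A snapshot is flagged only when BOTH change volume and entropy deviate,
    so a large but ordinary bulk import is not mistaken for encryption.
    Flagged snapshots are kept out of the baseline so they cannot poison it.
    """
    clean, flagged = [], []
    for sid, changed, entropy in snapshots:
        if len(clean) >= min_baseline:
            z_changed = robust_z(changed, [c[1] for c in clean])
            z_entropy = robust_z(entropy, [c[2] for c in clean])
            if z_changed > threshold and z_entropy > threshold:
                flagged.append(sid)
                continue
        clean.append((sid, changed, entropy))

    ids = [s[0] for s in snapshots]
    first = flagged[0] if flagged else None
    # Everything before the first flagged snapshot was judged clean.
    last_clean = ids[ids.index(first) - 1] if first and ids.index(first) > 0 else None
    return {
        "initial_point": first,       # where the anomaly starts (timing)
        "last_clean": last_clean,     # candidate recovery point
        "flagged": flagged,           # scope of affected snapshots
    }

if __name__ == "__main__":
    print(analyze(SNAPSHOTS))
```
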
Nearly three quarters of enterprises store their data on two public cloud platforms, according to a 2021 VMware survey cited on CIO.com. The same survey found that 26% of respondents reported using three or more clouds, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Therefore, a cloud data protection solution must support multi-cloud architectures if it is to be viable.
Data stored in the cloud is subject to all the same governance and compliance requirements as data stored on premises. For this reason, a cloud data security solution must support the kind of controls and policies that comprise most compliance frameworks. These include access controls, and encryption standards specified by ISO 27001, SOC2 Type II, SOC 3, GDPR, CCPA, and HIPAA. Compliance managers must be able to audit and report on compliance, as it relates to data stored in the cloud, with relative ease.
Incident response and recovery are key elements of cloud data security. If there is an outage, whether it’s due to a cyberattack, technical failure, or natural disaster, enterprises want the data restored as quickly as possible—and to the nearest possible recovery point (RPO).
This means using technology such as instant recovery, or “recovery in place,” which tries to get rid of the traditional recovery window by redirecting workloads to a backup server. By creating a snapshot and redirecting all user write operations to the snapshot, you create a pristine copy of the backup data. Then, when users are working on the data from the backup virtual machine (VM), you can initiate a recovery process in the background. This is invisible to users, who are ultimately directed back to the original system.
Control over who has access to data is a critical aspect of cloud data protection. Indeed, user access controls are foundational to almost all cybersecurity controls. So you must have in-depth access controls that reduce the risk of unauthorized users gaining access to sensitive data. For example, role-based access control (RBAC) assigns each user a defined set of access privileges based on his or her role. So, an accounting team member can access accounting data, but not IP, for instance, enabling the Zero Trust principle of “least privilege.”
Cloud data security solutions confer a range of benefits on enterprises that adopt them. These run the gamut from enhanced data privacy to reduced cost of ownership for security and beyond. IT managers often find that they can simplify their security management with Rubrik.
Cloud data security enhances data privacy by protecting data wherever it lives in the cloud. With constant awareness of the type and location of data, storage and backup managers can be diligent in preventing data breaches that threaten the privacy of customers and others. Similarly, end-to-end encryption and immutable snapshots greatly reduce the likelihood and impact of data breaches that affect privacy.
Data cloud security is a budgeted line item like any other area of security. Solutions that reduce total cost of ownership (TCO) are therefore worthy of praise. A data cloud security solution should have a proven track record of cost-effectiveness. That includes a unified SaaS interface to improve the efficiency of backup management and cloud data security (leading to lower TCO) and the ability to transition backed up data to cost-optimized cloud storage tiers. Compression and deduplication further add to this benefit.
Cloud data security should offer continuous monitoring of data in the cloud. Round-the-clock awareness is useful and arguably essential for effective data protection in the cloud. Threats are constantly bombarding cloud instances, so permanent vigilance is required. In addition, cloud data tends to move around from one platform or cloud tier to another. As a result, a never-ending proactive approach is best for keeping it all safe.
SecOps and backup management lean toward complexity, which translates into cost and strain on people. Cloud data security must be manageable through a user-friendly interface that provides centralized control of complex security management workflows.
Data can be secure in the cloud, and today’s digital landscape makes such security imperative. Success depends on awareness of where data is in the cloud, what it is, and who has access to it. A cloud data security solution makes this happen. The solution must support hybrid and multi-cloud architectures. Rubrik meets these parameters, offering a cloud data security solution that’s centralized but also able to execute unique security controls such as immutable snapshots along with instant recovery.