The fourth pillar to actionable cloud security - Data Protection
This post is the sixth in a series of eight on the five pillars to actionable cloud security. For the rest of the series, visit the Five Pillars blog page here.
That data moves into and through the cloud might seem obvious, but it raises new security requirements. The very notions of data-in-motion and data-at-rest become blurred. As an example, data protection for a network is often equated to backup, but this is overly simplistic. Data backup is a snapshot in time of selected, any, or all data in a cloud infrastructure. This is data at rest, and as such, it is only accurate at the point of the backup. When backups are deployed to rectify a compromise, i.e., a data restore, significant time may have elapsed between the date of the most recent backup and the data restoration is initiated. All the data between those two times is essentially unprotected.
Recent legislation such as GDPR has forced security professionals to look beyond the protection of data at rest, and address the much more difficult task of protection data in motion (i.e., data in transit). Data in motion is very often data moving out of the network, or between nodes, and as such can be vulnerable to malicious activity during the act of transport.
Encryption is the most popular method of protecting data both at rest and in transit, but it is not a total solution. Network security controls add another layer of protection, as do data policies. Data that has been classified as at-risk can have specific policies applied to it whenever such data is accessed or moved, ranging from alerts to full blocks against access or transit.
There are other data conditions which need to be considered as part of data protection as well. One of these is archiving. Even though archived email is clearly data-at-rest, it still needs to be considered within the overall protection scheme. Another consideration is ongoing threat scanning. Scans need to look at all data, not simply data in motion. It is very common to find emails with latent threats in the trash or spam folders; recognizing that these contain latent threats is important to ensure that someone doesn’t inadvertently open them and trigger malware.
Within the Azure infrastructure, the products and services identified here need to be considered as part of an organization’s Data Protection pillar.
To develop an actionable Data Protection pillar, customers must:
- Have complete visibility of information and data stored in Azure
- Controlled versioning of data
- Protect data at all times
- Encrypt their data at all times
In the next blog in this series, we’ll dive deeper into the 5th pillar, IR (Incident Response).