For organisations to rightfully use the value from their data programmes, securing data throughout its lifecycle and across cloud platforms and endpoints is necessary.
Modern-day enterprises are built and groomed around data. The vast amount of data (user, business, and IP-related), spread within and beyond the perimeters, is redefining businesses.
Cloud is the enabler and force multiplier in this whole scheme of things. Business decision-makers have recognized the value of the cloud beyond the conventional areas of agility and efficiencies to drive new product development, innovation, and sustainability, where data is key. Cloud adoption amplifies data-driven capabilities, such as data collection, enhancements, visualizations, and predictive insights.
Cloud also disperses data across SaaS, PaaS, IaaS, and on-premises environments, making it complicated for IT and security leaders to manage data security. In a recent study by a leading cloud service provider, more than 50 percent of respondents did not seem to have any cloud data security tool to monitor threats and exfiltration. Lack of visibility and understanding around shared responsibility, together with vulnerabilities from improper configuration and insecure APIs, renders the data insecure. Data breaches are rising at an alarming rate, which puts an organization, its entire value chain, and its customers at risk. In addition, data protection and privacy regulations are being tightened across the globe, with penalties in place.
However, it is not just about penalties. A customer’s brand perception is based on trust, where upholding the highest standards of ‘data responsibility’ creates trust in the way product safety and efficacy would.
For organizations to rightfully use the value of their data programs, securing data throughout its lifecycle and across cloud platforms and endpoints is necessary.
A few considerations to improve data security in today’s multi-cloud environment include the following:
- Knowing that security is a shared responsibility of customers and Cloud Service Providers (CSPs) – While physical security and host infrastructure are largely the responsibility of a CSP, data classification and accountability, end-point protection, and identity and access management largely fall on a customer’s shoulders. Even different storage options from the same CSP may offer different encryption options. It is important to know what native capabilities for encryption, data masking, tokenization, etc. are provided by a CSP, and to assess additional requirements based on regulations or enterprise risk appetite.
- Data residency and compliance requirements – Of 194 countries, 137 have data protection and privacy legislation, according to the United Nations Conference on Trade and Development (UNCTAD). Understanding the mandates around the collection, storage, and processing of citizen and resident data is extremely important. In India, while the privacy bill is still being mulled over, localization requirements already exist under specific directives, such as the one issued by RBI in 2018. Organizations must choose their cloud services with an understanding of data residency, data protection, and other compliance requirements (such as GxP requirements in pharma, PCI DSS in the payments industry, etc.).
- Enhanced visibility and unified cloud management – In a hybrid and multi-cloud environment, complete visibility on a single pane helps in better management and utilization, and in improving overall security. Using the power of automation, orchestration, and AI to manage and review logs on a single unified dashboard can improve security and vigilance on the cloud. Organizations could consider tools such as Cloud Security Posture Management (CSPM) to automatically assess compliance with security policies and standards, and to detect and remediate issues (such as compliance violations, any possible threats, misconfigurations, and unauthorized access/insider threats). CSPM tools, through greater and unified visibility across cloud assets, help in identifying and remediating issues related to encryption, key management, identity, access, etc.
- Focus on data resilience – Last year, an energy company in the US claimed to have lost 20-25 years of data after a cyberattack. Imagine IP-related data being stolen and completely wiped out in a research-centric organization, or an organization in the critical infrastructure sector where real-time data powers the whole supply chain. In such organizations, even the slightest delay in data availability can lead to losses and chaos. Multi-layered defense, multi-level data resilience, and incident management with business continuity drills can prepare organizations for such scenarios and create a strategy for minimum downtime and seamless rebound.
- Zero Trust Access (ZTA) – The possible panacea to modern-day cyber threats emanating from the cloud is to align to the ‘never trust, always verify’ approach. In addition, helping users securely connect to applications (irrespective of where they reside) is important. ZTA helps overcome implicit trust and uses a risk-based approach that involves verifying each connection and implementing granular access control. A cloud-native broker that works on the principle of connecting users to applications instead of granting broader network access, with a continuous authorization process aligned with contextual security information and built-in data protection, could be seen as a game changer in enterprise security.
It always helps to have a structured approach to the cloud. Going forward, 5G will open more avenues for connectivity, data generation, and distributed computing, while increasing the attack surface for exploitation.
An organization must use the cybersecurity lens right at the onset of transformation to comprehend various ways in which the confidentiality, integrity, and availability of the data could be compromised, and implement the right strategy to protect the data.
The article has been authored by Gaurav Shukla, Partner and Leader – Cyber, Risk Advisory, Deloitte India and Manishree Bhattacharya, Manager, Risk Advisory, Deloitte India