Having control of any complicated computing environment is hard enough when it’s entirely contained within your organization and on premises. But having control when it’s spread across hundreds of different applications both internal and external and across various cloud platforms is a whole other matter. 

According to Cybersecurity Insiders’ 2022 Cloud Security Report

  • Nearly half (47%) of organizations cite “loss of visibility and control” as one of their biggest challenges around securing multi-cloud environments. 
  • Almost a third find “implementing continuous and automated security controls in the cloud” to be one of their biggest operational day-to-day headaches around trying to protect cloud workloads. 
  • And more than 20% cite “loss of control” as the biggest barrier to cloud adoption in their organization. 

Controlling cloud data for the sake of keeping it as secure as possible isn’t easy, but that doesn’t mean a) It can’t be done, or b) It can’t also be made easy, or at least, easier, via best practices. 

In part 2 of our three-part cloud data security blog series, we discussed the issue of complexity. In part 3, we’ll discuss the issue of getting control. 

What Are the Different Types of Cloud Data Security Controls?

There are four general types of cloud security controls, each pertaining to the before, during, and after of an attack: 

  • Deterrent controls, which are intended to keep malicious actors away from a cloud system. 
  • Preventive controls, which companies use to manage, strengthen, and protect vulnerabilities within a cloud.
  • Detective controls, which are used to identify or detect an attack.
  • Corrective controls, which help reduce the after-effects of an attack.

The ideal, of course, is to never, or almost never, have to implement controls at the corrective stage because you’ve done so well with implementing them at the deterrent and preventive stages. 

How to Get Control of Your Cloud Data Security

  • Develop solid data governance 

A major part of effective cloud data security is proper data governance. Data governance is the process of managing the usability, integrity, availability, and security of enterprise data according to internal standards and policies. Effective data governance ensures data stays consistent and trustworthy and doesn’t get misused. 

Create cloud data governance policies that outline what types of data can be stored in various cloud environments. Data can be stored securely in the cloud, but you need to pay attention to how, when, and by whom it’s accessed because that’s what will typically lead to cloud data security issues. The governance policies you put into place before your data is even in the cloud will dictate the who, how, why, and where of your cloud data access. As an example, you should always require security verification (authentication and authorization controls) for downloads to and from unsecured devices. 

  • Create good technical controls

The next thing you need to do to secure your cloud data is to create proper technical controls, such as encryption. With cloud-based encryption, the cloud provider generates, manages, and stores the keys used to encrypt and decrypt data at rest. 

In a Bring Your Own Key (BYOK) scenario, the customer generates and manages the encryption keys, but the cloud provider has access to the keys and can use them to encrypt and decrypt data.

With Hold Your Own Key (HYOK), the customers generate, manage, and store encryption keys in their own environment. The cloud provider does not have access to the keys and is, therefore,blind to the contents of encrypted data.

Some companies take a HYOK approach to all sensitive data, in which case the cloud is used only for storage. Most organizations, however, require additional cloud capabilities such as online collaboration and search for at least some of their sensitive data. In these cases, a hybrid approach is usually the best bet. Data an organization considers appropriate for cloud-based use is encrypted with keys the cloud provider holds. Data requiring maximum protection is encrypted with company-held keys to render it unreadable by the cloud provider. 

Remember that your data should be protected both “at rest” and in transit. A great way to make sure it’s protected no matter what happens is through solutions like Pure Storage® SafeMode™, a high-performance data protection solution built into FlashArray™ that provides secure backup of all data. SafeMode is built into ALL Pure Storage products including FA, FA//C, FB and CBS

Also, Pure’s Cloud Block Store is a great way to consistently implement controls between on- and off-prem block data stores. It’s not just about consistency, it also implements additional security controls like SafeMode and encryption of data at rest (on by default with no additional key management).  CBS allows you to also setup truly zero RPO/RTO replication or near zero RPO/RTO replication between availability zones, regions, or even clouds using ActiveCluster and/or ActiveDR.

  • Do good configuration management

The third element of gaining control of your cloud data is good configuration management. Configuration management lets engineering teams create stable and robust systems via tools that automatically manage and monitor updates to configuration data.

Each service in a microservice architecture, for example, uses configuration metadata to register itself and initialize. In a complex configuration like this, it’s easy for configuration values to get lost in the shuffle or completely forgotten about, leading to the configuration becoming disorganized and scattered. 

Good configuration management solves this challenge by creating a centralized, “single source of truth” for configuration. This will allow your team to identify and collate all configuration data, establish a baseline that can successfully operate the dependent software without error, implement a version control system, and enable collaboration and visibility into the system’s configuration. 

You should also consider technology risk management and configuration platforms like Ivanti Neurons to attain consistency across multiple cloud environments and help gain visibility into potential areas of misconfiguration or additional risk in cloud platforms. A config management tool will help ensure consistency so that the “right” controls get implemented vs. what a developer might “think” is correct. 

Good configuration management also means having the right attributes for your security environment to make your configurations easy. If you have, for example, tens of thousands of options for configurations, no one will be able to be an expert on all of them. If you’re using infrastructure as a service (IaaS), constantly check and monitor your configurations, and be sure to employ the same monitoring of suspicious activity as you do on-prem. 

  • Invest in the right cloud data security tech 

Finally, good cloud data security comes down to investing in the right technologies. You already know that you can’t do it all by yourself, so you need to find the best possible solutions to protect your cloud data. 

The growth of the cloud has increased general Kubernetes adoption, which has increased demand for Kubernetes data protection. The problem is that most businesses don’t know how to protect their containerized applications. In fact, according to IDC, 75% of customers wrongly believe they can back up containers the same way as their other applications. 

The hard truth is that customers need something more granular than VM-level snapshots to reliably restore Kubernetes applications in production. 

Luckily, Pure’s acquisition of Portworx in 2020 has ushered in the next generation of cloud data security and protection. Pure customers can now get full Kubernetes data protection thanks to the release of a FlashBlade® appliance integrated with Portworx® PX-Backup. Pure FlashBlade’s Rapid Restore enables 270TB/hr data recovery speed. Combined with the container-level backup capabilities of PX-Backup, customers now have a way to quickly recover their containerized workloads in case of outages.

The FlashBlade-PX-Backup combo, Portworx, has been tested and certified for three key cloud data protection use cases:

  1. Customers running Kubernetes databases on any on-prem storage infrastructure can use the FlashBlade appliance as the backup target, with PX-Backup serving as the backup manager.
  2. Application backups on the FlashBlade appliance can be sent via PX-Backup to any S3-compatible cloud target for recovery in the cloud. 
  3. PX-Backup can continually sync two FlashBlade appliances at two different data centers for immediate failover.

In short, Portworx by Pure Storage provides a fully integrated solution for persistent storage, data protection, disaster recovery, data security, cross-cloud and data migrations, and automated capacity management for applications running on Kubernetes.

Get started with Portworx—try it for free.