Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. In this feature, Seagate Technology’s CISO and VP of Information Security Brad Jones offers the essentials of understanding cloud misconfiguration breaches.
Cloud misconfiguration is a key data security and privacy challenge. Even a small configuration error could mean an employee is an accidental click away from exposing an entire database and opening the organization up to regulatory scrutiny, financial repercussions, and reputation damage.
It is more difficult for organizations to maintain data security and privacy if they fail to put the right controls in place at the beginning of their multi-cloud journey. Poor security practices from one cloud can be multiplied and exacerbated across a hybrid or multi-cloud environment, creating a misconception that the cloud is inherently insecure. However, multi-cloud may not be the problem—misconfiguration often is. With comprehensive classification and the right controls, the cloud can be more secure than on-premises storage.
Cloud Misconfiguration Breaches: The Essentials
Achieve Full Visibility with Comprehensive Data Classification
A comprehensive data classification strategy is essential for maintaining data privacy, but implementing one is easier said than done. Many organizations do not fully understand where their data is stored, let alone how it should be classified. Organizations should start with the various native features cloud service providers offer for data classification to enable better visibility and help maintain privacy.
This could be as simple as a tag on a server or storage location mapped to the most sensitive level of data that an application contains or a more granular object or database level of classification offered by some platform-as-a-service providers. Organizations starting a new cloud journey should build data classification into the design from the beginning and leverage the platform’s capabilities. Organizations already in the cloud must take inventory to understand what features they are not yet leveraging and deploy them to maximize control.
Prevent Exposure with Multiple Security Layers
Companies should leverage several security safeguards to protect their cloud deployments, including cloud-native security, zero trust, and data encryption. Cloud service providers manage the underlying security infrastructure, so companies deploying to a cloud can leverage a shared security model in which they manage services and security on top of the layer supplied by the cloud provider.
Zero trust can help companies stop unauthorized individuals from accessing sensitive data and protect against data breaches. A zero-trust security model continuously verifies who users are and what applications (and therefore what data) they have access to, as well as the device and network they are using. This helps minimize the risk of an external actor accessing critical information or an internal stakeholder mishandling data. Data encryption is a critical layer for data privacy and security that can help ensure data confidentiality and integrity when other controls fail. Organizations should encrypt data while at rest and in flight and should ensure that the keys are maintained securely (and not with the data itself).
Manage Access and Control While Driving Innovation
Once clear data classification standards and the right security layers are in place, organizations must implement controls that provide appropriate access to the various categories of data. Security teams and key stakeholders from across the organization should collaborate closely. They need to make sure employees have access to all the data they need to be efficient and effective while also maintaining data security. In the cloud, everything ties back into an API so there is a record of all activity, giving the cloud a competitive edge over on-prem data storage when it comes to maintaining visibility and managing data access. Importantly, the security team can also access the logs of who signed in and from which device and what data they accessed.
Some organizations are concerned that too many processes and controls will impede the free flow of data and delay operations. However, data privacy controls are good for business—and not just because they reduce regulatory scrutiny and risk. Compliance with data security and privacy regulations helps unlock innovation by driving efficiency. The common systems and controls that come with good data security and privacy strategies help enable knowledge sharing across an organization, which gives employees the information they need. With ready access to critical data, employees are more efficient and make more informed decisions, ultimately driving better business outcomes.
- Cloud Misconfiguration Breaches: Three Essentials to Know - February 10, 2023