The following appears as a chapter in our eBook: “The CISO’s Guide to Cloud Data Protection: A New Approach for the Modern Security Leader.”
The entire eBook is available here, and covers a wide range of topics, including a primer on cloud application security considerations, a breakdown of the two schools of thought regarding how to approach securing data within cloud applications, actionable tips to get started, and more.
Given the number of moving parts in today’s dynamic cloud ecosystem, coupled with the competing philosophies on how to best protect sensitive data, developing and implementing an effective cloud security program can be a daunting task.
Fear not! Simply follow these actionable steps optimized for a comprehensive cloud application security program.
Cloud Security Step One: Determine Scope
First, determine the scope of your efforts and where your responsibilities reside. SaaS providers excel at securing infrastructure as well as providing activity audit logs and security APIs. Your enterprise, then, is left responsible for putting safeguards around user behavior – creating and enforcing policies specific to the organization’s unique nature. Take inventory of your environment, determining what cloud applications are present in the enterprise and what potential user behavior requires attention.
Cloud Security Step Two: Define Policy
Establishing policy starts with determining what data or behavior you are concerned with protecting – and in what context. Compliance regulations, data protection, and organizational data governance considerations all come into play here. Once you understand this, develop intelligent policy against which to surface incidents worth investigating.
For example, if data within a cloud application in your environment contains payment card information, be sure to define a policy to surface instances where it is found. If you’re in the manufacturing industry, intellectual property is likely a concern. Healthcare providers are concerned with personal medical information, and so on. Don’t forget context; for instance, you may only be concerned with externally or publicly exposed instances of the above examples.
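The payment card policy described above, as an added example that is not part of the original eBook: it surfaces an incident only when card data and a risky sharing context coincide. The file record fields (name, owner, sharing, content) and the sharing labels are assumptions made for illustration, and the inventory is constructed sample data.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum, used to discard random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return card numbers found in text, masked to first 6 / last 4 digits."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

EXPOSED = {"external", "public"}  # assumed labels for the context the policy cares about

def evaluate(files):
    """Surface an incident only for card data in externally or publicly shared files."""
    incidents = []
    for f in files:
        pans = find_pans(f["content"])
        if pans and f["sharing"] in EXPOSED:
            incidents.append({"file": f["name"], "owner": f["owner"],
                              "sharing": f["sharing"], "matches": pans})
    return incidents

# Constructed sample inventory; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = [
    {"name": "q3-refunds.csv", "owner": "alice", "sharing": "public",
     "content": "refund to 4111 1111 1111 1111 approved"},
    {"name": "billing-notes.txt", "owner": "bob", "sharing": "internal",
     "content": "card 4111-1111-1111-1111 on file"},
    {"name": "orders.txt", "owner": "carol", "sharing": "external",
     "content": "order id 1234567890123456 shipped"},
]

if __name__ == "__main__":
    for incident in evaluate(SAMPLE):
        print(incident)
```

Only the publicly shared file is surfaced: the internal file holds card data but is out of the policy's context, and the externally shared order id fails the Luhn check.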
Cloud Security Step Three: Monitor
The instantaneous and interconnected nature of cloud applications accelerates data flow, and the security response should be aligned accordingly. Once a policy is defined, make sure to monitor your entire cloud ecosystem continuously to surface incidents of policy violation swiftly. By continuously monitoring both structured and unstructured data, organizations reduce the time-to-detection factor and mitigate risk through rapid response.
Cloud Security Step Four: Involve Your Users
Depending on how they are treated, users can either be a security team’s greatest asset or biggest source of headaches.
To avoid the latter, proactively educate users, rather than rely on paper policy. Make users feel heard, and institute user-sensitive policy accordingly. For instance, if your business partners require access to a particular third-party app for work-related purposes, be sure to allow them access – without sacrificing organizational security by enabling it for the entire organization.
In the event of a policy violation, rather than blocking and tackling, or modifying a user’s files in the name of security, work with the user. First, notify the user, explaining why a policy violation occurred, and empower them to rectify the situation themselves. In doing so, security teams create an educational feedback loop capable of enforcing positive behavior.
Cloud Security Step Five: Practice Ongoing Security
Securing an enterprise is an ongoing, iterative process and needs to keep pace as technology, user behavior, and threats all evolve. Be sure to reevaluate policy and security practices based on findings and feedback along the way. For instance, provide users with an opportunity to express their business requirements for certain applications on an ongoing basis.
Then, regularly evaluate their needs along with the relevant security concerns to make appropriate decisions. Additionally, as sensitive information varies not only from organization to organization, but also from month to month, be sure your policies are constantly updated to ensure detection. For example, a manufacturing company’s intellectual property may update continuously, and security teams must be armed with this information in order to prevent a data leak.
Ready for More?
- Learn the characteristics and priorities of today’s forward-thinking security leaders
- Obtain actionable guidelines to initialize and execute an effective cloud security program
- Be empowered to bring it all to life with a formula to measure the impact of security efforts in every organization