Companies are finding themselves increasingly dependent on a growing number of cloud-based services, as business tools move to online platforms, such as infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS). As a result, business data is often leaving network boundaries and being transferred to an external third-party platform beyond the scope of internal access management systems.
Data in the Cloud
Data processing and management is an essential part of the modern enterprise, regardless of sector. Thus, it is incumbent upon all organizations to ensure that data is secure and is not shared or lost. It has also become a regulatory requirement in many countries. Data processing has become more challenging now that it often takes place in the cloud.
No two cloud platforms are alike, as each platform offers its own distinct advantages and suitability for different applications and data processing. With organizations seeking to maximize their flexibility to meet changing market trends, they are increasingly relying on cloud platforms to support this.
“An average company uses about 25 to 49 tools from 10 different vendors,” says Nataraj Nagaratnam, CTO of cloud security at IBM. “A security and compliance platform that can integrate data from these tools and provide a pane of glass about the overall currency.”
However, ensuring that data is protected across a range of different platforms, and that access is managed appropriately, has become a time-consuming process. Just as every cloud platform is different, so are their access controls. It is therefore the responsibility of organizations to ensure that the correct controls are in place and deployed across all platforms that they use.
Not all datasets are equal; some are far more sensitive than others. For example, customer spending patterns may be commercially useful, but they are not as sensitive as financial transactions. “Public and internal data is not the same as confidential and sensitive data,” says Nataraj. “When [putting] confidential data and critical workloads in the cloud, the security controls you need to implement increase.”
Taking a data-centric risk-based approach is important, as it enables an organization to ensure that appropriate security controls are in place.
Risk Management in the Cloud
While encryption is important for protecting data in the cloud, an encryption key management system is arguably even more important. “The keys have become critical infrastructure,” says Nataraj. “We joke about it – encryption is for novices and key management is for professionals.”
As such, keys have become essential components of data security. Although data can be protected through encryption, if the associated keys are not secure enough, the data will still be vulnerable to attack. A zero-trust approach must be taken to ensure that the risk to the keys, and therefore the data they protect, is minimal.
A common flaw in the security posture involves issues with cloud platform access control. Problems can include obsolete accounts, such as when employees leave but their user profiles remain active; unnecessary access permissions due to users changing departments and needing to access different information; and inadvertently providing access to external parties.
“The top mistakes are misconfigurations,” says Nataraj. “It is not only sophisticated attacks that are happening out there. It is mundane, simple misconfiguration, where basic security practices – for example, preventing public access to sensitive data stores – are not fully followed. Such situations More violations and attacks happen.”
Managing access control in a multicloud network has become a complex process. Organizations are now responsible for ensuring that their security controls reflect risk and regulatory compliance. This complexity is not because organizations do not appreciate the importance of the data they control, but rather it is often a case of the security team not having the knowledge or time to ensure that the right controls are in place.
That’s why it’s important that organizations make access management systems easy for developers and understand the importance of uniform security controls.
Risk vs Vulnerability, Not Network vs Cloud
Organizations need to consider how they can minimize risk to their data, especially as they move critical workloads to the cloud. Given that data is now in the cloud, third-party risk also needs to be considered for data security.
“What are technical assurances [the] cloud provider or a third party cannot access customer data or keys?” asks Nataraj. “That shift to providing technical assurance is at the core of data security and privacy.”
With data in the cloud, organizations need to adopt a risk-based and data-centric approach to security strategy. They can no longer treat their network as a reliable boundary and instead must focus on the sensitivity of their data. It is important to balance the sensitivity of information with the utility of accessing it in the cloud, and to put in place appropriate policies to reduce the risk to that data.
It is important to accept that nothing is 100% secure and that it is a question of when a hack will happen, not if. This may come across as a fatalistic approach, but assuming that being hacked will never happen, and therefore failing to put contingencies in place for worst-case scenarios, puts an organization and its data at significant risk. So it is prudent to have actionable and tested plans for such instances.
Managing Access Control with IAM
Deploying an identity and access management (IAM) system allows organizations to have a single management interface to control access to their various cloud services. No longer managing user profiles in each separate cloud platform, IT teams will be able to efficiently control identity management, allowing them to focus their attention where it’s needed most.
An IAM system overlay would also enable audit of information controls across multiple cloud platforms. It will be able to monitor when and where information is being accessed, as well as identify any unusual activity in the cloud.
Having a codified set of standards that define security controls and access permissions on a cloud platform is central to an integrated identity and security management system. “It’s not just a set of policy documents that say, ‘You must protect data’,” says Nataraj. “It needs to get specific prescriptive controls that say, ‘this is how you protect your data’.”
Automating this process allows new cloud infrastructure to be built with baseline user permissions. This ensures that there is a consistent and repeatable approach to information management, embedding the organization’s security and data protection policies across the network. It also has the advantage of increasing the organization’s agility in responding to new opportunities and reducing project lag, especially at the outset.
While automation can reduce the risk of misconfiguration through poor communication and human factors, there must always be a human in the loop to ensure network oversight. This will ensure that there is consistency in the way an organization takes advantage of automation at scale, while also ensuring that there are no deviations from established access controls.
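As an added illustration (not from the article or from any vendor), the access-control problems and prescriptive controls described above can be codified as testable rules and run over a multicloud inventory, with the findings handed to a person for review. The inventory, field names and control IDs below are constructed and hypothetical, and "department mismatch" is a simplifying stand-in for permissions left over after a department change.

```python
# Constructed, provider-neutral inventory; control IDs and field names are hypothetical.
STORES = {
    "finance-ledger":   {"cloud": "cloud-a", "class": "confidential", "public": False, "dept": "finance"},
    "campaign-stats":   {"cloud": "cloud-b", "class": "internal",     "public": False, "dept": "marketing"},
    "customer-exports": {"cloud": "cloud-b", "class": "confidential", "public": True,  "dept": "sales"},
}
IDENTITIES = [
    {"id": "alice",    "active": True, "employed": True,  "external": False, "dept": "finance",   "grants": ["finance-ledger"]},
    {"id": "bob",      "active": True, "employed": False, "external": False, "dept": "sales",     "grants": ["customer-exports"]},
    {"id": "carol",    "active": True, "employed": True,  "external": False, "dept": "marketing", "grants": ["finance-ledger", "campaign-stats"]},
    {"id": "vendor-x", "active": True, "employed": True,  "external": True,  "dept": None,        "grants": ["customer-exports"]},
]
SENSITIVE = {"confidential", "sensitive"}

def public_sensitive_stores(stores, identities):
    # Sensitive data stores must never allow public access.
    return [n for n, s in stores.items() if s["public"] and s["class"] in SENSITIVE]

def obsolete_accounts(stores, identities):
    # Accounts of people who have left must not remain active.
    return [i["id"] for i in identities if i["active"] and not i["employed"]]

def cross_department_grants(stores, identities):
    # Current staff holding grants on another department's sensitive store.
    return [f'{i["id"]}->{g}' for i in identities
            if i["employed"] and not i["external"]
            for g in i["grants"]
            if stores[g]["class"] in SENSITIVE and stores[g]["dept"] != i["dept"]]

def external_grants(stores, identities):
    # External parties holding grants on sensitive stores.
    return [f'{i["id"]}->{g}' for i in identities if i["external"]
            for g in i["grants"] if stores[g]["class"] in SENSITIVE]

# The codified baseline: every control is a named rule that can be executed.
BASELINE = {
    "DS-01": public_sensitive_stores,
    "IAM-01": obsolete_accounts,
    "IAM-02": cross_department_grants,
    "IAM-03": external_grants,
}

def audit(stores, identities):
    """Run every control and return {control_id: [violations]} for human review."""
    findings = {c: sorted(check(stores, identities)) for c, check in BASELINE.items()}
    return {c: hits for c, hits in findings.items() if hits}

if __name__ == "__main__":
    for control, hits in audit(STORES, IDENTITIES).items():
        print(f"FAIL {control}: {', '.join(hits)}")
```

The script only reports deviations; deciding whether to revoke a grant or close a store stays with the reviewer.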
Automating an IAM system can be coordinated with a network’s intrusion detection system (IDS) to further audit access control across an organization’s network and cloud platforms. These can flag suspicious network activity to network administrators, whose responses can be fed back into automated IDS to refine machine learning threat detection algorithms.
Data Protection Regulation
With an increasing number of cloud-driven business platforms, managing access across these diverse platforms has become an ever-increasing challenge. This has coincided with the latest data protection regulations, including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Data protection laws now not only require organizations to have appropriate policies in place to protect user data, but also require that these policies allow access to the information to be controlled and audited. An IAM system overseeing a multicloud architecture makes access control fully auditable, regardless of how many cloud platforms and services the organization uses.
Regulatory oversight continues to increase with the expansion of existing laws and the development of new data sovereignty laws. This will continue to make information sharing and data processing a complex area. Recognizing how these changing regulatory trends evolve will enable the preparation of appropriate mechanisms to ensure that data continues to be shared and processed in a manner that is consistent with relevant data protection regulations.
Risk Management and Compliance with IAM
Organizations are increasingly relying on cloud-based services to meet their business needs. It is therefore vital that an integrated IAM system is in place to ensure that appropriate access management systems are in place, as this will allow organizations to take advantage of cloud services while ensuring they remain compliant with data protection and data sovereignty legislation.