How to protect data in a hybrid cloud environment
The past few months have been unbelievably instructive on the importance of keeping one's information safe, be it client information or your own belongings. Information protection itself covers a broad span:
- Be aware of your environment
- Prioritize risk management
- Physical information protection
- Protection from device failure
- Protection from data loss and breach
- Use hardware and best practices to protect cloud data
1) Prioritize risk management
“The opportunity to secure ourselves against defeat lies in our own hands.”
After assessing the state of your hybrid cloud environment, you may identify a number of vulnerabilities. That doesn't mean you need to fix everything at once; identify which vulnerability presents the greatest risk and remediate it first, and completely. Deploy or consume tooling to continually assess the risk profile of your cloud assets.
2) Be aware of your environment
“Know thy enemy.”
It is also important to understand the type of space you are in, what specific threats it faces and what breaches, if any, have occurred in your industry. Be able to explain why another company's data was compromised so you don't make the same mistakes.
Enterprise cloud solutions are often a hybrid, a mix of private cloud and public cloud environments. For the hybrid cloud, investment in state-of-the-art hardware will add layers of security to the cloud environment. Security is needed in three places: entering or exiting the corporate network, entering or exiting the cloud provider, and within the cloud itself. Let's look at some of the hardware essentials and best practices for these areas.
3) Physical data protection
Cloud protection starts with physical security: protecting against theft, loss, accidents, power failures and natural disasters. Cloud data centers are physically secure, often in remote areas, with multiply redundant, backed-up power supplies, redundant telecom connections, and building security with controlled access; their size and the nature of their storage management make it near impossible to identify the physical location or device storing any one organization's data. By comparison, many enterprises at best have a single data center, while SMEs might just have an in-building server room or data closet. Very small companies may just have a NAS sitting unprotected on site.
To protect against physical data loss, it is essential to have a physically separate offsite backup copy. Unsurprisingly, simple data backup to the cloud is the oldest cloud application and, until the advent of big data with cloud compute, was one of the largest consumers of cloud storage.
4) Protection from device failure
The next stage is protection from data loss stemming from device failure. No matter the storage medium, there is always the risk of device failure: with HDDs it is inevitable, and the flash devices used in SSDs wear out. RAID technology was developed to protect against drive failure, although with very large drives RAID is increasingly less effective. For traditional storage, industry best practice is to follow a 3-2-1 backup strategy: back up to a second device and then back up offsite (three copies of the data, on two different media, with one copy offsite). This quickly becomes expensive both in hardware and in IT time spent on maintenance, time that could be spent on strategic business initiatives.
A variant of data loss is inadvertent or malicious deletion of data. Over time, users, and even IT managers, utilizing file hosting and collaborative solutions such as Dropbox and Office 365 have become so accustomed to cloud reliability that they assume files are always available. However, if a file is deleted it is only recoverable for a short time. A 2015 study by EMC found the top causes of data loss were accidental deletion (41%), migration errors (31%) and accidental overwrites (26%). To protect against this, several new products that provide cloud backup are becoming available, especially for Office 365.
5) Protection from data loss and breach
The third part of data protection is protection from data breach incurred through human behavior. Many data breaches, and even ransomware incidents, start with phishing attacks through social engineering. Another problem, especially with file hosting solutions, is shadow IT, where employees upload restricted data to an unauthorized personal cloud file hosting application such as Google Drive, OneDrive or Dropbox.
Many of these do NOT deliver end-to-end encrypted traffic, although this might be expected from more consumer-oriented services. The bigger issue is that all these services readily facilitate file sharing, and IT then has no knowledge of what files have been shared and with whom. This can easily violate industry and regulatory compliance regimes such as CJIS (Criminal Justice Information Services), FERPA (Family Educational Rights and Privacy Act), HIPAA (Health Insurance Portability & Accountability Act), MPAA (Motion Picture Association of America) and GDPR (General Data Protection Regulation).
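Shadow IT uploads of the kind described above are something web proxy or gateway logs can surface. As an added example (not code from the original article), the following Python script flags large, successful uploads to the personal file-hosting domains named above; the log format, the domain list, the size threshold and the sample log lines are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Personal file-hosting domains named in the article; treating them as unsanctioned
# (and a corporate SharePoint host as sanctioned) is an assumption for this example.
UNSANCTIONED_SUFFIXES = ("drive.google.com", "dropbox.com", "onedrive.live.com")
UPLOAD_METHODS = {"POST", "PUT"}
MIN_UPLOAD_BYTES = 1_000_000  # ignore small form posts; threshold is an assumption

# Assumed simplified proxy log format: timestamp user method host bytes_sent status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<bytes>\d+) (?P<status>\d{3})$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice GET www.example.com 512 200
2024-03-01T09:14:41Z alice POST content.dropbox.com 52428800 200
2024-03-01T09:20:10Z bob PUT drive.google.com 104857600 200
2024-03-01T09:21:00Z bob POST drive.google.com 900 200
2024-03-01T09:25:33Z carol PUT sharepoint.corp.example.com 73400320 201
2024-03-01T09:30:00Z alice PUT www.dropbox.com 20971520 403
this line is malformed and must not crash the sweep
"""

def is_unsanctioned(host):
    """Exact or subdomain match only, so a host like 'notdropbox.com' is not a hit."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in UNSANCTIONED_SUFFIXES)

def find_shadow_uploads(log_text):
    """Return {user: bytes} for successful, large uploads to unsanctioned hosts."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed line: skip it, do not abort the whole sweep
        if m["method"] not in UPLOAD_METHODS or not m["status"].startswith("2"):
            continue  # only completed uploads count; a blocked PUT (403) did not leak data
        if not is_unsanctioned(m["host"]) or int(m["bytes"]) < MIN_UPLOAD_BYTES:
            continue
        totals[m["user"]] += int(m["bytes"])
    return dict(totals)

if __name__ == "__main__":
    for user, total in sorted(find_shadow_uploads(SAMPLE_LOG).items()):
        print(f"{user}: {total / 2**20:.0f} MiB uploaded to unsanctioned file hosting")
```

In a real deployment the same logic would run over the proxy's actual log format, and the resulting per-user totals feed the review of who shared what, which the article notes IT otherwise cannot see.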
6) Use Hardware and Best Practices to Protect Cloud Data
For data entering and leaving the network and cloud:
Next Generation Firewall (NGFW). As an Internet gateway, a next-gen firewall enables visibility and protection against external threats and Internet activity.
Internal Segmentation Firewall. This type of firewall provides visibility and protection for internal segments inside the access layer.
Intrusion Prevention System (IPS). Protects networks from both known and unknown threats, blocking attacks that might otherwise take advantage of network vulnerabilities and unpatched systems.
Detects malicious content and abnormal behavior in Web-based applications.
Inspects Web traffic and blocks malicious traffic from Web-based threats.
Virtual Private Network (VPN). Enables the establishment of secure communications and data privacy between the cloud environment, internal servers and endpoint users.
Security Architecture. Built to enforce separate policies on different classes of traffic.