By Neeraj Nayak, Senior Manager, Product Marketing at CipherCloud
Today a cloud-first strategy is the norm: it provides competitive advantage through improved business agility at lower infrastructure and deployment costs. Cloud services are making significant inroads in the industry, with enterprises deploying multiple clouds to meet their business needs. But this has brought forth an interesting challenge: remote workers collaborate freely in the multi-cloud environment without the visibility or protection of traditional on-premises security. Sensitive data today may reside across multiple apps, databases and personal devices, and without proper visibility enterprises run the risk of compliance failures, security weaknesses and data breaches. While enterprises keep adding more cloud services to maintain business continuity, it is of paramount importance that they first take a step back and assess the archived or historical data that has been residing in their clouds for years. Only then can organizations answer the two most important questions: are we compliant, and who has access to our sensitive data?
Sometimes it’s OK to look back at the past
What is historical data? Let’s say you have been using Salesforce for the past few years to store the CRM records of all your customers. Because of an uptick in threats to cloud data, you decided to upgrade the security posture of your Salesforce account and adopted a cloud data protection solution to encrypt all confidential customer records as they are written to the cloud. Does that make your cloud environment secure and protect your data from all future cloud breaches? The answer is a resounding no. You did an excellent job selecting data protection software that performs a real-time check on all current and future data going into the cloud, but what about the records that have already been residing in the cloud for the past few years? How are they protected? A scan of that historical data will typically reveal unprotected sensitive records, over-shared files and gaps against the latest data privacy laws. Under the Shared Responsibility Model for cloud security, the customer remains responsible for its data in the cloud, and that data needs to be managed and protected from creation to deletion. So what is the first step towards continuous data visibility and protection?
Cloud Data Discovery (CDD) allows organizations to discover and classify data already stored in leading SaaS applications. The first generation of CASBs focused on data going into the cloud and lacked visibility into data that was already stored there. With Cloud Data Discovery, organizations can scan historical data across multiple cloud apps: field-level information in structured clouds such as ServiceNow and Salesforce, and unstructured data such as files in collaboration apps like Office 365, Slack and Box.
Fig. Results of Cloud Data Discovery Scan
Cloud Data Discovery best practices
- Classify sensitive content: Not all data hosted in the cloud is equally sensitive. The sensitivity of a record depends on its content, who can access it, and how it is shared between users or across cloud apps. Define policies to classify and label data (“confidential”, “important”, “sensitive”, “private”, etc.) so you can pick out the needles from the haystack.
- Set up DLP policies: Out-of-the-box DLP templates cover a wide variety of standards for identifying PII, PHI or financial data, and you can also create custom templates built from constructs such as regular expressions and keywords. Next-gen CASBs, such as CASB+, also support Optical Character Recognition (OCR) to scan images for sensitive data such as credit card and driver’s license numbers.
- Assess security posture: Almost daily there is a new report of an organization that lost control of its data through innocuous means such as public sharing. Cloud Data Discovery dashboards provide drill-down details on historical file scans along with the number of existing violations. After discovery, the admin can remove the files or limit their exposure.
- Schedule the scans: Cloud Data Discovery scans can run on a periodic schedule or on an ad-hoc basis, and as a full or incremental scan, to check data against GDPR, CCPA, HIPAA and other regulations. Once out-of-compliance data is identified, it can be remediated immediately or flagged for manual remediation.
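To make the DLP-template and scan-scheduling practices above concrete, here is a small discovery scanner written for this page as an added example; it is not CipherCloud's CASB+ or Cloud Data Discovery code. It walks a set of stored records, applies regex templates (with a Luhn check and an SSN plausibility check to cut false positives) and keyword templates, assigns the highest-ranked label that fires, and supports both a full scan and an incremental scan of only records modified after a given timestamp. The record layout, template names, labels and the sample records are all assumptions constructed for the illustration.

```python
"""Toy cloud data discovery scanner: regex/keyword DLP templates over stored records.

Added example for this article, not CipherCloud product code. The record layout,
template names and labels are assumptions made for the illustration.
"""
import re
from datetime import datetime

# Constructed sample records (not real customer data). "modified" stands in for
# the last-modified timestamp a SaaS API would return for a field or file.
RECORDS = [
    {"id": "sf-acct-001", "app": "salesforce", "path": "Account.Description",
     "modified": "2018-06-01T09:00:00Z",
     "text": "Paid by card 4111 1111 1111 1111. Billing contact on file."},
    {"id": "sf-case-042", "app": "salesforce", "path": "Case.Comments",
     "modified": "2019-11-20T14:30:00Z",
     "text": "Ticket ref 4111 1111 1111 1112 (not a card, fails Luhn)."},
    {"id": "box-hr-17", "app": "box", "path": "/HR/onboarding.txt",
     "modified": "2021-02-10T08:15:00Z",
     "text": "New hire SSN 123-45-6789. INTERNAL ONLY. Do not share externally."},
    {"id": "slack-msg-9", "app": "slack", "path": "#general",
     "modified": "2021-03-01T17:45:00Z",
     "text": "Lunch menu for Friday attached."},
]

# Label ranking used when several templates fire on one record.
LABEL_RANK = {"public": 0, "internal": 1, "sensitive": 2, "confidential": 3}


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject SSNs the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = ssn.split("-")
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


# Regex DLP templates: (name, label, compiled pattern, optional validator).
TEMPLATES = [
    ("credit_card", "confidential",
     re.compile(r"\b(?:\d[ -]?){12,15}\d\b"), luhn_ok),
    ("us_ssn", "confidential",
     re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_plausible),
]
# Keyword templates: case-insensitive phrase -> label.
KEYWORDS = [("confidential", "confidential"), ("internal only", "internal")]


def scan_record(rec: dict) -> list:
    """Return (template, matched_text, label) findings for one record."""
    findings = []
    for name, label, pattern, validator in TEMPLATES:
        for m in pattern.finditer(rec["text"]):
            if validator is None or validator(m.group(0)):
                findings.append((name, m.group(0), label))
    lowered = rec["text"].lower()
    for phrase, label in KEYWORDS:
        if phrase in lowered:
            findings.append(("keyword:" + phrase, phrase, label))
    return findings


def classify(findings: list) -> str:
    """Highest-ranked label among the findings; 'public' when nothing matched."""
    return max((f[2] for f in findings), key=LABEL_RANK.get, default="public")


def parse_ts(ts: str) -> datetime:
    """ISO-8601 with trailing Z -> aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def scan(records: list, since: str = None) -> dict:
    """Full scan when since is None; incremental scan of records modified after it."""
    cutoff = parse_ts(since) if since else None
    results = {}
    for rec in records:
        if cutoff is not None and parse_ts(rec["modified"]) <= cutoff:
            continue  # unchanged since the last scan; skip in incremental mode
        findings = scan_record(rec)
        results[rec["id"]] = {"app": rec["app"], "path": rec["path"],
                              "label": classify(findings), "findings": findings}
    return results


if __name__ == "__main__":
    for rid, r in scan(RECORDS).items():
        print(rid, r["app"], r["path"], r["label"], [f[0] for f in r["findings"]])
    print("incremental since 2020:", sorted(scan(RECORDS, since="2020-01-01T00:00:00Z")))
```

The validators are the part worth copying: a bare 16-digit regex flags the ticket reference in `sf-case-042`, while the Luhn check drops it, which is the difference between a dashboard an admin trusts and one they mute. In a real deployment the `modified` timestamp comes from the SaaS API's change tracking, and the incremental scan runs on the scheduler between full scans.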
With the increasing focus on data privacy and the introduction of laws such as GDPR and CCPA, securing data is front and center for every organization with a cloud-first strategy. Now more than ever, you need to ensure that not only your current data but also your historical data remains compliant with the latest data privacy and protection laws.