In our latest ebook, The Data Leader’s Guide to Enterprise Cloud Security and Data Architecture, we talk a bit about cloud security controls. What are cloud security controls, and why do we need them?
Here’s a story: In 2013, internet giant Yahoo! suffered a security breach that compromised all 3 billion Yahoo! Accounts – the largest security breach in history. Not only that, Yahoo! didn’t disclose the breach until three years later. It nearly caused the company’s sale to Verizon to fall through. And it did reduce Yahoo’s sale price by $350 million. What’s more, the reputation damage for Yahoo! was incalculable.
Needless to say, this is every enterprise organization’s nightmare. Several times a year, we hear of a new security breach that exposes crucial data – social security numbers, passwords, credit card information, and more – to potential risk. The bigger the breach, the more damaging it is to a company. You need to protect your enterprise and your customers. Security controls are a critical part of doing that.
How do Cloud Security Controls work?
According to the Cloud Security Alliance, at the time of the 2013 breach, Yahoo! experienced failures across multiple security control areas. With data cloud security controls in place and working as intended, it’s possible to stop a breach from happening. And if it does happen, you can spot cloud security risks early, and contain the impact.
Security controls are important no matter where your data lives. If you manage data in an on-premises data warehouse, you need to be sure that the right security controls are in place. And if your data is in the cloud, they’re no less critical. However, responsibility for implementing and managing these cloud security controls can vary. It might lie with you, the cloud consumer. Or control may lie with the cloud infrastructure provider or the cloud service provider.
Regardless, to ensure that your business is using the cloud securely, you must do three things:
- Define an enterprise cloud strategy that establishes governance over how the cloud solutions data for business operations, analysis, product development and other functions.
- Within that cloud strategy, determine who should be in charge of ensuring that the right security controls and measures are in place, based on the requirements of your business.
- Ensure that networks, data, and applications in the cloud are correctly configured. No environment is secure if there is a misconfiguration.
The big cloud infrastructures and platforms have security and regulatory compliance measures in place. But what cloud security model aligns best with your security needs, and how you use the cloud securely, largely depends on your business.
Three types of cloud security controls
When dealing with enterprise cloud security, you want cloud security controls in place that will help you prevent, address, audit, and recover from any type of security threat or event. Cloud security controls can cover anything from firewalls to business continuity plans. Generally they fall into three categories: preventive, detective, and corrective controls.
Preventive controls help block security incidents from happening in the first place. They can decrease the likelihood of errors that enter your system. Preventive controls also prevent intruders, both internal and external, from entering the system.
Some examples of preventive controls:
- User authentication
- Data encryption (At Rest and In Transit)
- Role-based access
- Data storage zones (raw/quarantined/curated) with associated user-level access (for more on these, check out our Essential Guide to Data Lakes)
- Networking (SSL, VPN, Proxy, AWS Private Link)
- Security patching
- Data masking
- Policies and procedures
- Testing and validation during the software development life cycle (SDLC)
- Regular security scans (all levels of architecture, including data)
Detective controls can help verify whether preventive controls are working correctly. They can also identify a security incident in progress. These controls include:
- Data loss prevention services
- User audit logging
- Intrusion detection systems
- Application performance monitoring
- Security information and event management systems
Corrective controls are like fire extinguishers. You only need one if you have a fire. But then you desperately need it so a small kitchen fire doesn’t spread to the rest of the house. Corrective controls limit the extent of an impact if a security event occurs. They can include the procedures, guidelines, and instructions to follow in case of a breach. Corrective controls can also include automated systems that go into effect. Other corrective cloud security controls include:
- Blocking IP addresses of suspected threat actors
- Locking user accounts of suspected threat actors
- Disaster recovery plans
- Contacting authorities
For more information on cloud security controls and other measures to take, questions to ask, and things to know, download our latest ebook, The Data Leader’s Guide to Enterprise Cloud Security and Data Architecture.