What is cloud data protection?
Cloud data protection is a model for protecting data that is stored in the cloud and data that moves in and out of it. It was created to apply data storage, protection, and security methodologies to data residing in, entering, and leaving a cloud environment. Stored data is also known as data at rest, while moving data is also known as data in motion.
Just a few years ago, this wasn’t an issue. Previously, users were on the network, and data and applications resided centrally within the data center. Access to the data was strictly controlled by IT and usage was well known. Today, most of a corporation’s data no longer resides in the data center, thanks to the cloud.
Along came the cloud
Organizations began adopting cloud services, such as SaaS, for the tremendous benefits such a move offers, including more collaboration across individuals and lines of business (LOBs), accelerating the speed of business and reducing costs.
This meant that data and applications are now outside the data center and running in someone else’s infrastructure. This has also enabled users to work remotely more often, as the connection between users and their applications is no longer the data center—it is the internet. As data has moved out of the central data center, it has also moved away from the traditional security infrastructure, increasing an organization’s exposure to cybercriminals and advanced threat attacks.
Unfortunately, bad actors continually revise and update their schemes and attack patterns attempting to get your data. More than 3.2 million records were exposed in the 10 biggest data breaches in the first half of 2020, according to information compiled by the Identity Theft Resource Center and the U.S. Department of Health and Human Services. In May 2020 alone, the Identity Theft Resource Center saw a total of 108 data breaches, accounting for more than 841,529 sensitive records exposed.
Your data is the currency of cybercriminals. Once obtained, cybercriminals will often hold an organization’s data for ransom, typically demanding some form of cryptocurrency (most commonly, Bitcoin). Or they sell this information on the dark web to other bad actors who compile this information as part of a large-scale account takeover attempt. Or they use it for their own account takeover schemes.
By year-end 2022, more than 1 million organizations will have appointed a privacy officer (or data protection officer).
Gartner, 2020
I needed to do something to prevent data loss without completely blocking access to webmail. How can I get this risk to an acceptable level? With Zscaler’s cloud application control, I was able to restrict the uploading of attachments to all the major webmail clients. It was the perfect marriage of both worlds.
Brad Moldenhauer, Director of Information Security, Steptoe & Johnson LLP
Securely enabling this new reality of distributed data and cloud adoption across the organization isn’t simple and presents a number of challenges.
- Encryption—Encryption has shifted from the exception to the norm in an attempt to ensure secure transactions to the internet and cloud applications. In fact, according to the latest Google Transparency Report, 95 percent of the traffic that Google sees is encrypted. If your data protection solution isn’t classifying and controlling data in encrypted traffic, you will be missing the majority of sessions in which data exposure and misuse is a possibility. This is especially true of SaaS applications that rely on secure, encrypted connections to the application for exchanging data.
- Protection gaps—With data distributed across SaaS and public cloud applications, each created and maintained by individuals and LOBs across the organization, controlling data can be daunting. Unfortunately, many of the tools developed to address data challenges focus on a single application type or deployment. For example, a cloud access security broker (CASB) service secures SaaS applications, a secure web gateway (SWG) with data loss prevention (DLP) secures internet applications, and cloud security posture management (CSPM) secures public cloud applications. Each provides only a partial picture of data protection across the organization, and the seams between products and teams lead to complexity, redundant functions, and blind spots in visibility and control over data exposure across applications.
- Limited control—IT must ensure the business is enabled to use cloud apps and services while ensuring that they can do so safely. This means that the focus shifts from black-and-white decisions on access to more granular usage visibility and control. The challenge is that most data protection options offer limited information to help organizations make decisions about the use of data in the cloud. Without full context—who is attempting access, the user’s location, the state of the application—it is impossible to offer the granular control needed to enable effective and safe data usage.
- User experience—Diverting internet traffic through the security devices in your legacy infrastructure results in slower application performance and frustrated users. Adding the number of appliances necessary to improve performance would be costly and highly impractical. In addition, legacy architectures weren’t designed to handle a sudden increase in remote access in times of crisis or to accommodate a growing anywhere workforce.
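The “limited control” point above is easiest to see when a coarse allow-or-block-the-app decision is placed beside a decision that uses the full context (who is acting, from where, on what device, in which app, doing what, with which class of data). The following is an added illustration, not Zscaler code or any product’s policy API; the rule set, field names, and sample events are all constructed for the example. The second rule reproduces the idea from the quote above: webmail stays reachable, but attachment uploads are blocked.

```python
"""Context-aware data-usage policy evaluation (illustrative, not a vendor API).

Contrasts a coarse per-application allow/block decision with a granular decision
that weighs user group, location, device state, application category, action,
and data classification. All rules and sample requests are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    """The context a granular policy needs for one data-usage event (constructed schema)."""
    user: str
    group: str            # e.g. "finance", "engineering"
    location: str         # "office" or "remote"
    device_managed: bool  # corporate-managed endpoint?
    app_category: str     # "webmail", "sanctioned_saas", "unsanctioned_saas"
    action: str           # "view", "upload", "download"
    data_class: str       # "public", "internal", "confidential"


@dataclass(frozen=True)
class Rule:
    name: str
    match: Dict[str, set]  # field name -> set of values that satisfy the rule
    decision: str          # "allow" or "block"


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches only if every listed field holds one of the listed values."""
    return all(getattr(req, field) in values for field, values in rule.match.items())


# Ordered policy: the first matching rule wins; unmatched requests are allowed.
POLICY: List[Rule] = [
    Rule("block-sensitive-upload-to-unsanctioned",
         {"app_category": {"unsanctioned_saas"}, "action": {"upload"},
          "data_class": {"internal", "confidential"}}, "block"),
    Rule("webmail-no-attachment-upload",
         {"app_category": {"webmail"}, "action": {"upload"}}, "block"),
    Rule("unmanaged-device-no-confidential-download",
         {"device_managed": {False}, "action": {"download"},
          "data_class": {"confidential"}}, "block"),
    Rule("finance-confidential-from-office-only",
         {"group": {"finance"}, "data_class": {"confidential"},
          "location": {"remote"}, "action": {"upload", "download"}}, "block"),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (decision, rule_name) for the first matching rule, else a default allow."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.decision, rule.name
    return "allow", "default-allow"


# The black-and-white alternative: decide per application category only.
COARSE_BLOCKLIST = {"webmail", "unsanctioned_saas"}


def coarse_evaluate(req: Request) -> str:
    """Block whole application categories regardless of user, action, or data."""
    return "block" if req.app_category in COARSE_BLOCKLIST else "allow"


if __name__ == "__main__":
    sample = [  # constructed events
        Request("alice", "engineering", "remote", True, "webmail", "view", "public"),
        Request("alice", "engineering", "remote", True, "webmail", "upload", "internal"),
        Request("bob", "finance", "office", True, "sanctioned_saas", "upload", "confidential"),
        Request("bob", "finance", "remote", True, "sanctioned_saas", "download", "confidential"),
        Request("carol", "engineering", "remote", False, "sanctioned_saas", "download", "confidential"),
    ]
    for r in sample:
        print(f"{r.user:6} {r.app_category:17} {r.action:9} "
              f"coarse={coarse_evaluate(r):6} granular={evaluate(r)}")
```

Run as a script to see the two evaluators side by side: the coarse policy blocks every webmail event, including harmless viewing, while the granular policy allows viewing and blocks only the upload. Rule order matters (first match wins), so put the most specific denials first and review the ordering whenever a rule is added.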
The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.
Gartner, The Future of Network Security Is in the Cloud
The need for cloud data protection
The shift to the cloud has completely changed the role of IT from a local security enforcer to a global business enabler: allowing safe cloud adoption and data distribution while preventing data exposure and meeting increasingly strict industry and regulatory requirements.
To achieve this, IT leaders should look for a cloud data protection platform that provides unified data protection capabilities for internet, data center, and SaaS applications, and ensures that configurations in public cloud applications match best practice standards to prevent data exposure and maintain compliance.
IT leaders should also look for cloud data protection offerings that comply with the secure access service edge (SASE) requirements. SASE is a new security model defined by Gartner specifically to address the security challenges of the new reality organizations are facing. SASE recommends that data protection engines be placed as close to the user as possible, avoiding backhauling and the poor user experience it causes.
The ideal solution should be built from the ground up for performance and scalability. It must be a globally distributed platform on which users are always a short hop from their applications, and it should peer with hundreds of partners in major internet exchanges around the world to ensure optimal performance and reliability for your users.