The Journey to a Cloud Data Protection Strategy
The journey to a comprehensive data protection strategy should include a focus on enabling the business through security best practices and on the specific data protection use cases that are relevant to it. In essence: secure the data today while building and implementing the overall data protection plan for the future. This article highlights three data protection use cases that can be implemented as part of an overall strategy. To summarize these use cases:
- Insider threats: Detect and prevent malicious insiders from data exfiltration
- Phishing attacks: Mitigate impersonation with multi-factor authentication
- Data leaks: Detect and mitigate overexposed resources and assets
A General Approach to Data Protection
Data protection is a critical issue for all organizations that use the cloud to store data electronically. The goal of a comprehensive data protection strategy is to ensure the security and confidentiality of an organization's data while minimizing the impact of data breaches. There are a number of technical and organizational measures that can be taken to protect data. In general, these measures include data encryption, data backup and recovery, access control, network security, and user education.
Data encryption is a process of transforming readable data into an unreadable format using a key or password. This prevents unauthorized access to data and protects it from being read if it is intercepted in transit.
Data backup and recovery refers to the creation and maintenance of copies of data in a separate location from the primary data store. This ensures that data can be recovered in the event of a primary data store failure.
Access control measures restrict access to data to authorized users only.
Network security measures, such as firewalls and intrusion detection and prevention systems, protect data assets from unauthorized network access.
User education involves providing users with training on data security best practices.
Organizations should also have policies and procedures in place for responding to data breaches. These should include steps for notifying affected individuals, investigating the breach, and taking corrective action to prevent future breaches. A comprehensive data protection strategy should be tailored to the specific needs of the organization and its data. It is important to regularly review and update the strategy in response to changes in the organization's data and security environment.
Data Protection Use Cases
Along with an overall data protection strategy, a focus on current company- and/or industry-specific use cases can provide meaningful short-term “wins” and milestones along the data protection journey. Businesses and organizations can use different security strategies to protect their data, depending on the type of risk and its relevance to the business. For example, to mitigate the risk of an insider threat, a business might limit access to sensitive data to only a few authorized users. To protect against phishing attacks, a business might use two-factor authentication for its cloud-based applications. And to defend against data leaks, a business might assess its current deployment against industry standards and company policies.
Let’s look a little closer at each of them.
Insider Threat
An insider threat is a malicious threat to an organization that comes from within, from people who have authorized access to the organization's systems and data. Insider threats can come from a variety of sources, including disgruntled employees, malicious insiders who are looking to gain access to sensitive data, or even careless insiders who accidentally expose data.
To find and mitigate insider threats, organizations need to monitor activity on their systems and data. This includes monitoring user activity, tracking changes to data and configuration files, and monitoring network traffic. Organizations can also use data loss prevention (DLP) tools to detect and prevent data exfiltration by blocking sensitive data from being transferred outside of the organization. To find insider threats with DLP, organizations can use a variety of methods, such as monitoring employee email and web activity, tracking file transfers, and analyzing data usage patterns.
DLP programs can also include features that identify anomalous behavior, which can be indicative of malicious intent. For example, Exabeam is a DLP vendor that uses machine learning on collected logs to develop user-behavior baselines, including activity type, location, and other attributes. As activity deviates from the baseline, a risk score is assigned to that user for further investigation, while company-wide watchlists are built to understand broader patterns. The watchlist can also be used proactively: users whose circumstances change, for example by suddenly resigning, can be added to it for closer monitoring.
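The baseline-and-deviation idea described above, as an added example that is not Exabeam's or any vendor's code: a per-user profile is learned from constructed historical log lines, each new event earns a score for every attribute that deviates from the profile, scores accumulate per user, and users crossing a threshold (or added manually, e.g. after a resignation notice) land on a watchlist. The log format, the deviation weights, the 3-hour working-hours tolerance, the 10x volume multiplier and the watchlist threshold are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation risk scoring over constructed user activity logs.

Added example; not Exabeam's or any vendor's code. Log format, weights,
tolerances and the watchlist threshold are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical events used to learn each user's baseline.
# Format: timestamp,user,action,country,bytes_transferred
BASELINE_LOG = """\
2024-03-01T09:12:00,alice,login,US,0
2024-03-01T09:40:00,alice,download,US,20480
2024-03-02T10:05:00,alice,download,US,15360
2024-03-03T08:55:00,alice,login,US,0
2024-03-01T14:00:00,bob,login,DE,0
2024-03-02T15:30:00,bob,download,DE,4096
"""

# Constructed new events to score against those baselines
NEW_LOG = """\
2024-03-10T09:30:00,alice,download,US,18000
2024-03-10T02:15:00,alice,download,RU,5000000
2024-03-10T14:10:00,bob,login,DE,0
"""

WEIGHTS = {"new_country": 40, "off_hours": 20, "new_action": 15, "volume": 25}
HOURS_TOLERANCE = 3        # hours outside the seen span before "off_hours" fires
VOLUME_MULTIPLIER = 10     # transfer larger than 10x the largest seen is "volume"
WATCHLIST_THRESHOLD = 50   # accumulated risk at which a user is watchlisted


def parse_log(text):
    """Parse the constructed CSV-like log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, country, nbytes = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "country": country, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user profile: countries, actions and hours seen, plus the largest transfer."""
    profiles = defaultdict(lambda: {"countries": set(), "actions": set(),
                                    "hours": set(), "max_bytes": 0})
    for e in events:
        p = profiles[e["user"]]
        p["countries"].add(e["country"])
        p["actions"].add(e["action"])
        p["hours"].add(e["ts"].hour)
        p["max_bytes"] = max(p["max_bytes"], e["bytes"])
    return profiles


def score_event(event, profile):
    """Return (score, reasons): each deviation from the profile adds its weight."""
    score, reasons = 0, []
    if event["country"] not in profile["countries"]:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    lo, hi = min(profile["hours"]), max(profile["hours"])
    if not (lo - HOURS_TOLERANCE <= event["ts"].hour <= hi + HOURS_TOLERANCE):
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    if event["action"] not in profile["actions"]:
        score += WEIGHTS["new_action"]
        reasons.append("new_action")
    if event["bytes"] > VOLUME_MULTIPLIER * max(profile["max_bytes"], 1):
        score += WEIGHTS["volume"]
        reasons.append("volume")
    return score, reasons


def score_users(baseline_events, new_events, manual_watch=()):
    """Accumulate per-user risk, record findings and build the watchlist.

    manual_watch lists users added for a non-log reason (e.g. a resignation
    notice); they are watched regardless of score.
    """
    profiles = build_baseline(baseline_events)
    risk = {e["user"]: 0 for e in new_events}
    findings = []
    for e in new_events:
        profile = profiles.get(e["user"])  # .get() does not create a default entry
        if profile is None:
            # No baseline to compare against: flag at the threshold for review
            score, reasons = WATCHLIST_THRESHOLD, ["no_baseline"]
        else:
            score, reasons = score_event(e, profile)
        risk[e["user"]] += score
        if score:
            findings.append((e["user"], e["ts"].isoformat(), score, reasons))
    flagged = {u for u, r in risk.items() if r >= WATCHLIST_THRESHOLD}
    return {"risk": risk, "findings": findings,
            "watchlist": sorted(flagged | set(manual_watch))}


if __name__ == "__main__":
    result = score_users(parse_log(BASELINE_LOG), parse_log(NEW_LOG), manual_watch=("bob",))
    for user, ts, score, reasons in result["findings"]:
        print(f"{ts} {user}: +{score} ({', '.join(reasons)})")
    print("risk:", result["risk"])
    print("watchlist:", result["watchlist"])
```

In the constructed data, alice's 02:15 download from a never-seen country at 200x her largest previous transfer scores 85 and puts her on the watchlist on its own, while her normal daytime download scores zero; bob only appears on the watchlist when added manually.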
Phishing Attack
Whereas an insider threat originates inside the company, a phishing attack typically originates outside it: a malicious actor pretends to be a trusted entity and attempts to trick a user into clicking a malicious link or downloading a file in order to steal sensitive information or infect their system with malware. Phishing attacks can be carried out via email, social media, or text message, and often involve fake websites or attachments that are designed to look like they come from a legitimate source. A phishing attack can be used to exploit a vulnerable virtual machine in a few different ways:
- By tricking the user into clicking on a malicious link or attachment, the attacker can download and execute code on the virtual machine that can be used to plant malware or steal sensitive data.
- The attacker can also use the virtual machine to create a phishing website that looks identical to a legitimate website. When users visit this website and enter their login credentials, the attacker can then steal this information.
- If the virtual machine is not properly secured, the attacker can also gain access to the underlying infrastructure and plant code that enables a command-and-control (C2) server. This would allow the attacker to remotely control the virtual machine and carry out further attacks.
Phishing attacks have become increasingly sophisticated and difficult to detect, making them a serious threat to businesses and individuals alike. Because detection alone cannot be relied on, multi-factor authentication (MFA) is an effective defense: it requires users to present more than one form of authentication to access a system or service, so an attacker who has obtained a password still needs to obtain and correctly use the additional factor before they can impersonate a legitimate user. This can significantly reduce the impact of phishing attacks, as well as other types of cyberattacks. Identity providers like Okta can require MFA for users accessing company resources. While MFA is not a perfect solution, it is an important step in protecting against phishing and other types of cyberattacks, and businesses and individuals should consider implementing it.
Data Leak
A cloud data breach is unauthorized access to or disclosure of confidential information stored in the cloud. A breach can result from the insider threats and phishing attacks described above. Additionally, a breach can result from a data leak, where an attacker finds sensitive data that is overexposed and exploitable.
Data leaks are either unknown data exposures or known exposures that have not been mitigated, or whose risk has been “accepted” by the Governance, Risk, and Compliance (GRC) team and business owners. Data leaks occur due to various factors, including:
- Misconfigured settings: Data is accessible by untrusted entities
- Software vulnerabilities: Unpatched systems may allow bad actors to access sensitive data
- Weak passwords: Data may leak due to easily guessable passwords or lack of MFA
To identify data leaks, a vulnerability scanner from vendors such as Tenable, Palo Alto Networks, or Wiz can be used to compare the current deployment against industry standards and company policies and flag these data leak risks. Once data leaks are found, mitigation steps can be developed and implemented through automation tools such as Terraform and Ansible.
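The "compare the deployment against company policy" step, as an added example that is not Tenable, Palo Alto Networks or Wiz code: a constructed inventory export is evaluated against a handful of policy rules that mirror the three leak factors listed above (misconfigured access, unpatched systems, weak authentication), and every violation becomes a severity-ranked finding that a mitigation workflow could consume. The inventory schema, the rule set, the minimum patch level and the severities are assumptions chosen for illustration.

```python
"""Policy-as-code checks over a constructed cloud inventory for data leak risks.

Added example; not Tenable, Palo Alto Networks or Wiz code. Inventory
schema, rules, minimum patch level and severities are assumptions.
"""
import ipaddress
import json

# Constructed inventory export; not from a real account
INVENTORY_JSON = """
{
  "buckets": [
    {"name": "customer-exports", "public_access": true,  "encryption": "none", "tags": {"data_class": "confidential"}},
    {"name": "static-site",      "public_access": true,  "encryption": "sse",  "tags": {"data_class": "public"}},
    {"name": "hr-archive",       "public_access": false, "encryption": "sse",  "tags": {"data_class": "confidential"}}
  ],
  "security_groups": [
    {"name": "db-sg",  "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]},
    {"name": "web-sg", "ingress": [{"port": 443,  "cidr": "0.0.0.0/0"}]}
  ],
  "iam_users": [
    {"name": "deploy-bot", "console_access": true, "mfa_enabled": false},
    {"name": "jdoe",       "console_access": true, "mfa_enabled": true}
  ],
  "instances": [
    {"id": "i-0001", "os_patch_level": "2023-11", "data_class": "confidential"},
    {"id": "i-0002", "os_patch_level": "2024-03", "data_class": "internal"}
  ]
}
"""

MIN_PATCH_LEVEL = "2024-01"      # assumed company policy, YYYY-MM
PUBLIC_OK_PORTS = {80, 443}      # assumed: only web ports may be world-reachable
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def load_inventory(text=INVENTORY_JSON):
    return json.loads(text)


def finding(rule, resource, severity, detail):
    return {"rule": rule, "resource": resource, "severity": severity, "detail": detail}


def check_buckets(buckets):
    """Misconfigured settings: public buckets holding non-public data, no encryption."""
    out = []
    for b in buckets:
        cls = b.get("tags", {}).get("data_class", "unknown")
        if b["public_access"] and cls != "public":
            out.append(finding("public_confidential_bucket", b["name"], "high",
                               f"public bucket holds {cls} data"))
        if b["encryption"] == "none":
            out.append(finding("unencrypted_bucket", b["name"], "medium",
                               "no server-side encryption"))
    return out


def check_security_groups(groups):
    """Misconfigured settings: non-web ports reachable from any address."""
    out = []
    for g in groups:
        for rule in g["ingress"]:
            net = ipaddress.ip_network(rule["cidr"], strict=False)
            if net.prefixlen == 0 and rule["port"] not in PUBLIC_OK_PORTS:
                out.append(finding("world_open_port", g["name"], "high",
                                   f"port {rule['port']} open to {rule['cidr']}"))
    return out


def check_iam_users(users):
    """Weak authentication: console users without MFA."""
    return [finding("console_user_without_mfa", u["name"], "medium",
                    "console login enabled without MFA")
            for u in users if u["console_access"] and not u["mfa_enabled"]]


def check_instances(instances):
    """Software vulnerabilities: patch level below policy, worse on confidential hosts."""
    out = []
    for i in instances:
        # YYYY-MM strings compare chronologically as text (assumption about the export)
        if i["os_patch_level"] < MIN_PATCH_LEVEL:
            sev = "high" if i["data_class"] == "confidential" else "medium"
            out.append(finding("unpatched_instance", i["id"], sev,
                               f"patch level {i['os_patch_level']} below {MIN_PATCH_LEVEL}"))
    return out


def evaluate(inventory):
    """Run every rule and return findings ordered by severity, then resource."""
    findings = (check_buckets(inventory.get("buckets", []))
                + check_security_groups(inventory.get("security_groups", []))
                + check_iam_users(inventory.get("iam_users", []))
                + check_instances(inventory.get("instances", [])))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["resource"]))


if __name__ == "__main__":
    for f in evaluate(load_inventory()):
        print(f"[{f['severity'].upper():6}] {f['resource']:16} {f['rule']}: {f['detail']}")
```

Against the constructed inventory the public bucket of confidential data, the world-open database port and the stale confidential host come out as high findings, while the public static-site bucket passes because its data class is public; the findings list is the hand-off point to whatever mitigation automation the team uses.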
Summary
Depending on the company's unique business needs, other data protection use cases may be more relevant to address. In any event, the framework remains the same: address the data protection needs of the various business units and stakeholders as they arise, and use these use cases as building blocks as the journey to a comprehensive data protection strategy continues forward.