Data protection in cloud services
Storing data in the cloud raises questions regarding data protection.
Data can be customers’ data (PII, healthcare data, credit cards, etc.), company data (financial information, trade secrets, security vulnerabilities, etc.), or any information with value to our organization.
As in the traditional data center, we still have concerns regarding who has access to our data and what they can do with the access provided.
In this blog post, I will review the required controls for protecting data stored in cloud services.
Data discovery and classification
The first action we need to take regarding sensitive data is discovery and classification.
Data classification is the action of assigning labels or categories to our data, such as public information, internal, confidential, highly confidential, etc.
Discovery tools allow us to detect where we store sensitive information in storage locations such as object storage, file storage, databases, and more.
Examples of services for the discovery process:
· Amazon Macie — discover sensitive information stored in Amazon S3 buckets.
· Microsoft Purview — map and discover data on-premise and in the cloud.
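To make the discovery-and-classification step concrete, here is an added example (not code from the post or from any of the services named above) of a minimal scanner: a handful of regex detectors, a Luhn check so that digit runs that merely look like card numbers are not reported, and a mapping from what was found to a label in the public / internal / confidential / highly confidential scheme described above. The detector set, the label mapping and the sample objects are all constructed for the example; the object keys stand in for the contents of a bucket.

```python
import re

# Detector patterns (constructed for this example; a real discovery service ships
# many more detectors, validation logic and sampling for large objects).
DETECTORS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Label each detector implies (assumed taxonomy; an object with no findings
# is tagged "internal" because discovery alone cannot prove something is public).
DETECTOR_LABEL = {
    "credit_card": "highly confidential",
    "us_ssn": "highly confidential",
    "aws_access_key_id": "highly confidential",
    "email": "confidential",
}
LABEL_RANK = {"internal": 0, "confidential": 1, "highly confidential": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return {detector_name: [matched values]} for every detector that fires."""
    findings = {}
    for name, pattern in DETECTORS.items():
        hits = []
        for m in pattern.finditer(text):
            value = m.group(0).strip()
            if name == "credit_card":
                digits = re.sub(r"\D", "", value)
                if not (13 <= len(digits) <= 16 and luhn_ok(digits)):
                    continue  # false positive: fails the checksum
            hits.append(value)
        if hits:
            findings[name] = hits
    return findings


def classify(text: str) -> tuple:
    """Assign the highest label any finding implies; 'internal' when nothing fires."""
    findings = find_sensitive(text)
    label = "internal"
    for name in findings:
        if LABEL_RANK[DETECTOR_LABEL[name]] > LABEL_RANK[label]:
            label = DETECTOR_LABEL[name]
    return label, findings


def scan_store(objects: dict) -> dict:
    """Run discovery over a {object_key: content} store and tag every object."""
    report = {}
    for key, content in objects.items():
        label, findings = classify(content)
        report[key] = {"label": label, "findings": findings}
    return report


# Constructed sample objects standing in for a bucket's contents.
SAMPLE_OBJECTS = {
    "customers/export.csv": "id,name,email,card\n1,Ann,ann@example.com,4111 1111 1111 1111\n",
    "hr/onboarding.txt": "New hire SSN 123-45-6789 filed with payroll",
    "devops/.env.bak": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "marketing/newsletter.txt": "Questions? Write to hello@example.com",
    "notes/order-ids.txt": "Order ref 1234 5678 9012 3456 is not a card number",
}

if __name__ == "__main__":
    for key, entry in scan_store(SAMPLE_OBJECTS).items():
        print(f"{key:28} {entry['label']:20} {sorted(entry['findings'])}")
```

The point of the Luhn step is that pattern matching alone over-reports: the order reference in the last object matches the card regex but fails the checksum, so the object stays at "internal" instead of being escalated. The output of such a scan is what feeds the later controls: the objects tagged "highly confidential" are the ones whose access policies, encryption settings and audit logs deserve the closest review.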
Entitlement
Entitlement deals with the questions: who has access, to what resources, and what can they do with those access rights?
In any access request, we should always make sure the identity (human, service account, computer account, etc.) is authenticated against our system, preferably using a central identity provider.
Once the identity is authenticated against our system, we need to make sure it has only the privileges required to accomplish its task, according to the principle of least privilege (such as view configuration, read customer data, update records, etc.).
Entitlement combines authentication with authorization.
Examples of services for entitlements:
· AWS IAM Access Analyzer — detects AWS resources with permissions belonging to external identities and generates least privilege policies.
· Azure AD Identity Governance — assists in making sure an identity has the right access to the right resource.
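The following added example (not code from the post or from either service above) shows the least-privilege question as an executable check. It models IAM-style policy documents in a deliberately simplified way: only Effect, Action and Resource are evaluated, an explicit Deny wins over any Allow, and anything not allowed is implicitly denied; conditions, principals and resource policies are left out. It also does, in miniature, what the text says Access Analyzer does: it flags statements that grant wildcard actions or resources and derives an Allow-only policy from observed activity. The bucket names, ARNs and activity records are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed policy documents in the IAM JSON shape (Effect / Action / Resource).
# BROAD_POLICY is the kind of grant a least-privilege review should flag.
BROAD_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ]
}

# Same workload, scoped to what it actually needs: list one bucket, read one prefix.
LEAST_PRIVILEGE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::customer-exports"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::customer-exports/reports/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified decision: explicit Deny wins, then any matching Allow, else implicit deny.

    Actions match case-insensitively, resources case-sensitively; '*' and '?'
    wildcards are handled by fnmatch (which also treats '[...]' specially,
    a difference that does not matter for ARNs).
    """
    decision = "implicit_deny"
    for statement in policy["Statement"]:
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(statement["Action"]))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(statement["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if statement["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


def overly_broad_statements(policy: dict) -> list:
    """Indices of Allow statements granting a service-wide action or a wildcard resource."""
    flagged = []
    for i, statement in enumerate(policy["Statement"]):
        if statement["Effect"] != "Allow":
            continue
        wild_action = any(p == "*" or p.endswith(":*") for p in _as_list(statement["Action"]))
        wild_resource = any(p == "*" for p in _as_list(statement["Resource"]))
        if wild_action or wild_resource:
            flagged.append(i)
    return flagged


def policy_from_activity(events: list) -> dict:
    """Derive an Allow-only policy from observed (action, resource) pairs, one statement per resource."""
    by_resource = {}
    for event in events:
        by_resource.setdefault(event["resource"], set()).add(event["action"])
    return {"Statement": [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]}


# Constructed activity log for a reporting job (what an audit trail would have recorded).
OBSERVED_ACTIVITY = [
    {"action": "s3:ListBucket", "resource": "arn:aws:s3:::customer-exports"},
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::customer-exports/reports/2024-q1.csv"},
    {"action": "s3:GetObject", "resource": "arn:aws:s3:::customer-exports/reports/2024-q1.csv"},
]

if __name__ == "__main__":
    request = ("s3:DeleteObject", "arn:aws:s3:::customer-exports/reports/2024-q1.csv")
    print("broad policy:", evaluate(BROAD_POLICY, *request))
    print("least-privilege policy:", evaluate(LEAST_PRIVILEGE_POLICY, *request))
    print("broad statements:", overly_broad_statements(BROAD_POLICY))
    print("generated:", policy_from_activity(OBSERVED_ACTIVITY))
```

Two things are worth noticing. The same delete request is allowed by the broad policy and explicitly denied by the scoped one, which is exactly the difference entitlement review is meant to surface. And the policy generated from activity names individual objects; a production generator (as the text notes for Access Analyzer) generalises those into prefixes, which is a judgement call about how much the workload is expected to vary.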
Encryption
To protect data, we need to protect it in any state the data resides:
· Data in transit — all cloud storage services (object storage, file storage, and databases) support encryption in transit using the TLS protocol. Unlike the traditional data center, where encryption in transit was either not supported or required additional effort from our side, cloud services support encryption in transit by default, and in many cases we have no option to disable this feature.
· Data at rest — all cloud storage services (object storage, file storage, and databases) support encryption at rest using the AES-256 algorithm.
In the traditional data center, encryption key management and key rotation were challenging.
Today, most cloud providers allow us to choose between encryption at rest using encryption keys generated and managed by the cloud provider, or using encryption keys that we generate and control (to minimize the risk of a rogue cloud provider admin having access to our data).
Examples of services for storing encryption keys and sensitive data:
o AWS KMS — controls the entire lifecycle of cryptographic keys.
o AWS Secrets Manager — controls the entire lifecycle of secrets, credentials, API keys, etc.
o Azure Key Vault — controls the entire lifecycle of cryptographic keys, secrets, credentials, API keys, etc.
· Data in use — even if we encrypt the data while in transit and at rest, at some point the data must be readable or updatable while it sits in the memory of a server in the cloud. The common name for this technology is “confidential computing”, which in most cases relies on hardware capabilities to encrypt memory and make sure data in use is kept confidential.
Examples of solutions that provide confidential computing capabilities:
o AWS Nitro Enclaves — isolates data stored in the memory of EC2 instances.
o Azure Confidential Computing — isolates data stored in the memory of virtual machines and Azure Kubernetes Service nodes.
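Encryption in transit and at rest are only effective when they are enforced rather than merely available. This added example (not code from the post or from AWS) audits a bucket's configuration for the two at-rest and in-transit controls discussed above: a policy that denies non-TLS requests, a policy that denies uploads not encrypted with KMS, and a default-encryption setting that names a customer-managed key instead of the provider-managed default. The policy documents and encryption settings are constructed for the example and follow the shapes the S3 GetBucketPolicy and GetBucketEncryption APIs return; the condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are real S3 policy condition keys, while the key ARN is a placeholder.

```python
# Placeholder customer-managed key ARN (constructed; not a real key).
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed bucket policy that enforces both controls.
STRONG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Reject any request that did not arrive over TLS
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::customer-exports", "arn:aws:s3:::customer-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Reject uploads that do not ask for KMS encryption
            "Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": "arn:aws:s3:::customer-exports/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}
# Constructed policy with no enforcement at all.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": []}

# Default encryption: customer-managed KMS key vs the provider-managed default (SSE-S3, AES256).
STRONG_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN}}]}
WEAK_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault":
                              {"SSEAlgorithm": "AES256"}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _deny_statements(policy: dict) -> list:
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Deny"]


def denies_insecure_transport(policy: dict) -> bool:
    """True if some Deny statement fires when aws:SecureTransport is false."""
    for statement in _deny_statements(policy):
        condition = statement.get("Condition", {}).get("Bool", {})
        if str(condition.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def denies_non_kms_uploads(policy: dict) -> bool:
    """True if some Deny on PutObject requires the KMS server-side-encryption header."""
    for statement in _deny_statements(policy):
        actions = {a.lower() for a in _as_list(statement.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        condition = statement.get("Condition", {}).get("StringNotEquals", {})
        if condition.get("s3:x-amz-server-side-encryption") == "aws:kms":
            return True
    return False


def default_encryption_uses_cmk(encryption_config: dict) -> bool:
    """True if the default encryption rule uses SSE-KMS with an explicit key."""
    for rule in encryption_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return True
    return False


def audit_bucket(policy: dict, encryption_config: dict) -> list:
    """Return one finding per missing control; an empty list means all three are in place."""
    findings = []
    if not denies_insecure_transport(policy):
        findings.append("in transit: no Deny for aws:SecureTransport=false")
    if not denies_non_kms_uploads(policy):
        findings.append("at rest: uploads may bypass KMS (no s3:x-amz-server-side-encryption condition)")
    if not default_encryption_uses_cmk(encryption_config):
        findings.append("at rest: default encryption does not use a customer-managed KMS key")
    return findings


if __name__ == "__main__":
    print("strong:", audit_bucket(STRONG_POLICY, STRONG_ENCRYPTION))
    print("weak:", audit_bucket(WEAK_POLICY, WEAK_ENCRYPTION))
```

The weak configuration is not "unencrypted": SSE-S3 still applies AES-256 at rest, and TLS is still offered. What it lacks is enforcement with keys under our control, which is the distinction the paragraph above draws between provider-managed and customer-managed keys.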
Auditing and threat detection
The final action we need to take to protect data is to audit who accessed our data and to detect anomalous behavior in the actions performed on it.
Although auditing is a detective rather than a preventive control, it is still an important phase of data protection.
Examples of services that perform audit trails:
· AWS CloudTrail — records all API actions performed on AWS services.
· Azure Monitor — records all operations performed on Azure resources.
Now that we record all actions, we need a solution to review the logs and notify us about anomalous behavior that requires our attention.
Examples of threat detection services:
· Amazon GuardDuty — detects anomalies from (among other sources) CloudTrail logs.
· Microsoft Defender for Cloud — detects anomalies in actions performed against services such as Azure SQL and Azure Storage.
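To show what "review the logs and notify us about anomalous behavior" looks like in practice, here is an added example (not code from the post, CloudTrail or GuardDuty) that runs three simple rules over CloudTrail-style records: a principal reading a sensitive bucket from a source address outside its baseline, a principal reading more objects from sensitive buckets than a threshold allows, and any call that stops or alters the audit trail itself. The records, the baseline and the sensitive-bucket list are constructed for the example and use only a subset of the real CloudTrail fields (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName); the addresses are from the documentation ranges.

```python
from collections import Counter

# Constructed principals and environment (not real accounts).
ROLE_JOB = "arn:aws:iam::111122223333:role/report-job"
USER_ALICE = "arn:aws:iam::111122223333:user/alice"
USER_BOB = "arn:aws:iam::111122223333:user/bob"
SENSITIVE_BUCKETS = {"customer-exports"}            # output of the discovery step
BASELINE_IPS = {ROLE_JOB: {"10.0.1.25"}, USER_ALICE: {"10.0.1.40"}}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def _event(time, source, name, principal, ip, bucket=None):
    """Build a CloudTrail-style record with the subset of fields the rules need."""
    record = {"eventTime": time, "eventSource": source, "eventName": name,
              "userIdentity": {"arn": principal}, "sourceIPAddress": ip}
    if bucket:
        record["requestParameters"] = {"bucketName": bucket}
    return record


# Constructed sample trail: a normal job, a suspicious session, and benign noise.
SAMPLE_EVENTS = (
    [_event(f"2024-05-01T09:0{i}:00Z", "s3.amazonaws.com", "GetObject",
            ROLE_JOB, "10.0.1.25", "customer-exports") for i in range(3)]
    + [_event(f"2024-05-01T23:1{i}:00Z", "s3.amazonaws.com", "GetObject",
              USER_ALICE, "203.0.113.7", "customer-exports") for i in range(6)]
    + [_event("2024-05-01T23:20:00Z", "cloudtrail.amazonaws.com", "StopLogging",
              USER_ALICE, "203.0.113.7")]
    + [_event("2024-05-01T10:00:00Z", "s3.amazonaws.com", "ListBucket",
              USER_BOB, "198.51.100.9", "public-assets")]
)


def detect(events, baseline_ips, sensitive_buckets, read_threshold=5):
    """Apply the three rules in time order; each (rule, principal) fires at most once."""
    findings = []
    reads = Counter()
    seen_new_ip = set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        principal = ev["userIdentity"]["arn"]
        ip = ev["sourceIPAddress"]
        bucket = ev.get("requestParameters", {}).get("bucketName")

        # Rule 1: anything that disables or changes the audit trail is always reported.
        if ev["eventSource"] == "cloudtrail.amazonaws.com" and ev["eventName"] in TRAIL_TAMPER_EVENTS:
            findings.append({"rule": "trail_tampering", "principal": principal,
                             "detail": f"{ev['eventName']} at {ev['eventTime']} from {ip}"})

        if bucket not in sensitive_buckets:
            continue

        # Rule 2: sensitive-bucket access from an address not in the principal's baseline.
        if ip not in baseline_ips.get(principal, set()) and (principal, ip) not in seen_new_ip:
            seen_new_ip.add((principal, ip))
            findings.append({"rule": "new_source_ip", "principal": principal,
                             "detail": f"{bucket} accessed from {ip} at {ev['eventTime']}"})

        # Rule 3: more object reads from sensitive buckets than the threshold allows.
        if ev["eventName"] == "GetObject":
            reads[principal] += 1
            if reads[principal] == read_threshold + 1:
                findings.append({"rule": "bulk_read", "principal": principal,
                                 "detail": f"over {read_threshold} reads by {ev['eventTime']}"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, BASELINE_IPS, SENSITIVE_BUCKETS):
        print(f"{finding['rule']:16} {finding['principal']:45} {finding['detail']}")
```

The rules are deliberately simple, but they illustrate why the earlier steps matter: rule 2 and rule 3 only know which buckets to care about because discovery labelled them, and the baseline of expected source addresses is the kind of context a managed service such as GuardDuty builds up over time rather than something we hard-code. Rule 1 is the one to treat as highest priority, since losing the trail blinds every other detection.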
Summary
In this blog post, I have reviewed the necessary controls for protecting data stored in the cloud.
It is essential to understand that effective protection for data stored in the cloud requires strong controls on both fronts: encryption at rest (preferably with customer-managed encryption keys) combined with an entitlement process that enforces least privilege. We cannot rely on a single security control and pray that no unauthorized person will ever access our data.
About the Author
Eyal Estrin is a cloud and information security architect, the owner of the blog Security & Cloud 24/7 and the author of the book Cloud Security Handbook, with more than 20 years in the IT industry.
You can connect with him on Twitter and LinkedIn.