By Ameesh Divatia, CEO and co-founder, Baffle, Shortlistee of Best Cloud Data Management Solution Award for the Cloud Computing Awards in 2021

We have seen a mass migration to the cloud over the past two years that few could have predicted. But are these organizations taking the necessary actions to protect their data? In many respects, cloud data security differs dramatically from on-premise security. Having the right strategies can prevent or drastically minimize the impact of a breach while helping to maintain data’s business value. These four strategies can position organizations to do just that.

Adopt a DataSecOps approach to cloud security

Playing offense is easier, more time-efficient, and less costly than playing defense. But preventing or minimizing the effects of a data breach requires ground-level planning that many organizations fail to implement. A DataSecOps approach can help organizations build security protections by building cloud infrastructures.

The idea is that security teams collaborate early and often with data scientists to ensure that security is a top consideration with every decision. This way, data security is woven into the DNA of a cloud environment, thus drastically reducing the risk of a breach and protecting data. It is of no use to a criminal should a breach occur. In a security-first cloud environment, organizations can store, analyze and share data confidently, instead of reacting to a potential problem and adding security measures once a problem emerges.

It is important to note that a DataSecOps approach requires a great deal of deliberation and consideration. As organizations have rushed to the cloud in response to a remote work environment, many have prioritized speed over security and have suffered the consequences. The benefits of taking the time to implement a DataSecOps approach will outweigh the short-term benefits of quickly migrating to the cloud.

Implement a data security mesh

Working in the cloud requires moving away from a traditional data security mindset. Securing data in on-premise environments was relatively straightforward: Protect the perimeter and prevent access. There wasn’t as much of a need for data to leave that environment, and most code was homegrown. But the onset of cloud migration shifted many industries toward a distributed environment without a perimeter. Further complicating data security is that each device that accesses the cloud is only as secure as the network from where an employee is accessing it—whether from home or a nearby coffee shop.

In the past year, we have seen greater reliance on implementing a data security mesh, which focuses on the perimeter of every device in use through several protection methods. According to Gartner, a data security mesh “allows for the security perimeter to be defined around the identity of a person or thing. It enables a more modular, responsive security approach by centralizing policy orchestration and distributing policy enforcement.”

An essential step toward implementing a data security mesh is to thoroughly audit your organization’s existing technology to determine if it is appropriate for cloud data security. For example, on-premise security methods focus heavily on data-at-rest. Still, as we know, cloud data is being stored and processed in infrastructures that the data owner does not own and requires different processes to ensure data is protected no matter how it is being used.

In my experience, many organizations hesitate to move on from security technology that they have invested heavily in. The cost concern is understandable, but past investments pale compared to a cloud data breach’s financial and reputational cost.

Employ data analytics pipeline protection methods

Data analytics is one of the most important benefits of the cloud, offering unprecedented scale and utilizing insights for market differentiation. It stands to reason that organizations should ensure data is protected throughout its lifecycle through the pipeline—and doing so requires a wide range of situational techniques.

As data is created, it is unstructured and needs to be categorized to determine how it should be protected. The first step is to determine if that data has sensitive information, like a Social Security number (SSN), home address, or credit card number. If sensitive information is discovered, but that data will not be analyzed, it will be masked. This process completely hides the sensitive data with characters in a different format.

Now, let’s say the same piece of data with sensitive data needs to be analyzed. It should be tokenized for midstream use in the pipeline. Using the SSN as an example, its nine digits would be replaced by nine other numbers, leaving the appearance of an SSN but of no use to an unauthorized person accessing it. At the same time, applications can analyze the data set without putting sensitive data in the clear.

Downstream, encryption is applied to convert data into unreadable ciphertext that a privileged few can unencrypt with a key. This approach, known as Privacy-Preserving Analytics, can process data while it remains unreadable and unusable to those without access. By implementing the appropriate protection methods at the right time, cloud data analytics can occur without compromising that data’s value.

Understand the details of shared responsibility

A failure to fully understand the shared responsibility model is one of the most overlooked aspects of cloud data security. Many organizations have been under the inaccurate impression that their cloud provider protects data. However, most cloud providers only shoulder the responsibility of protecting the cloud, not the data inside. To put it another way: The home security company is responsible for keeping criminals out of the house, but it is the homeowner’s responsibility to hide or lock up valuables.

Before moving forward with a cloud provider, make sure to have deliberate discussions that outline who is responsible for what and take the necessary steps to ensure your organization has the protection methods in place. Further, it is entirely acceptable to ask a potential cloud service provider for their certifications related to industry or governmental regulations your organization must follow.

Many businesses cannot commence cloud projects without the appropriate data security practices, which can delay essential data analytics insight. For forward-looking organizations, cloud data security is not a “nice-to-have” proposition; it is critical for long-term success.