How to protect your data in the cloud - from choosing a provider to examining compliance with regulations
Cloud computing is the provision of computing services such as servers, storage, databases, networks, software, analytics and intelligence over the Internet. Cloud computing offers many advantages, such as scalability, flexibility, cost-effectiveness and innovation. However, cloud computing also poses significant challenges to information security, as data and applications move out of the organization's traditional perimeter and into the cloud, where they may be exposed to various threats and vulnerabilities.
According to a McAfee report, cloud adoption will grow by 50% in 2023, driven by the COVID-19 pandemic and the shift to remote work. However, the report also found that 79% of organizations experienced at least one cloud-related security incident in the past year, such as data breaches, stolen credentials, malware infections, denial-of-service attacks or insider threats.
The report also outlined the top cloud security challenges facing organizations, such as lack of visibility, misconfiguration, unauthorized access, compliance issues and data loss.
In this article, we'll discuss some of the best practices and recommendations for protecting your data in the cloud, based on the latest standards and guidelines from industry and academia. We will deal with the following topics:
- How to choose a secure cloud service provider
- How to implement data encryption and key management
- How to enforce access control and identity management
- How to monitor and audit cloud activities and incidents
- How to comply with legal and regulatory requirements
How to choose a cloud service provider:
The first step in ensuring the security of your data in the cloud is choosing a reputable and reliable cloud service provider (CSP). A CSP is a company that offers cloud computing services to customers, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). The CSP is responsible for the physical and logical security of the cloud infrastructure, such as servers, networks, storage and the hypervisor. However, the CSP is not responsible for the security of the data and applications that the customer uploads or runs in the cloud. This is known as the shared responsibility model, where the CSP and the customer share responsibility for securing the cloud environment.
To choose a CSP that emphasizes data security, you should consider the following factors:
- The CSP's security policies and procedures, such as how they protect their infrastructure, how they handle incidents, how they respond to requests from law enforcement or third parties, and how they notify customers of any breaches or changes.
- The CSP's security certifications and authorizations, such as ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR and others. These are standards and regulations detailing the requirements and recommended methods for managing information security in various fields and industries. A CSP that has obtained these certifications and authorizations demonstrates that it has implemented the necessary controls and measures to ensure the security of its customers' services and data.
- The security features and options offered by the CSP, such as encryption, key management, access control, identity management, logging, auditing, backup, recovery, and more. These are tools and mechanisms that allow the customer to improve the security of his data and applications in the cloud, according to his specific needs and preferences.
- The security agreements and contracts between the CSP and the customer, such as the Service Level Agreement (SLA), the Terms of Service (TOS), the Privacy Policy and the Data Processing Agreement (DPA). These are documents that define the roles and responsibilities of the CSP and the customer, the scope and quality of the services, the rights and obligations of both parties and the remedies and obligations in case of disputes or violations.
Before choosing a CSP, you should perform a thorough assessment and evaluation of the above factors, and compare different CSPs based on their security performance and reputation. You should also consult with your legal and compliance teams to ensure that the CSP complies with your regulations and co.
How to implement data encryption and key management
The second step in ensuring the security of your data in the cloud is implementing data encryption and key management. Data encryption is the process of turning data into an unreadable form, using a secret key and an algorithm. Data encryption prevents unauthorized access, modification or disclosure of data, even if the data is intercepted or stolen. Key management is the process of creating, storing, distributing, rotating, revoking and destroying the secret keys used to encrypt data. Key management ensures the availability, integrity and confidentiality of keys, and prevents key breach or loss.
- There are two types of data encryption: encryption at rest and encryption in transit. Encryption at rest is the encryption of data when it is stored on a device or medium, such as a disk, tape or cloud storage service. Encryption in transit is the encryption of data as it is transmitted over a network or channel, such as the Internet, a VPN, or a cloud service. Both types of encryption are essential to protecting your data in the cloud, as the data may be exposed to various threats and vulnerabilities during storage or transmission.
- There are also two types of key management: server-side encryption and client-side encryption. Server-side encryption is the encryption of data by the CSP, using keys generated and managed by the CSP. Server-side encryption is convenient and easy to use, since the client does not have to worry about data encryption and decryption, or key management. However, server-side encryption also means that the client must trust the CSP with the security and privacy of its data and keys, and that the CSP may have access to the data and keys, or may be forced to disclose them to law enforcement or third parties. Client-side encryption is the encryption of data by the client, using keys that are generated and managed by the client. Client-side encryption is more secure and private, because the client has full control over its data and keys, and the CSP has no access to the data or keys and cannot disclose them to anyone. However, client-side encryption also means that the client has to take care of data encryption and decryption, and key management, which can be complex and challenging.
To implement data encryption and key management, you should consider the following factors:
- The sensitivity and value of your data, such as personal data, financial data, health data, intellectual property, trade secrets and others. The more sensitive and valuable your data, the stronger the encryption and key management you need to apply, and the more you should prefer client-side encryption over server-side encryption.
- The type and level of encryption and key management offered by the CSP, such as symmetric encryption, asymmetric encryption, hybrid encryption, hashing, digital signatures, key length, key rotation, key backup, key recovery, and more. These are different methods and techniques that affect the security and performance of encryption and key management. You should choose the encryption and key management that best meets your security requirements and expectations, and that are compatible with your applications and devices.
- The cost and complexity of encryption and key management, such as the hardware, software, manpower and time required to implement and maintain encryption and key management. Encryption and key management may add cost and complexity to cloud operations, such as increased storage space, reduced processing speed, increased bandwidth, increased latency, more human errors, and more. It is important to balance the pros and cons of encryption and key management, and optimize your encryption and key management processes.
How to enforce access control and identity management
The third step in ensuring data security in the cloud is to enforce access control and identity management. Access control is the process of granting or denying access to data and resources, based on the identity and attributes of users and devices. Identity management is the process of authenticating and managing the identity and attributes of users and devices, such as usernames, passwords, roles, permissions, credentials, and others. Access control and identity management ensure that only authorized and authenticated users and devices can access your data and resources in the cloud, and that unauthorized and unauthenticated users and devices are blocked or restricted.
There are three types of access control: Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access Control (RBAC). DAC is access control where the owner of the data or resource decides who can access it, and can delegate or revoke access rights to others. MAC is access control where access rights are determined by a central authority or policy, and cannot be changed by the owner or user. RBAC is access control where access rights are based on users' roles and responsibilities, and assigned by an administrator or system.
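The three models differ in who makes the access decision. The following sketch is an added example, not code from the original article; every user, role and label in it is hypothetical, and the "no read up, no write down" rule is one common MAC policy chosen here as an assumption.

```python
# Added illustration: one decision function per access-control model.
# All users, roles, labels and resources below are constructed examples.

class DacResource:
    """DAC: the owner keeps the access list and decides who may extend it."""
    def __init__(self, owner):
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, granter, user, rights):
        # Only a principal that holds "grant" may delegate access.
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not delegate access")
        self.acl.setdefault(user, set()).update(rights)

    def revoke(self, granter, user):
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not revoke access")
        self.acl.pop(user, None)

    def allowed(self, user, action):
        return action in self.acl.get(user, set())  # unknown user: deny

# MAC: a central policy compares the user's clearance with the data label.
# Neither the owner nor the user can change the outcome.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allowed(clearance, label, action):
    if action == "read":    # no read up
        return LEVELS[clearance] >= LEVELS[label]
    if action == "write":   # no write down
        return LEVELS[clearance] <= LEVELS[label]
    return False

# RBAC: an administrator maps roles to permissions and users to roles.
ROLE_PERMS = {
    "auditor": {("logs", "read")},
    "storage-admin": {("bucket", "read"), ("bucket", "write")},
}
USER_ROLES = {"dana": {"auditor"}, "omar": {"auditor", "storage-admin"}}

def rbac_allowed(user, resource_type, action):
    roles = USER_ROLES.get(user, set())  # user without roles: deny
    return any((resource_type, action) in ROLE_PERMS.get(r, set()) for r in roles)
```

All three functions deny by default: a user, label or role that the policy does not mention gets no access.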
How to monitor and audit cloud activities and incidents:
Cloud monitoring and auditing are processes that include collecting, analyzing, and reporting on the performance, availability, security, and compliance of cloud resources and services. Cloud monitoring and auditing can help organizations:
- Detect and respond to information security incidents and breaches
- Identify and mitigate vulnerabilities and threats in the cloud
- Ensure compliance with information security standards and regulations
- Optimize the utilization and efficiency of cloud resources
- Improve cloud service quality and customer satisfaction
There are various methods and tools that can be used to monitor and audit cloud activities and events. Some of the recommended methods and steps include:
- Understand the attack surface of the cloud environment: Organizations need to identify and analyze all the cloud assets and services they use, and map the interdependencies and relationships between them. Organizations should also monitor the configuration and status of cloud assets and services, and identify any changes or anomalies that could indicate a security issue.
- Set up strong access controls and encryption: Organizations need to implement strong authentication and authorization mechanisms to control who can access cloud resources and services, and what actions they can perform. Organizations also need to encrypt data in transit and at rest, and manage encryption keys securely.
- Establish external sharing and collaboration standards: Organizations should define and enforce policies and rules for sharing and collaborating with external parties, such as customers, partners or suppliers. Organizations should also monitor and control the activities and permissions of external users, and revoke access when necessary.
- Keep cloud systems and applications updated: Organizations need to update their cloud systems and applications with the latest security updates. Organizations should also test the compatibility and functionality of updates before deploying them to production environments.
- Use cloud-native or third-party cloud monitoring and auditing tools: Organizations can leverage the tools and services built into or offered by cloud service providers, such as AWS CloudTrail, Azure Monitor, or Google Cloud Operations, to monitor and audit cloud activities and incidents. Alternatively, organizations can use third-party tools and solutions, such as BitSight, Exabeam or DevOps, to improve their cloud monitoring and auditing capabilities.
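As an added example (not part of the original article), the check below shows what "identify any changes or anomalies" can look like when applied to audit records. It assumes records shaped like AWS CloudTrail events; the sample records, user names and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed CloudTrail-style records: the field names follow the CloudTrail
# record format, every value (account, users, events) is invented.
def ev(name, user, **extra):
    arn = f"arn:aws:iam::111122223333:user/{user}"
    return {"eventName": name, "userIdentity": {"arn": arn}, **extra}

SAMPLE_EVENTS = [
    ev("ConsoleLogin", "alice", responseElements={"ConsoleLogin": "Success"},
       additionalEventData={"MFAUsed": "Yes"}),
    ev("ConsoleLogin", "bob", responseElements={"ConsoleLogin": "Success"},
       additionalEventData={"MFAUsed": "No"}),
    ev("PutBucketPolicy", "bob"),
    ev("GetObject", "carol", errorCode="AccessDenied"),
    ev("GetObject", "carol", errorCode="AccessDenied"),
    ev("ListBuckets", "carol", errorCode="AccessDenied"),
    ev("StopLogging", "bob"),
    ev("DescribeInstances", "alice"),
]

AUDIT_TAMPERING = {"StopLogging", "DeleteTrail"}      # trail switched off or removed
CONFIG_CHANGES = {"PutBucketAcl", "PutBucketPolicy",  # changes that deserve a review
                  "DeleteBucketEncryption", "AuthorizeSecurityGroupIngress"}
DENIED_THRESHOLD = 3  # assumed value; tune it to the environment's baseline

def review(events):
    """Return (severity, rule, principal, detail) tuples for events to triage."""
    findings, denied = [], Counter()
    for e in events:
        name = e.get("eventName")
        who = e.get("userIdentity", {}).get("arn", "unknown")
        if e.get("errorCode") == "AccessDenied":
            denied[who] += 1  # failed calls are counted, not reported one by one
        elif name in AUDIT_TAMPERING:
            findings.append(("high", "audit-logging-changed", who, name))
        elif name in CONFIG_CHANGES:
            findings.append(("medium", "security-config-changed", who, name))
        elif name == "ConsoleLogin":
            ok = (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            mfa = (e.get("additionalEventData") or {}).get("MFAUsed")
            if ok and mfa != "Yes":
                findings.append(("medium", "console-login-without-mfa", who, name))
    for who, count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append(("medium", "repeated-access-denied", who, f"{count} denied calls"))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_EVENTS):
        print(finding)
```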
How to comply with legal and regulatory requirements in a cloud environment:
Legal and regulatory requirements in a cloud environment can vary by industry and geography. Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws enforced by the governing bodies in its geography or the rules required by voluntarily adopted industry standards.
For example, if you handle healthcare data, you may need to comply with the Health Insurance Portability and Accountability Act (HIPAA). If you handle credit card information, you may need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Cloud providers strive to ensure that their platforms and services comply with the relevant regulations. However, organizations should also confirm that their applications, the infrastructure on which these applications depend, and the services provided by third parties are also certified as compliant.
To maintain compliance standards in the cloud, it is important to classify the information assets; to include in the contract the right to audit the cloud environment, an exit strategy, a business continuity plan, and procedures and controls for managing IT services and re-planning operations; and to have a model for ensuring the right team structure and capabilities to manage cloud services.
If you need more detailed information about Azure compliance offerings, you can visit the Microsoft Trust Center. They have a wealth of information on how to implement a compliance strategy.
The author of the article: Idan Zabri, VP of expert services and information security