When it comes to sensitive data, the ‘wild west’ approach that characterized the early 2000s is gone. Dozens of data protection frameworks have emerged amid increased regulation and concerns over privacy, security and identity theft. These frameworks create obligations for organizations, and violations can result in legal liability, fines and higher insurance premiums. More than ever, compliance is a priority for engineering, security and legal departments.
When it comes to the cloud, things get complicated. Compliance frameworks demand tight control and visibility over sensitive data, which can be at odds with cloud adoption and data democratization. Today’s blog post outlines several strategies to help bring cloud data under the compliance umbrella through culture, technology and security practices.
Staying Compliant Is No Easy Task
Organizations that handle sensitive data need to comply with multiple complex frameworks that govern the way they handle, process and secure this data. We’ve collected some examples.
Framework | Applications | Data Protection Requirements |
GDPR | Organizations processing personal data of EU residents | |
HIPAA | Healthcare providers, health plans and clearinghouses; organizations that handle or process protected health information (PHI) | |
SOC 2 | Service organizations (including SaaS companies) that store, process, or transmit customer data | |
PCI DSS | Organizations that store, process, or transmit cardholder data | |
A midsize or larger organization will unavoidably need to comply with several frameworks — either due to legislation (GDPR) or industry standards (SOC 2). For organizations that operate in highly regulated industries, the compliance overhead can easily be multiplied.
While on-prem and cloud compliance requirements have become more stringent, the cloud has made data protection more difficult to manage.
Digital data collection, decoupled storage and compute, and the trend of democratizing access to data combine to encourage ‘data hoarding’ behaviors. Organizations want to collect and indefinitely retain any data they can get their hands on, and it’s easier than ever to spin up new data services and move data between environments. This creates an ongoing operational challenge to understand which sensitive data the organization stores, where (and how) it’s stored, and who has access to it at any given moment.
In the next sections, we’ll outline the key challenges in cloud data compliance and suggest ways to overcome them.
Enforcing Accountability in Sprawling Cloud Environments
Responsibility over cloud compliance is shared by multiple stakeholders. In most enterprises, you'll find a clear delineation:
- Compliance departments set and oversee the policies, alongside legal and risk.
- Cloud engineering and security teams are responsible for implementing the tools and technologies needed to comply with said policies.
- Data owners (business or engineering units) need to ensure their requirements for collecting and retaining data are realistic business needs.
- Data security and engineering teams need to modify or build data pipelines to avoid violations.
- HR is responsible for educating new employees on data protection policies.
But even though responsibilities are typically well-defined, they’re difficult, in practice, to enforce. Cloud data doesn’t typically live in a single monolithic data warehouse but rather is spread across a variety of purpose-oriented datastores — object storage, virtual machines and managed services. Much of this infrastructure is managed by third parties and can’t be monitored by agent-based solutions. Access to data has also been democratized, which means it’s rarely managed exclusively by a centralized IT team. All these factors create ample opportunities for noncompliance and make effective enforcement and monitoring nearly impossible.
Organizations should build robust, technology-enabled processes to increase visibility over cloud data. Security and compliance teams need to have a single place where they can monitor all sensitive data assets, identify risk exposure, and map required controls (like encryption or anonymization) to the relevant framework. Data flows between environments and storage locations should be clearly understood to identify all compliance-related assets and the relevant data owners, and to swiftly remediate violations.
Addressing the Human Factor: Education and Automation
Compliance efforts often get sidelined by cultural issues and misaligned incentives. The people working with data — business analysts, executives or engineers — want to use data to increase productivity or unlock new revenue opportunities. Cloud compliance isn’t part of their job description.
There are few rewards for reporting a policy violation — in fact, it might entail headaches via audits, investigations, debriefs and finger-pointing. Employees (who aren’t security professionals) might brush aside noncompliant practices, justified by the need to get the job done and not be held back by red tape.
Organizations need to continuously engage and educate stakeholders to encourage a culture of transparency. This can be achieved through regular training sessions, workshops and open communication channels, including anonymous ones. Employees need to understand that there are no penalties for reporting a violation, even when doing so pushes a deadline.
At the same time, CISOs should explore automation that removes dependency on the human factor. Security teams should be able to detect and classify sensitive data in any cloud datastore that’s managed by the business — including shadow data assets, which tend to go under the radar. While this won’t remove the need for education and oversight, it can simplify the ability to identify violations and delegate tasks to data owners, while minimizing reliance on the good will of employees.
Confronting the Complexity of Cloud Environments
The proliferation of cloud services, infrastructures and platforms makes it difficult to maintain visibility and control over sensitive data. It’s common for modern enterprises to rely on multiple public cloud providers for different analytical use cases. Even a relatively small company might run its marketing analytics in Google BigQuery, its customer-facing dashboards in Snowflake, and use Amazon’s S3 and Athena to analyze system logs. Data regularly flows between services, including sensitive data that needs to comply with residency, access control or other compliance requirements.
And this is still a simple scenario. Things get considerably messy when you add microservices, containers and ephemeral databases spun up on virtual machines. It’s easy for noncompliant data or misconfigurations to ‘hide’ in this intricate web of storage, analytics and data processing tools.
To achieve continuous data compliance, organizations need cybersecurity solutions that are focused on data. Data loss prevention solutions need to adapt to the realities of the cloud to provide agentless, context-aware and timely protection of sensitive data assets — while cutting through the inherent complexity and data sprawl that comes with the use of cloud services.
Preventing Compliance Violations and Protecting Sensitive Data with DSPM and DDR
Data security posture management (DSPM), along with data detection and response (DDR) solutions, play a key role in protecting sensitive data, ensuring compliance requirements are continuously met, and preventing data breach incidents. In this section, we’ll explain how you can use these tools as part of your compliance strategy.
Classify Your Data
Use DSPM to automate data discovery and classification to gain a comprehensive, up-to-date understanding of your sensitive data landscape.
- Identify any cloud database or blob storage location that contains sensitive data.
- Track data as it moves between storage, processing and analytics services.
- Inventory all sensitive data assets, including structured and unstructured data.
- Map data assets to relevant compliance standards or controls and determine which data assets fall under regulations (e.g., GDPR, HIPAA or PCI DSS).
- Identify the controls that apply to each data asset, such as encryption, access control or data retention policies. For example, GDPR requires you to identify and protect personally identifiable information (PII); PCI DSS sets specific requirements for payment cards.
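As an added illustration of the discovery-and-classification step (not code from this post or from any DSPM product), the Python sketch below classifies rows by cell content and column name, then rolls the result up to the frameworks whose controls apply to the datastore. The detectors, the PHI column names, the framework mapping and the sample rows are constructed assumptions for the example.

```python
import re
# Constructed, deliberately small detector set; a real DSPM ships far richer classifiers.
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")   # personal data -> GDPR
PAN_RE = re.compile(r"^(?:\d[ -]?){13,19}$")            # cardholder data -> PCI DSS
PHI_COLUMNS = {"diagnosis", "mrn", "icd10"}             # schema hints -> HIPAA
FRAMEWORKS = {"pii": "GDPR", "pan": "PCI DSS", "phi": "HIPAA"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps random digit runs from being reported as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_value(column: str, value: str) -> set:
    """Data kinds ('pii', 'pan', 'phi') found in one cell, by content and column name."""
    kinds = set()
    if not value:
        return kinds
    if column.lower() in PHI_COLUMNS:
        kinds.add("phi")
    if EMAIL_RE.match(value):
        kinds.add("pii")
    if PAN_RE.match(value) and luhn_ok(re.sub(r"[ -]", "", value)):
        kinds.add("pan")
    return kinds

def classify_record(record: dict) -> dict:
    """Map each sensitive column to its data kinds and the frameworks that apply."""
    findings = {}
    for col, val in record.items():
        kinds = classify_value(col, str(val))
        if kinds:
            findings[col] = {"kinds": sorted(kinds),
                             "frameworks": sorted({FRAMEWORKS[k] for k in kinds})}
    return findings

def inventory(datastore: str, rows: list) -> dict:
    """Roll findings up to the asset: which frameworks' controls apply to this store."""
    applicable = set()
    for row in rows:
        for finding in classify_record(row).values():
            applicable.update(finding["frameworks"])
    return {"datastore": datastore, "frameworks": sorted(applicable)}

SAMPLE_ROWS = [  # constructed; the card number is a well-known test PAN, not a real one
    {"id": 1, "email": "alice@example.com", "card": "4111 1111 1111 1111", "diagnosis": "J45.9"},
    {"id": 2, "email": "n/a", "card": "1234 5678 9012 3456", "diagnosis": ""},
]
```

The Luhn check is what keeps the second row's digit run out of the PCI DSS inventory; without it, every 16-digit identifier would be flagged as cardholder data.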
Prevent Misconfigurations That Can Affect Compliance
Misconfigurations are a common cause of security vulnerabilities and compliance breaches in cloud environments. Security teams, however, are already overwhelmed. Chasing every misconfiguration across hundreds of cloud datastores is unrealistic. DSPM allows you to narrow your focus to sensitive data that can pose a cloud compliance risk.
Least Privilege
See who has access to compliance-related data and remove unneeded permissions. You want to implement strong access control policies and ensure that access to sensitive data is granted on a need-to-know basis, following the principle of least privilege.
Encryption
Find unencrypted data. Various frameworks, including the CCPA, require organizations to encrypt sensitive data in transit and at rest. DSPM tools can highlight unencrypted datastores.
Monitor for Configuration Changes
Use real-time data detection and response (DDR) to get alerts when sensitive data is exposed through a change in permission, encryption or replication settings.
Respond to Compliance Incidents on Time
Compliance isn't just about passing an audit. You want to maintain a proactive approach and address issues when they arise — longer periods of noncompliance (e.g., between audits) increase risks and potential liabilities. Remediating violations and incidents in real time minimizes the length of noncompliant periods, reduces the potential for data breaches, preserves customer trust, and helps avoid hefty fines. Data detection and response capabilities allow you to tackle the most important policy violations promptly and effectively.
Monitor Sensitive Data in Real Time
DDR allows organizations to detect unauthorized access, changes to access controls, or data exposure. For example, data might be moved from a production environment within the EU to a dev environment outside of the EU — violating GDPR data residency requirements. Real-time monitoring enables security teams to respond quickly and mitigate the risk before it turns into a major incident.
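The posture checks above (least privilege, encryption, configuration changes) and the residency scenario in this section, as an added Python example that is not the post's or Prisma Cloud's code: it evaluates only datastores that hold regulated data, and re-evaluates an asset after a change event so that only the findings the change introduced are raised. The region set, the principal threshold and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

EU_REGIONS = {"eu-west-1", "eu-central-1"}   # constructed illustrative region set
MAX_PRINCIPALS = 5                            # constructed least-privilege threshold

@dataclass
class Datastore:
    name: str
    region: str
    frameworks: set                 # output of classification, e.g. {"GDPR"}
    encrypted: bool = True
    public: bool = False
    principals: set = field(default_factory=set)

def posture_findings(ds: Datastore) -> set:
    """Posture checks, raised only when the store holds regulated data."""
    findings = set()
    if not ds.frameworks:
        return findings              # no regulated data: not worth chasing
    if not ds.encrypted:
        findings.add(("unencrypted", ds.name))
    if ds.public:
        findings.add(("public-access", ds.name))
    if "GDPR" in ds.frameworks and ds.region not in EU_REGIONS:
        findings.add(("residency", ds.name))
    if len(ds.principals) > MAX_PRINCIPALS:
        findings.add(("broad-access", ds.name))
    return findings

def apply_event(inv: dict, event: dict) -> list:
    """DDR-style handler: apply one configuration change, return the findings it introduced."""
    ds = inv[event["store"]]
    before = posture_findings(ds)
    if event["change"] == "replicate":          # a copy of the data lands in another region
        ds = Datastore(event["target"], event["region"], set(ds.frameworks),
                       ds.encrypted, ds.public, set(ds.principals))
        inv[ds.name] = ds
        before = set()                          # new asset: every finding on it is new
    elif event["change"] == "encryption":
        ds.encrypted = event["enabled"]
    elif event["change"] == "grant":
        ds.principals.add(event["principal"])
    return sorted(posture_findings(ds) - before)

INVENTORY = {  # constructed sample assets
    "prod-eu-customers": Datastore("prod-eu-customers", "eu-west-1", {"GDPR"}, principals={"app"}),
    "build-cache": Datastore("build-cache", "us-east-1", set(), encrypted=False),
}
```

Replicating the EU customer store to a US region yields a single residency finding on the new copy, while the unencrypted build cache, which holds no regulated data, never surfaces.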
Streamline Incident Response
DDR solutions allow organizations to prioritize incidents based on their risk level and automatically generate alerts for high-priority events. This ensures that security teams can focus on the most critical incidents and mitigate them in a timely manner.
Automate remediation flows by integrating your DDR alerts into SIEM and SOAR platforms.
Get in Touch for a Cloud Risk Assessment
Prisma Cloud helps organizations in highly regulated industries to protect sensitive data across complex cloud environments. Our data security solution combines DDR and DSPM capabilities to provide end-to-end risk analysis and near real-time protection.
Get in touch today to set up a risk-free proof of concept in your environment. You’ll be able to see all your sensitive data and related policies within minutes, without any risk to performance or production environments.