Don’t let your organization fall victim to data exposure; a well-defined strategy will cover all aspects of the cloud shared responsibility model and keep your data secure.

Not long ago, security concerns were the number one reason IT executives hesitated to move workloads to the cloud. Much has changed since then. Security is now considered one of the great strengths of both cloud infrastructure and software-as-a-service (SaaS) platforms. But that doesn’t mean total security is assured. The most hardened platforms in the world are only as effective as the people who use them.

All cloud services operate under a shared responsibility model. Platform, software and service providers pledge to maintain security at the physical infrastructure and network level, but none will shoulder the burden of protecting customer workloads and data. “The shared responsibility model is fundamental to understanding how security in the cloud works,” says Thyaga Vasudevan, Vice President of Product Management, Skyhigh Security.

In the case of cloud infrastructure, users are responsible for application security, identity and access management, client and endpoint protection, data classification and user behavior. The same holds true in a SaaS environment, although software and service providers assume a somewhat greater role in application and access controls.

Yet these distinctions do not seem to be well understood, especially in light of Gartner’s prediction that “through 2025, 99% of cloud security failures will be the customer’s fault.” Indeed, some of the most widely publicized data exposure incidents in recent years have been the result of configuration errors that left sensitive data out in the open.

Big-picture view with Security Service Edge

To get control over an increasingly diverse environment, customers need to take a holistic, data-aware approach that discards traditional device and perimeter protections in favor of policies, access controls and data protection. That requires a disciplined strategy for classifying and tagging data. Once data is classified, protections appropriate to its sensitivity level can be applied, such as encryption, multifactor authentication, and identity and access management controls.

Device-level controls are ineffective in an environment in which applications and data are distributed across multiple internal and external services. COVID-19-related lockdowns have made the situation even more challenging as security teams lost the protection of the firewall.

But those obstacles have also given rise to new innovations like Security Service Edge (SSE), which redefines controls at the user level rather than the device level. This enables IT organizations to “extend the same set of policies on endpoints all the way to the cloud such that they work consistently for all data, whether on AWS S3 storage or in a Microsoft 365 folder,” Vasudevan says.

An SSE portfolio encompassing Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), Cloud Data Loss Prevention (DLP), Remote Browser Isolation technology, Cloud Firewall and Cloud Native Application Protection Platform (CNAPP) simplifies the security landscape by enabling security administrators to set policies that apply across the full range of on-premises and cloud services. This is not only more effective than traditional perimeter controls but also delivers a better user experience: administrators can go beyond data access and focus on data use, so users can collaborate from any device and from anywhere without sacrificing their security.

Gaining access to enterprise resources used to require remote users to tolerate the performance penalties of logging on to a virtual private network. “Now that’s not needed,” Vasudevan says. “I can use single sign-on to access my applications portal and get to whatever I need under a zero-trust policy.”

Comprehensive cloud security is a shared responsibility. A holistic approach to data protection ensures that customers are holding up their side of the bargain.