Most, if not all, organizations have some level of cloud usage. The level of this usage may vary from just taking advantage of cloud-based webmail services (like Gmail or O365) to having core business data storage and applications located on cloud infrastructure.
Regardless of the scope of an organization’s cloud deployment, data security is a critical issue in the cloud. Unlike on-premises deployments, where the organization controls the hardware and has visibility into all network traffic to it, cloud resources are hosted on infrastructure owned and operated by a cloud service provider (CSP) and can be directly accessed via the Internet, meaning that traffic does not flow through an organization’s perimeter-based defenses and scanning solutions.
This problem is exacerbated by the fact that many organizations set cloud storage resources to public, making them readable by anyone who knows where to look, and store data in the cloud without any encryption they themselves control. Google Cloud's newly announced External Key Manager and Key Access Justifications features are designed to help solve this problem for organizations using Google Cloud. However, many organizations run multi-cloud deployments across several vendors, meaning that they need data security solutions for the cloud as a whole, not just for a single CSP.
The Challenge of Data Security in the Cloud
While many organizations have transitioned over to using cloud computing, this doesn’t mean that they are comfortable or secure when using it. A large number of recent data breaches have been caused by improperly configuring the security settings provided by an organization’s CSP.
One of the most common mistakes in cloud computing is misconfiguring the access settings on a cloud deployment. Many CSPs present what looks like a simple choice for a storage resource: private or public. A private resource requires every user or service to be explicitly granted access before it can view or edit content; a public one grants access to anonymous principals (on Google Cloud Storage the member allUsers, on Amazon S3 a wildcard "*" principal in the bucket policy). Private is the right choice for almost every situation and is the default for a new bucket, yet many users change it because managing access grants by hand is inconvenient.
A cloud-based resource with its access settings set to public is readable by anyone who can discover the URL, and tools exist specifically to search for cloud deployments that are set to "public". Since cloud resources are accessed over the open Internet, an organization may not even be aware that its cloud-based data has been read by an attacker, particularly if it has not turned on storage access logging, which is typically off by default. Many unsecured cloud deployments are only secured once they are discovered by ethical hackers and reported to the company that owns them.
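The check a practitioner wants at this point is a way to find the public setting before someone else does. The following is an added example, not code from the original article or from any CSP: it scans the two policy documents the major providers hand back for a bucket (a Cloud Storage IAM policy as returned by `gsutil iam get`, and an S3 bucket policy as returned by `aws s3api get-bucket-policy`), flags the grants that open the bucket to the Internet, and produces the corrected Cloud Storage policy beside the weak one. The two policy documents embedded below are constructed for the example; the bucket and group names in them are placeholders.

```python
import json

# Principals that mean "anyone", i.e. the public setting the article warns about.
GCS_PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _as_list(value):
    """Several policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def gcs_public_bindings(policy):
    """Return (role, member) pairs in a Cloud Storage IAM policy that grant
    access to anonymous users or to any Google account holder."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in GCS_PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def harden_gcs_policy(policy):
    """Return a copy of the policy with every public member removed; bindings
    left with no members are dropped. This is the corrected configuration."""
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in GCS_PUBLIC_MEMBERS]
        if members:
            bindings.append({**binding, "members": members})
    return {**policy, "bindings": bindings}


def s3_public_statements(policy):
    """Return (Sid, actions) for Allow statements in an S3 bucket policy whose
    Principal is the wildcard. Conditions are deliberately ignored: a statement
    that is public except for a Condition still deserves a human look."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        )
        if wildcard:
            findings.append((stmt.get("Sid", ""), _as_list(stmt.get("Action"))))
    return findings


# Constructed sample: a bucket that an engineer opened to the world for convenience.
PUBLIC_GCS_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.admin", "members": ["group:data-eng@example.com"]},
  {"role": "roles/storage.objectViewer", "members": ["allUsers"]}
]}""")

# Constructed sample: the equivalent mistake expressed as an S3 bucket policy.
PUBLIC_S3_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
]}""")


if __name__ == "__main__":
    print("GCS public grants:", gcs_public_bindings(PUBLIC_GCS_POLICY))
    print("GCS hardened policy:", json.dumps(harden_gcs_policy(PUBLIC_GCS_POLICY)))
    print("S3 public statements:", s3_public_statements(PUBLIC_S3_POLICY))
```

The hardened policy keeps the group grant and drops only the anonymous one, which is what `gsutil iam set` should be fed afterwards. Note what this check does not cover: S3 object ACLs and the account-level Block Public Access setting are separate controls, and a bucket can be exposed through either even when its bucket policy is clean.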
Data Security in Google Cloud
A cloud resource that is set to public isn't the end of the world if the data in it is otherwise protected. If cloud-based resources are encrypted with a key that the attacker cannot reach, then exploiting the poorly configured access settings only yields ciphertext that the attacker is unable to decrypt and read. The caveat is that the provider's default encryption at rest does not give this protection: it is transparent to anyone the access policy lets in, so a public bucket serves plaintext regardless. The protection only exists when the key is held and gated outside the provider's access path. Since only about 40% of data stored in the cloud is reported to be properly encrypted, the majority of improperly-secured cloud deployments leak sensitive data.
Google is trying to address this problem in its cloud offering and has announced additional features to help accomplish this. While Google Cloud already encrypts stored user data by default with Google-managed keys, the new External Key Manager and Key Access Justifications are designed to move custody of the keys, and the decision to use them, into the customer's hands.
One of the main challenges with data encryption in the cloud is balancing security and accessibility. In order to read data stored in the cloud, a user needs access to the corresponding decryption key, which makes it tempting to store the key in the cloud as well so that the resources remain accessible from anywhere. However, this undermines the security of the deployment, since an attacker who gains access to the cloud environment can gain access to the keys as well and decrypt the data.
Google Cloud's External Key Manager is designed to help with this problem by letting customers keep their encryption keys in a key manager outside Google Cloud, where Google's services must request the key each time they need it. Key Access Justifications attach a stated reason to every such request, so the external key manager can apply a policy to each access, approving or denying it (and even automating that decision) rather than handing the key over unconditionally.
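The pattern the two features implement is envelope encryption with the key-encryption key held off-cloud and every use of it gated by a justification. The following is an added example, not Google's code and not the real EKM protocol: it models the provider side as something that stores only ciphertext plus a wrapped data-encryption key, and the customer side as a key manager that never releases its key-encryption key, logs every request with its justification, and refuses the ones its policy does not allow. The justification strings are modeled on the published reason-code names but are assumptions for this example, and the cipher is a stand-in built from HMAC-SHA256 so the block runs on the standard library alone (a real deployment would use AES-GCM or the provider's KMS).

```python
import hashlib
import hmac
import secrets


class KeyAccessDenied(Exception):
    """The external key manager refused to use its key for this justification."""


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in for AES)."""
    blocks = (length + 31) // 32
    return b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with domain-separated subkeys. Output: nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before touching the ciphertext; ValueError on tampering."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ExternalKeyManager:
    """Customer-controlled side. The key-encryption key is generated here and
    never returned; callers only ever get wrapped or unwrapped data keys, and
    only when the justification on the request is on the allow list."""

    def __init__(self, allowed_reasons):
        self._kek = secrets.token_bytes(32)
        self.allowed_reasons = set(allowed_reasons)
        self.audit = []  # (operation, justification, decision) for every request

    def _authorize(self, operation, reason):
        decision = "ALLOW" if reason in self.allowed_reasons else "DENY"
        self.audit.append((operation, reason, decision))
        if decision == "DENY":
            raise KeyAccessDenied(f"{operation} refused for justification {reason}")

    def wrap(self, dek, reason):
        self._authorize("wrap", reason)
        return seal(self._kek, dek)

    def unwrap(self, wrapped_dek, reason):
        self._authorize("unwrap", reason)
        return unseal(self._kek, wrapped_dek)


class CloudStorage:
    """Provider side. Holds ciphertext and a wrapped data key per object;
    nothing stored here can decrypt anything without a trip to the EKM."""

    def __init__(self, ekm):
        self.ekm = ekm
        self.objects = {}

    def put(self, name, data, reason="CUSTOMER_INITIATED_ACCESS"):
        dek = secrets.token_bytes(32)           # fresh data key per object
        wrapped = self.ekm.wrap(dek, reason)    # only the wrapped form is kept
        self.objects[name] = (seal(dek, data), wrapped)

    def get(self, name, reason):
        ciphertext, wrapped = self.objects[name]
        dek = self.ekm.unwrap(wrapped, reason)  # raises KeyAccessDenied on policy miss
        return unseal(dek, ciphertext)


if __name__ == "__main__":
    # Assumed policy: customer-initiated reads are fine, anything else is not.
    ekm = ExternalKeyManager(allowed_reasons={"CUSTOMER_INITIATED_ACCESS"})
    store = CloudStorage(ekm)
    store.put("payroll.csv", b"alice,120000\n")           # constructed sample data
    print(store.get("payroll.csv", "CUSTOMER_INITIATED_ACCESS"))
    try:
        store.get("payroll.csv", "THIRD_PARTY_DATA_REQUEST")
    except KeyAccessDenied as exc:
        print("denied:", exc)
    print(ekm.audit)
```

The point to notice is where the decision lives: the provider can be fully compromised, or the bucket fully public, and the attacker still has to get the EKM to say ALLOW. The audit list is the second half of the value, since a denied `THIRD_PARTY_DATA_REQUEST` entry is evidence the organization would otherwise never see.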
Securing the Cloud
Google Cloud's External Key Manager and Key Access Justifications help to secure data in Google Cloud. By keeping the encrypted data and the encryption keys on separate systems, and by requiring a justification for every use of the keys, the new functionality makes it more difficult for an attacker to both reach and decrypt sensitive data stored in the cloud.
Unfortunately, this new functionality is limited to Google Cloud, and many organizations currently have multi-cloud deployment strategies using products from several different CSPs. As a result, it can be difficult to properly secure sensitive data stored on the cloud and to enforce consistent security policies across cloud deployments.
This is why a standalone, cloud-native data security solution may be a good choice for many organizations with cloud deployments. Rather than managing access to cloud resources separately within each provider's own controls, an organization can apply one consistent set of policies across its on-premises and cloud infrastructure. This enables it to automatically discover repositories of sensitive data, check their configuration for exposure, and manage access to them, so that the data is protected regardless of where it is stored.