In 2023, Businesses Will Prioritize Platform Consolidation For Cloud Data Security

Forbes Technology Council

Ravi Ithal is cofounder and Chief Technology Officer at Normalyze, a data-first cloud security provider for the digital enterprise.

Consolidation will dominate the mindshare of cybersecurity solution buyers during 2023. Larger organizations currently may use 50 or more security products. No wonder they struggle with the complexity of securing the enterprise (and coping with a shortage of more than 700,000 cybersecurity positions). Consolidation of related cybersecurity products into an integrated platform is now mainstream for security service edge (SSE) and becoming so for extended detection and response (XDR). I predict a similar consolidation will begin to occur this year as organizations seek a simpler and more effective way to secure cloud data.

What Makes Securing Cloud Data So Complex?

For many reasons, data is a priceless asset of modern organizations; as such, it is the prime target for attackers. Security leaders are beginning to systematically focus on data with an emerging process called data security posture management (DSPM), but find the complexity of traditional solutions challenges the basic objectives of knowing where sensitive data exists and keeping it safe from attackers.

Complexity goes hand-in-hand with the nature of an organization's use of cloud technology. Tool complexity often plagues DevOps environments with agile processes—especially model-driven organizations that do frequent, extensive training on massive amounts of structured and unstructured data. In those scenarios, sensitive data can be just about anywhere in the public cloud.

“Public cloud” usually means more than one provider. In fact, based on my experience in the industry and research my company has sponsored and conducted, most organizations store sensitive data in more than one infrastructure-as-a-service/platform-as-a-service (IaaS/PaaS) platform. Most organizations also subscribe to multiple software-as-a-service (SaaS) providers, whose services might be hosted by the SaaS provider itself or hosted unseen by a major cloud provider, as AWS does for Apple’s iCloud. Add more services, such as function-as-a-service and data lake providers, and complexity skyrockets. Hybrid environments often connect data sources used by business partners. And there’s sensitive data potentially residing on servers and endpoints located on-premises at an organization or on mobile devices used by employees and contractors. Complexity is almost an understatement!

Integrated Capabilities For Securing Cloud Data

With consolidation at the top of mind, it’s useful to consider fundamental capabilities for securing sensitive data in modern environments that should be integrated into one platform. Clearly, platform options should snap into your environment with native, agentless deployment in any of the major clouds (AWS, Azure, GCP). Integration of existing tools’ data is a must via 100% API access. Primary and fully integrated capabilities prescribed for effective DSPM are:

1. Data Discovery: This is the starting point: figuring out exactly where sensitive data resides in your public cloud stores such as PaaS and block storage. Discovery must include structured and unstructured data formats.

2. Data Classification: Understanding what the data consist of is necessary to identify whether they are sensitive and require specific security controls such as encryption.

3. Access Governance: Access is about who can use specific types of data. For example, access to production data—especially if it’s sensitive—must not be allowed to DevOps unless controls ensure that only authorized users get that right. A governance process in DSPM should automatically address these requirements and monitor for excessive privileges.

4. Risk Management: DSPM is helpful for finding potential points of attacker access that could result in a breach. Attack path detection should include configuration vulnerabilities that might expose cloud-resident sensitive data and potentially vulnerable users who have access rights to the same. Risk management data are vital for swift remediation.

5. Compliance: DSPM automatically detects and classifies regulation-relevant data.
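As an added example that is not part of this article and not Normalyze's code, the following Python sketches capabilities 1 and 2 (discovery and classification) on constructed inputs: it walks two stand-in stores, a structured record as a PaaS database row might look and an unstructured text blob as a support log in block storage might look, flags email addresses, payment card numbers (validated with a Luhn check to cut false positives) and SSN-shaped strings, and prescribes the control each finding needs. The store names, detection patterns and the control policy are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample "stores" (not from the article): one structured record
# and one unstructured text blob, standing in for what a discovery job would
# enumerate from real cloud storage.
SAMPLE_STORES = {
    "orders-db.customers": {            # structured: field -> value
        "customer_id": 1042,
        "email": "jane@example.com",
        "card": "4111 1111 1111 1111",  # standard Luhn-valid test number
        "note": "prefers email contact",
    },
    "support-bucket/ticket-77.txt": (   # unstructured: free text
        "ticket 77: user jane@example.com called about a charge on "
        "4111-1111-1111-1111; ssn on file 123-45-6789"
    ),
}

# Detectors for the data types this example classifies (assumed patterns).
# They are deliberately simple; production classifiers add context rules.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Controls that classification prescribes per label (assumed policy).
REQUIRED_CONTROLS = {
    "email": ("encrypt at rest", "restrict to need-to-know roles"),
    "card": ("encrypt at rest", "tokenize", "exclude DevOps access"),
    "ssn": ("encrypt at rest", "restrict to need-to-know roles"),
}


@dataclass(frozen=True)
class Finding:
    location: str   # store name, plus field name for structured data
    label: str      # which sensitive-data class was found
    controls: tuple # controls the policy requires for that class


def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters out 13-16 digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> list:
    """Return the sorted list of sensitive-data labels present in a value."""
    labels = set()
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "card" and not luhn_ok(match.group()):
                continue        # digit run that fails Luhn is not a card
            labels.add(label)
    return sorted(labels)


def discover(stores: dict) -> list:
    """Walk each store: classify structured values per field, blobs as a whole."""
    findings = []
    for location, content in stores.items():
        if isinstance(content, dict):
            for field, value in content.items():
                for label in classify_text(str(value)):
                    findings.append(
                        Finding(f"{location}.{field}", label, REQUIRED_CONTROLS[label]))
        else:
            for label in classify_text(content):
                findings.append(Finding(location, label, REQUIRED_CONTROLS[label]))
    return findings


if __name__ == "__main__":
    for f in discover(SAMPLE_STORES):
        print(f"{f.location}: {f.label} -> {', '.join(f.controls)}")
```

Running the block lists five findings: the email and card fields of the structured record, and the card, email and SSN present in the unstructured ticket text, each paired with the controls the assumed policy requires. The Luhn filter is the part worth copying: without it, any 13 to 16 digit run (order numbers, timestamps) would be reported as cardholder data and swamp the access-governance step that follows.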

Evaluating Legacy Tools For Securing Cloud Data

Evaluation of your organization’s current tools for cloud data security should weigh them on a two-axis matrix: which of the five DSPM capabilities described above each tool can execute, across each of five typical data storage locations (SaaS apps, PaaS databases, IaaS databases, IaaS block storage and IaaS file storage). Coverage of each cell may be significant, partial or none. Siloed functionality doesn’t work in a consolidated platform approach.

Typical standalone tools may include a cloud access security broker (CASB), SaaS security posture management (SSPM), a configuration management database (CMDB), cloud infrastructure entitlement management (CIEM), cloud security posture management (CSPM) and PrivacyOps.

None of these tools provides all the functionality of DSPM in all cloud storage domains. And while DSPM integrates all of these functions, it may make sense to keep using a standalone tool if your organization has already paid for valuable data in it, such as a CMDB populated with every asset in a Fortune 100 company.

DSPM is not a perfect approach for every organization. DSPM could be overkill if the company:

• Has fewer than a few dozen developers, who carry tribal knowledge of what data is stored where.

• Has a young or small cloud estate.

• Enforces a ban on storing sensitive data in the public cloud.

• Uses SaaS and not IaaS, because SaaS providers should provide good security controls, while with IaaS you’re more on your own.

• Doesn’t use the public cloud at all.

Your evaluation should confirm if DSPM is the right fit for your environment.

Moving Toward The Better Security Posture Of Cloud Data

For many security and compliance professionals, what I’ve said about consolidation is not news. Analysts frequently say users want to simplify enterprise security and compliance by consolidating blocks of related tools into one integrated platform. Many of you have already done this once and are keen to discover a similar path for protecting cloud-resident sensitive data. Provided your organization fits the right profile and need, DSPM fits the bill and will increasingly be the preferred approach for securing and enabling compliance for your No. 1 asset, which is your data.

