Data Protection in the Cloud: 3 Best Practices
February 2023 by Rick Vanover, senior director of product strategy at Veeam
The “Global DataSphere” is exploding in size. IDC predicts that by 2026, the amount of data in the world will have doubled again. While most enterprises have digitised their operations, they continue to add more strategic workloads and create more and more data. So, as the amount of data enterprises have to deal with grows exponentially, moving to the cloud based on an elaborated strategy offers significant benefits like scalability, flexibility and cost-effective storage.
But can this go on forever? Gartner expects total worldwide end-user spending on public cloud services will reach a record $592 billion this year, a 21 per cent increase from 2022. This rapid level of growth and migration raises some concerns at an enterprise level, with fast “lift and shift” migrations meaning best-practices for modern data protection aren’t followed. The Cloud security alliance (CSA) reported that 96% of companies say they have insufficient security for sensitive cloud data - so across the board we have a long way to go on this journey. Here are three best practices for enterprises to protect their data in the cloud.
1. Know your data
The first step to solving any problem is knowing what you’re dealing with. Before you can protect anything, you need to know who’s storing what and where. Is everyone in the business using the same accounts? To make sure this is done right, IT teams often need to play detective or go on a journey of discovery across the business. To find these threads, it is often necessary to look through finances and collect invoices for cloud costs across the organisation.
When brought together, the amount of data kept by most enterprises, whether it was migrated over from on-premises or originally stored in the cloud, is vast. Humans are natural hoarders, and the digital world is no exception. While the “virtual garage” of the cloud can store endless boxes of data, locating everything is only half the battle. In order to know what data is mission-critical and sensitive, you’ll need to classify it. Automated data classification engines can help you sort through and organise - so you’re not blindly trying to protect everything to the nth degree. Once you know exactly what you have stored on the cloud (and where) only then can you start looking at how this data is secured.
As organisations face a fairly low barrier of entry to move data to the cloud, teams may not have prioritised the security and network processes that are required - if the migration happened too fast this can easily be the case. Similarly, because the cloud is a completely different environment to secure, things are often missed - there are lots of new service types that don’t always exist on-premises and many of these need to be protected and recovered in the case of attacks or outages. Examples of these include code in cloud storage, applications that leverage other cloud services and APIs provided in the cloud.
2. Know your responsibilities
A key issue is enterprises often not realising exactly what they’re responsible for regarding security and data protection in the cloud. There is a big gap in awareness of the shared responsibility model on which cloud security is built on. This means they assume the provider is responsible for certain security measures when in reality it’s their job. While it does depend on the cloud provider, typically the provider is responsible for the security of the infrastructure and the physical facilities that host it. Securing applications, data and access to the environment, however, is the responsibility of the customer.
In practice, this means enterprises need to ensure they have backups of all critical and sensitive data stored in the cloud in case of breaches or outages. The best practice is to have multiple backups in different locations (e.g. one on-premises as well as a cloud copy) and have copies of data across different mediums, with at least one copy being kept offsite, offline and immutable - even better yet, all three.
The other core security responsibility that lies with the enterprise is controlling access and privileges. If every user of your cloud has access to God Mode, any breach is going to be devastating. Likewise, if you’re using a single account to do multiple different functions like protection and provisioning. The best practice is to ensure multiple accounts are used across the business, using access and identity management correctly across accounts and subscriptions so you can easily remove the failure domain in the case of a security breach. At a user level, ensure the principle of least privilege is being followed across the cloud environment so that people only have access to the resources and environments they need.
3. Keep it cost-effective
In all likelihood, putting the previous two principles into place will be a significant project for most enterprises. But the good news is the initial heavy lift to do so will not be required again on the same scale. However, to keep the cloud environment healthy and cost-effective long term, it’s important to have cloud data hygiene processes in place.
Ensure you have a proper data life cycle process. Without it, the good work done initially will become ineffective and expensive over time, with the business paying to store and protect the wrong data in the wrong ways. Data needs to be on the right storage platform in the cloud - and this will change during its lifecycle. For example, it might move from block resource to object storage to archive storage. The costs associated with these are variable, so make sure you’re not storing (or backing up) data in inefficient ways.
This is one small part of avoiding eventual “bill shock” for cloud computing and storage costs. Beyond simple data, costs are API costs, data egress (transfer) and more. I always recommend enterprises have an established “cloud economic model” that they follow to prevent costs from piling up and ensure spending matches expectations. To use a real-life analogy, if you leave a light on or forget to cancel a subscription you no longer use, your monthly bills will be higher than expected. If this happens across an enterprise cloud environment, the total tally can be eye-watering.
As enterprises’ (and the world’s) amount of stored data continues to grow over the next five years, the cloud is going to be a vital piece of the puzzle in managing this. Enterprises need to look beyond just storing and protecting their data and look at ways to utilise it and unlock value for their business and their customers. Doing this requires re-factoring for greater agility, but this will also mean the business is prepared for the ‘whatever’. Cloud computing is nothing if not dynamic, and will continue to evolve, with best practise bound to change. If enterprises become data-centric now, both on the cloud and on-premises, they’ll be ready for whatever the future throws their way.