Data Security Posture Management (DSPM): Find and Secure Cloud Data

As the world becomes more technologically advanced, digital transformation affects how we work, communicate, entertain ourselves, socialize, buy, trade information, and so much more. Organizations have had to transform and migrate both systems and data to the cloud, so that their developers and data scientists can innovate at the speed with which users expect new services. But as data proliferates across the cloud, so too does the risk of a breach of this data. Decoupling data growth from data risk requires data security posture management (DSPM).

Legacy on-premises data security solutions can’t keep up with the speed of change and the scope of data proliferation in the cloud. If innovative organizations want to keep their data secure, a new breed of cloud-native data security solutions such as DSPM must be considered as a fundamental part of a larger comprehensive cloud data security program.

With DSPM, organizations can now see and classify all of their cloud data, known and unknown; understand what data is not adhering to their data policies and therefore presents a risk to the organization; and quickly discern how to mitigate or remove the risk presented by that data. Understanding, analyzing, and managing your risk at that level, particularly risk to your organization’s most sensitive information, will result in a considerably stronger security posture and better compliance.

What Is Data Security Posture Management (DSPM)?

In July 2022, Gartner’s Market Guide for Data Loss Prevention mentioned “DSPM” for the first time. The analyst firm subsequently included it in their 2022 Hype Cycle for Data Security. In this article, we aim to unpack the fairly new idea of DSPM, how it protects data in hyper-complex cloud environments and differs from cloud security posture management (CSPM), and what characteristics organizations should look for in a DSPM solution.

Data security posture management, sometimes known as cloud data security posture management (CDSPM), is a framework for protecting data in the cloud that gives an organization’s security and data team members enhanced insight into and the ability to manage the security posture of their cloud data. At the core of DSPM is a data-centric policy enforcement engine that:

  1. Automatically and autonomously discovers, classifies, and catalogs all data in the cloud.
  2. Analyzes data against a set of security policies and best practices (e.g., encryption, retention, etc.) and continuously monitors and alerts on policy violations.
  3. Prioritizes security and compliance issues (e.g., overexposed data, underprotected data, misplaced data, etc.) and proposes remediation recommendations for implementation.
  4. Continuously monitors cloud environments for changes, immediately discovering new data assets or posture changes to existing assets.

Thus, a DSPM solution provides continuous visibility into data, assesses data risks, determines what data violates security policies and how, prioritizes data risks, and remediates them accordingly. As a result, a DSPM can help reduce your data attack surface and facilitate compliance with regulations such as GDPR and PCI.

Solving for the Complexity of Cloud

DSPM solutions address one of the core challenges of cloud: complexity.

There are a multitude of cloud storage technologies available to developers and data scientists today. Many are configured differently, creating multiple architectures that constantly change. Developers can spin up or copy entire datastores in seconds, at the push of a button. Data is copied here, there, and everywhere.

The security team must ensure that data security controls are tight but don’t infringe on the free, unfettered use of data by developers and data scientists. Those security controls must also travel with the data, so that data has the proper level of protections regardless of where it goes. The answer: a DSPM solution.

DSPM enacts a set of data-centric security policies such as encryption, activity logging, environment restrictions or retention period that travel with the data. So when data moves from a production environment, which is typically the most protected, to a test or dev environment, it has the proper protections.

The DSPM solution protects the data, regardless of what infrastructure it is on. It supplies data-centric, infrastructure agnostic policies that then get automatically verified wherever that data resides. For instance, say you have Social Security numbers publicly exposed in a database hosted on an Azure VM. The data security person doesn’t even need to be aware that the VM exists. The DSPM discovers the asset, finds the sensitive data in it, and determines there is a data security policy violation. It then prioritizes the violation based on several factors, including sensitivity and risk, and engages the relevant team members to help in remediation.

How Does DSPM Differ From CSPM?

It’s important to understand the differences between the data-centric and the infrastructure-centric solutions for security posture management. CSPM technologies are designed to protect cloud infrastructures. A CSPM detects misconfigurations, vulnerabilities, and compliance violations across an organization’s cloud infrastructure and issues alerts for security teams to manage and fix.

CSPM solutions are great at protecting cloud infrastructure, but they lack data context. CSPMs don’t understand the value of the data or risk to the data that resides inside data stores. So while a CSPM can detect a critical vulnerability in an S3 storage bucket, it will lack insight as to whether that bucket contains any sensitive data, the loss of which could affect the business. Meanwhile, a less severe vulnerability that the CSPM has deprioritized may affect data stores with sensitive financial data such as credit cards, for example.

A DSPM with its data-centric view is needed to properly assess data risk and provide recommendations on the best way to protect that data. A DSPM manages the security of the data, across clouds, regardless of the infrastructure it resides on. A DSPM protects the data plane which has become overwhelmingly complex and dynamic in ever-expanding cloud environments. Data is the new currency for business and requires its own security context.

Organizations need both CSPM and DSPM solutions. They are separate but complementary technologies. When a CSPM leverages the rich data context from the DSPM, the security teams can focus on those alerts that impact highly sensitive data, thereby gaining a higher return on remediation efforts.

The two technologies cover different perspectives that are needed to effectively secure multi-cloud environments. One provides an infrastructure-centric perspective. The other provides a data-centric perspective. Both are important parts of a defense-in-depth strategy: CSPM to strengthen your infrastructure and DSPM to protect the data and reduce the blast radius of an attack.

Evaluating Data Security Posture Management (DSPM) Solutions

When evaluating tools that provide DSPM capabilities, there are several things to consider:

  • Plug and Play: there should be no need to provide a list of every data asset, the location, access credentials, or data owner. The system should discover all data autonomously. Its design is to find the unknown.
  • Continuous Automation: finding policy violations and evaluating their risk relative to other violations is not a one-time process. Nor is it something that can be done manually in the cloud. Developers and data scientists are constantly shifting the landscape of what data is where, so a DSPM needs to work continuously.
  • Comprehensive, adjustable policies: a DSPM should provide robust coverage in both the risks it identifies and the asset types it scans. A DSPM should find and notify on the full breadth of risk: overexposed data, unprotected or underprotected data, misplaced data and unmanaged data, and also cover a robust spectrum of CSPs, asset types, and object types. A DSPM’s policies should also be customizable to meet an organization’s particular needs.
  • Guided remediation: security and IT teams have more than enough alerts, so a DSPM should not just find exposures, but also provide full analysis of why the violation exists, evidence for its existence, and technical recommendations on how to fix it. The DSPM should also connect to your existing workflows to make this process as seamless as possible.
  • Agentless: to avoid performance impacts, and to get a complete view of ALL your data, look for a solution with an architecture that is agentless and connector-less that operates asynchronously.
  • Risk-free: a DSPM should utilize serverless functions that leverage APIs to scan your environment, so data always stays in your cloud environment for maximum security.

Laminar’s Data Security Posture Management Capabilities

Laminar’s data security posture management platformprovides consistent data security across Azure, AWS, Google Cloud, and Snowflake, offering uniform security and governance for multi-cloud environments.

When you choose DSPM from Laminar you can customize your own data security policies or rely on our robust, pre-written data security policies that cover: overexposed data, underprotected or unprotected data, misplaced data, and unmanaged data. With this guidance, our solution then continuously prioritizes policy violations with no effort on your part and clearly displays them with easy-to-read dashboards. Laminar also provides technical remediation guidance and can connect with ticketing and workflow systems for a seamless remediation experience as well as send alerts to SIEM and CSPM tools for advanced correlation activities.

Laminar’s industry-leading technology integrates into your cloud infrastructure. Because the discovery engine for Laminar is embedded within your cloud environment, data never leaves your environment. Laminar scans your organization’s cloud using serverless functions that make use of the cloud service provider’s APIs. Furthermore, Laminar is easy to install using cloud-native tools, does not need an agent, and has no effect on performance.

Want to see Laminar’s Cloud Data Security Platform in Action? Request a demo today.

 

What Is Cloud Data Security?

Shifting to the cloud is a necessary step in the digital transformation required for businesses to get and stay ahead. The cloud allows employees to access resources from almost anywhere at any time, enhances data accessibility, improves team collaboration, and simplifies administration. This greatly enhanced speed and flexibility gives developers and data scientists the tools they need to stay at the forefront of innovation. 

However, it is not without its challenges. One of those is data security. This is why cloud data security has become an imperative for businesses that wish to continue to innovate at the speed of cloud while still protecting their most sensitive data: a failure to do so can have a devastating impact on your business’s operation and reputation.

In this article, we learn more about cloud-native data security, cloud security challenges, and best practices for protecting your data in the cloud. 

 

An Overview Of Cloud Data Security

Cloud data security is a new and rapidly evolving security discipline designed to safeguard data, wherever it resides in the cloud. The discipline is focused on protecting cloud data from breaches and compromises while also empowering organizations to leverage that data to meet business goals. To make this approach work, it’s imperative for security teams to understand where the sensitive data is and who has access to it, the overall security posture of that data, and how it is being accessed on an ongoing basis. 

The discipline of cloud data security can:

  • Protect data from external malicious activity intended to steal or hold data hostage, like ransomware.
  • Prevent human error or neglect from enabling data breaches.
  • Reduce the repercussions of any system breach or insider threat by monitoring and blocking unwanted data access.
  • Reduce the attack surface by identifying and eliminating the shadow data that is unmanaged by security, unnecessary and presents a risk to the business. 
  • Prevent privacy and regulatory violations due to data exposure and ease compliance.

Cloud data security is a vital component of cloud security, which, together with cloud infrastructure and application security, along with identity management, forms a cohesive backbone of an organization’s overall cloud security strategy. 

What are the Challenges of Securing Data in the Cloud?

Cloud computing allows for a multitude of technologies which offer a wide range of data ownership and storage capabilities. The complexity and scope of the myriad of technologies that are implemented in the cloud and the scale of speed at which things change make cloud security, and data security in the cloud, incredibly challenging and impossible to do manually. Chief among the pain points organizations experience in cloud data protection are:

1.Data proliferation

Data multiplies quickly in the cloud. Multiple departments can use public cloud platforms, and developers move and copy data into new applications and new environments at the push of a button, all without the knowledge or consent of security or IT. The pace of change is on a daily, if not hourly, basis. The net result is that there are many data assets unknown to security and no consolidated view of data across the cloud environment. It is impossible to protect what you don’t know about. 

 

2.Data policies do not travel 

The sprawl of technology in the cloud is unprecedented. Each of the major cloud providers has dozens of different ways to store and process data, each with its own configurations and controls. Manually applying policies to and protecting cloud data across this broad of a landscape is impossible, and security policies do not automatically travel with the data as it proliferates, they must be reset and re-established with each new copy. In this reality, the only way to apply policies to the data is to provide the policies to developers and data scientists and trust that they will work within those guardrails. But trusting security to others without automated verification is dangerous, especially when security is not their focus. 

3.Opaque data access 

Because the cloud is so complex it’s also very complex to know who has access to the data. It’s easy to know the answer to the question, “what does Fred have access to?” However, due to multiple decades worth of disparate access control technologies on each cloud service it’s very challenging to understand who all has access to a specific data element. Without this knowledge organizations can’t easily limit who has access to the most sensitive cloud data, which leaves a much bigger risk of that data being exploited than is necessary. In addition, when an organization experiences a weaponized third party or insider threat and needs to mitigate the impact, they can’t because they don’t know who has access to that data. 

4.Tracking activity is cost prohibitive & noisy

To monitor your cloud environment for attacks in progress or data leaks you have to track all activity. To track all activity you have to enable logging. If you don’t know where your crown jewels are, your only option is to log everything, which is cost prohibitive, therefore most organizations end up logging nothing. For those who choose to monitor cloud data, regardless of the expense, there is a lot of noise and it is very difficult to pinpoint the source of a threat given all of the noise. As a result, the majority of data leaks go undetected for long periods of time. 

The answer to all of these challenges is to focus on the data. A data-centric strategy simplifies cloud security by giving security teams the means to focus on protecting what’s most important to the organization—its most sensitive data. 

What Makes A Comprehensive Cloud Data Security Strategy?

Many organizations focus on protecting their cloud infrastructure first. This is an important component of a comprehensive cloud security solution set, but given that an organization’s most valuable asset is its data, infrastructure security alone is not enough. To truly protect the data, particularly the most sensitive data, requires a dedicated cloud data security solution

In addition to a solution that is data-centric, solving for the complexity, scope and scale of the cloud also requires a solution that is custom-built for the challenges of the cloud, not just repurposed on-premises data security tools. This solution needs to protect the data across its entire lifecycle, from initial discovery and cataloging to ongoing real-time monitoring for anomalous access. The solution must enforce both preventive and detective controls. Organizations should look for one solution that brings together all of the capabilities of data catalog, data security posture management, data access control, and data detection and response together under one roof and in one unified view. 

Data Catalog for Cloud Security

The first step of securing your cloud data is knowing what data you have. Because of this, it’s important to employ robust data cataloging technology. The data catalog discovers all of the data and everything you need to know about the data, whether that data is located in managed or unmanaged data assets, data caches, data pipelines, Big Data environments, or shadow data (unknown data stores). 

In addition to discovery, a catalog should classify and catalog the data for the information needed to determine how it should be protected. This means uncovering everything from the data type and record to sensitivity and owner. Any data catalog solution worth its weight should do all of this autonomously, asynchronously and without any prior knowledge or effort on the part of the user. The challenge is to find ALL the data, even in places you don’t know it exists and to do that the cloud data security solution must be 100% autonomous, not require agents or connectors to be installed, not require knowledge of access credentials. It’s the hidden, shadow data that is unmanaged and unprotected that attackers are after.

Data Security Posture Management (DSPM)

Now you know what data you have and where that data is, the next step is to implement policies dictating how you protect your data and determining the gaps between stated policy and existing security posture that may be putting sensitive data at risk. Everything from exposure and access to retention period and encryption are set forth in policies that the data security posture management (DSPM) verifies is being met. At the core of DSPM is a policy engine that detects and alerts on data security policy violations and then provides guided remediation. This allows security teams to assess security posture, prioritize data that presents the biggest risk to the business, and remediate issues that actually put sensitive data at risk.

As opposed to a cloud security posture management tool, DSPM policies focus on the data regardless of the infrastructure it resides on. These policies are data-centric based on sensitivity. PCI data should be encrypted, should never be publicly exposed, PII should never be in a development environment or should have a retention period of X years. The data policies are MUCH DIFFERENT than infrastructure-centric policies. 

Cloud Data Access Control (CDAC)

Access in the cloud environment is complex. Organizations seeking a full picture of their data security risks need to understand which entity or entities have access to what data. Data access control capabilities enable the visualization of the data access, and gives data security practitioners the information they need to then explore the ways that data and entities are connected. 

For example, say the DSPM has found a violation where sensitive data is overexposed by allowing a third party vendor access. One of the questions the person looking into this has is what else can that vendor access, or who else has access to that sensitive data—the CDAC can help visualize the answers to both questions. Alternatively, let’s say data detection and response (DDR) alerts on malicious activity in a machine, then the person investigating may want to know what cloud data has been accessed by a malicious actor on that machine with a certain identity. The CDAC would be able to visualize it and simplify it down to exactly what data could have been exposed.

Data Detection & Response (DDR)

The final component of a comprehensive cloud data security strategy is knowing what, if any, current activity is indicative that your sensitive data may be under attack. Data detection and response (DDR) monitors and alerts on ongoing, real-time activities that may indicate data leakage or signs of a potential breach. Unlike similar tools such as extended detection and response (XDR) or endpoint detection and response (EDR), DDR understands which data is critical. It then uses machine learning to detect anomalous activity around this critical, most sensitive data, which allows alerts to be much more specific and greatly reduces noise and cost. 

Partnering With A Trusted Provider For Access To Flawless Data Protection 

The cloud is the best solution for most businesses’ IT infrastructure today. However, 98% of all organizations said in a recent poll that they had dealt with a cloud-related security incident. Laminar provides security teams with a cloud-native data security platform that protects everything they build and run in the cloud. Laminar’s platform is the only cloud data security solution that brings together the capabilities of data catalog, DSPM, CDAC and DDR —offering unparalleled visibility and security. 

The Laminar cloud data security platform is also:

  • Autonomous: Providing automated discovery and classification of all cloud data assets, without requiring any prior knowledge, including managed, unmanaged, and shadow data.
  • Agentless: Architecture that uses an API-only approach and works asynchronously to prevent production and performance implications.
  • Continuous: Providing ongoing monitoring to detect new threats, and reveal new security risks or anomalies in near real time.

With the integrity of the Laminar multi-cloud data security platform, you can quickly discover, prioritize, secure, and monitor your organization’s public cloud data. Laminar is the most comprehensive cloud data security platform for everything you build and run in Azure, GCP, AWS, and Snowflake. 

Discover the Laminar Security Platform for yourself today.

3 Reasons to Add Cloud Data Security to 2023 Cybersecurity Budgets

Why Cloud Data Is So Important

Cloud data is growing at an exponential rate, and attackers have taken notice. Data breaches in 2021 increased by 68% over the year prior. As cloud data continues to grow, so too will the risk of a data breach. If that’s not reason enough to include cloud data security in your 2023 cybersecurity budget, we have three others you may want to consider.

First, let’s establish what we mean by cloud data security. The cloud environment is unique and requires cloud-native, data-centric security that enables organizations to continuously protect their data. A cloud data security solution enables organizations to continuously protect their data by following it as it proliferates in the hands of developers and data scientists who need to copy and move large volumes of sensitive data in the cloud to support innovation.

Given that this data-centric approach to cloud security is still new, we are willing to bet that you haven’t yet factored it into next year’s security budget. Here are three reasons why you should. We also created an eBook that provides additional detail on each and how you can decouple cloud data growth from cloud data risk.

1. Cloud data security is different from data security.

Developers no longer ask for permission when they want to create new data storage assets in the cloud; they just do it, at the click of a button. Security teams lack visibility and the opportunity to ask important questions, implement and enforce data security policies that can protect the data before that data is copied, moved or created. Unfortunately, security controls do not travel with the data, they must be implemented each time. Compounding this challenge is the technology sprawl presented by the cloud. Unlike on-premises data security where there are limited ways that data can be stored and shared, in the cloud developers have the freedom to choose between multiple cloud providers who each have a multitude of services. This can result in a vast cloud infrastructure consisting of myriad different technologies with data here, there, and everywhere.

2. Tedious manual efforts don’t work in the cloud

Let’s face it: a manual approach to security doesn’t work when developers and data scientists can spin up new services at the push of a button. Security breaks down. Compliance suffers. Five main issues drive the need for automation:

a. Manual efforts can’t keep up with the agility of today’s digitally transformed businesses.

b. Security is blind to “shadow data”, the hidden sensitive files that occur when data is copied, backed up, or housed in a data store that is neither governed under the same security structure nor kept up to date.

c. There is no way to validate or enforce data security policies.

d. Security is unable to identify the company’s “crown jewels,” their most sensitive and important data, and put proper monitoring in place.

e. There is no way to easily understand exposure at the data element layer and how to limit access.

3. What you’re doing now is not working

While cloud security spend has increased (estimates tell us that the market is growing at a rate of 25.1% year over year, from $10.98 billion in 2021 to 13.73 billion in 2022), so too has the number of cloud data breaches. As has the cost of a breach. The average cost of a data breach in 2022 is $4.35 million, up 12.7% from 2020, and the 2021 Data Breach Investigations Report from Verizon found that 90% of data breaches target the public cloud.

If current security tools kept your data secure, wouldn’t the number of data breaches decrease over time? Albert Einstein is credited with saying, “Insanity is doing the same thing over and over and expecting different results.” So if your current solutions aren’t working, isn’t it time to consider adding a purpose-built layer of security for protecting your data in the cloud?

To learn more about the three reasons why cloud data security should be in your 2023 cybersecurity budget, download our eBook .

The Future of Data Security: Data-Centric Security

Data protection and cloud security have enterprises running around a giant hamster wheel. They know that they are practically blind when it comes to where sensitive data is in the cloud and how well it’s protected. Meanwhile, data protection teams are crying out for a way to gain a complete and accurate view of their data. It doesn’t seem like such a tall ask, considering that data is at the center of cloud transformation—no matter how you slice it. Yet, still, some companies are living in the renaissance period of cloud security and blissfully unaware of their assets in the cloud.

Setting the Scene

If innovation were a Hollywood movie, data would be the lead actor. Data is inarguably the most critical piece of the puzzle when it comes to innovation within the modern cloud-first enterprise. Most business leaders have wrapped their heads around this concept and recognize the facts; they agree that: In order to give my developers and data scientists the tools they need to innovate, our data must be democratized and we must be able to support new applications on the cloud. While most businesses understand that data is important, that it’s critical to protect and that it is a source of differentiation, they often fall short of understanding what exactly is involved in effective data security. Especially when it comes to sensitive data stored in the cloud, many security teams are still in the dark.

This misunderstanding—or possibly misinformation—leads enterprise leaders to rely on traditional methods of data security. Outdated technology hasn’t adjusted to the new cloud-native environment. This means that data security and privacy workflows, reviews, committees and assessments are all manual. Herein lies a tremendous growth opportunity.

We could discuss the problems with current approaches until we’re blue in the face. Problems of alert fatigue, FUD, friction with developers and of course exposure to data exfiltration and security risks are holding organizations back from reaching their full “cloud potential.” While recent approaches, like Cloud Security Posture Management (CSPM) tools, have brought some useful capabilities for cloud infrastructure—such as VMs, containers, etc.—they don’t address the needs of data security teams who have been left in the dust. Traditional data security solutions and manual processes haven’t adjusted to the new cloud-first environment, which makes the work of the modern analyst much more challenging, and, most significantly, has positioned them as “gatekeepers” rather than “enablers” of business and innovation.

Stuck in the Past

Legacy data security suites have left enterprises ignorant to what sensitive and regulated data they have in the public cloud. This impacts several components of a data security strategy. First, teams are left conducting manual, periodic interviews with application owners to identify sensitive data stores that are out of date (usually days later) as the cloud environment is agile and dynamic as developers and data scientists can make copies of data anytime they want. This is all in a failed effort to determine where their sensitive data lives in the cloud. They’re stuck in a “trust but no verify” approach that is completely manual and unable to keep up with the speed of the cloud.

Second, when securing and controlling cloud data, they often rely on written policies with little to no enforcement. Instead of automated approaches to enforce policies, they have to trust that developers will understand standard policies and properly implement them. They are involved in laborious compliance audits of policies, which can easily leave gaps. Lastly, legacy data loss protection (DLP) solutions only cover email, endpoint and on-premises infrastructure, which means data security teams have limited to zero visibility into potentially ruinous data leaks in IaaS and PaaS environments.

Third, security teams may be thought of by others within the organization as a hindrance to business and innovation. While leadership can preach all day to stakeholders and marketing about the importance of security, there can be a disconnect between security teams and other decision-makers when it comes to acting on the platitude. Security might seem like a great idea “when we get to it,” but when it comes to enacting security best practices, leadership might not want to risk possible disruption that would slow or even stop a project. Without the right tools in place, security teams can feel like they are fighting an uphill battle, which can be discouraging and lead to neglect of pertinent issues just to reduce friction with colleagues.

A Place in the Future

Where does this leave the modern enterprise that wants to gain a complete and accurate view of all assets on the cloud to move innovation forward? A cloud-native, data-centric approach will take organizations from the past to the future of data management and protection. Let’s break down the components of a forward-thinking, modern approach to cloud security.

Eat, Sleep, Breath Cloud

There’s no arguing that cloud is integral to most businesses today. Thus, a modern data management approach must start by integrating fully with the public cloud itself, using modern, cloud-native approaches. Within virtually every enterprise are hundreds of technologies and apps that store, use and share data in the cloud. These tools can be managed by cloud service providers (AWS S3 buckets, Google Cloud Storage, Azure Blob Storage, etc.), IT (AWS RDS) and even developers or operations teams (database that runs on an EC2 or a Kubernetes node). Furthermore, each technology is configured and used differently on a daily basis. These architectures are complex, dynamic and constantly changing, which increases risk dramatically over legacy data management.

For this reason, a cloud-native tool or application is critical for companies seeking a place in the future. A cloud-native tool or application is designed to capitalize on the characteristics of a cloud computing software delivery model. They utilize the cloud service provider’s (CSP) native APIs that are designed to meet these needs. While cloud-native data security solutions aren’t mainstream yet, they’re gaining traction among larger, established organizations that recognize their unmatched value and their unique ability to discover, classify, secure and control the data that lives in the cloud more deeply.

Full Visibility

If security teams don’t know where their sensitive data is, who has access to it and can’t understand the risk posture associated with certain assets, how can they expect to know about leaks and vulnerabilities in a timely manner? Gaining that deep, all-encompassing visibility into every piece of organizational data stored in the cloud—whether that data asset is managed by the cloud provider, if it’s a formal data store or in compute or if it’s public or isolated—and continuously monitoring the movement and management of that data is the most effective way to stay nimble and reduce the attack surface. For companies living in the “future” of cloud data management, this means connecting security tools directly with their cloud account to agentlessly scan the entire cloud environment and autonomously discover all data stores. Autonomous solutions are critical as cloud environments are agile and dynamic where security teams and even application developers are not aware of the typically thousands of data assets in their cloud accounts. Many data management solutions will automatically scan known datastores with the right credentials to gain access, but only autonomous solutions discover ALL resources without knowledge of the environment. Achieving this level of visibility without disrupting workflows is huge in terms of moving security teams away from a gatekeeper persona to business enablers.

Putting the Pieces Together

Collecting and analyzing all data assets is just the first step toward a more advanced, forward-thinking approach to data security in the cloud. Modern cloud-native solutions are also able to autonomously scan all of those discovered pieces of data to understand where to focus first—the most sensitive data and the most critical issues—and present that information to security analysts. Cloud-native tools can also autonomously scan audit logs, network flow logs and various data sources in order to build a profile for every data access point. A cloud-native, agentless approach allows data security teams to detect leaks and remediate them faster by monitoring unwanted data access in real-time by analyzing access logs for anomalous activity. Cloud security teams are no longer stuck in an environment of alert fatigue and burnout because they finally have eyes on all of their sensitive data at any given moment.

Without the right tools, today’s security professionals will continue to live in fear of the unknown, like unknown data repositories (what we call shadow data) that can be targeted with the least odds of detection. Security teams are afraid of being out of the loop and susceptible to breaches. This creates tension between security teams and the rest of the enterprise. But with the right tools, security teams can champion digital transformation and innovation and truly become heroes within their organization.

Cloud Data Security: The Cost of Doing Nothing

The world has changed dramatically over the past couple of years—especially in the areas of business and technology. The COVID pandemic accelerated digital transformation and forced a shift to a remote or hybrid business model, leading to a significant spike in the adoption of public cloud services. Gartner estimates that public cloud services spending will increase by 47% from $270 billion in 2020 to a projected $397 billion in 2022.

Cloud services and data have been essential for enabling remote workers to maintain productivity, but it is also a double-edged sword that could lead to complexity, excessive costs and unnecessary security risks. With increasingly more data  getting stored in the cloud, it is also becoming increasingly challenging for IT teams to effectively manage and protect it all. The result is a breach culture that is only going to get worse.  The cost of maintaining the status quo or doing nothing increases daily.

Cloud Data Challenges

Cloud platforms and services have been a lifesaver for businesses during the pandemic. Companies have embraced cloud services to provide accessibility, streamline productivity and increase operational resilience for employees working remotely.

However, for most organizations, the rapid adoption of cloud services came with consequences as well. Visibility was sacrificed and security was compromised in the name of expedience. The percentage of corporate data stored in the cloud has doubled from 30% in 2015 to 60% in 2022 and continues to grow.

The data sprawl results in unknown and unmonitored data stores. Cloud services and DevOps practices enable end users to self-provision applications and services and allow developers to spin up new databases at the push of a button. Our State of Public Cloud Data Security Report 2022 found that less than half (49%) of the survey respondents claimed to have full visibility when developers spin up a new data repository. More than a third (35%) reported partial visibility, while 12% indicated they have no visibility at all.

Not So Hidden Cost of ‘Shadow Data’

The complexity and lack of visibility results in “shadow data.” Test environments, cloud data store backups, remnants of cloud data migration, data logs and other artifacts consume resources.

Unfortunately, cloud data storage is not free. There is a real cost of unknown and unnecessary cloud storage. One of our customers acknowledged that they will save $115,000 per year by eliminating shadow data and consolidating data stores.

Shadow data also introduces an increasing cost of additional risk. These unknown data stores often contain sensitive information like customer or employee data, financial information, intellectual property, or other classified or confidential information.

Unfortunately, the mantra that “you can’t protect what you can’t see” is very true. IT and data security teams can’t possibly enforce policies, monitor access or protect data of which they are unaware. That is why more than 4 out of 5 (82%) of the senior data security professionals we surveyed revealed they are concerned or very concerned about shadow data.

The pace and scale of data breaches continue to grow—along with the cost of being breached. According to the annual Cost of a Data Breach Report from the Ponemon Institute, the average cost to remediate a breach was $4.24 million in 2021. In addition, the 2021 Data Breach Investigations Report from Verizon found that 90% of data breaches target the public cloud.

There is also a less tangible cost in terms of efficiency without clear visibility of cloud data. With a clear understanding of where data is stored, IT and data security teams can focus on speed of access—which improves productivity and streamlines operations.

Doing Nothing Is Costly

There are significant and essential benefits from cloud services and applications. Even if everything could somehow go back to the way it was before the pandemic, few businesses would choose to do so. While the circumstances that drove much of the digital transformation and cloud adoption over the past couple of years have been tragic, they forced organizations to make changes that have resulted in improved productivity and efficiency.

However, shadow data and cloud data security are very real problems. In a best-case scenario, shadow data results in unnecessary expenses for cloud storage resources, and in a worst-case scenario, the unprotected data could lead to millions of dollars in costs to remediate and recover from a data breach.

With cloud services here to stay, what’s important is that data security teams have the visibility and tools to effectively mitigate and manage cloud data risks. Organizations need cloud-native security to automatically and autonomously discover all data across the cloud ecosystem and recognize and classify PII (Personally Identifiable Information) and other sensitive data. Autonomy is important as these assets are unknown to data security. Once they have full visibility, they can prioritize data stores based on sensitivity and exposure to risk, enforce data security policies, and monitor data access and egress to detect and alert on suspicious activity.

Maintaining the status quo is a bad strategy. The cost of doing nothing is an expense few organizations can afford.

Best Practices for Effective Cloud Data Security

Digital transformation and the shift to the cloud have accelerated in the past couple of years due to COVID-19 and the remote, work-from-home business model. Gartner projects that companies will spend nearly $400 billion on public cloud platforms in 2022.

The more organizations embrace the cloud, the more data is stored in the cloud. More than 60% of corporate data is stored in the cloud today, which is double what it was just seven years ago—and that figure continues to grow.

There is enterprise data security on-premises and cloud security for infrastructure, but nothing secures data for everything you build and run in the cloud. While developers and data scientists have free reign to capture, copy and manipulate sensitive data in public cloud environments, security and data teams have lost visibility and have much less control.

Challenges of Protecting Data in the Cloud

Adapting to the cloud has created a number of unique pain points for organizations in terms of data protection. For one, there is a serious lack of visibility for the IT teams tasked with data security. Multiple departments can use SaaS (Software-as-a-Service) applications and cloud storage platforms, and developers can spin up new databases without the knowledge or consent of IT. The net result is that there is no consolidated view of data across the environment.

The problem is exacerbated by a lack of context that leads to an inefficient allocation of resources. After all, not all data is created equally. Some data is more sensitive or confidential and deserves greater protection. Still, security controls are often applied uniformly for the entire environment rather than understanding the context and prioritizing data security efforts accordingly.

Cloud computing and digital transformation have dramatically expanded the exposed attack surface that IT teams need to defend. The exposure of data across a hybrid or multi-cloud environment, combined with the lack of comprehensive visibility, makes it impossible to assess your data security posture accurately. The complexity of the environment also makes it virtually impossible to monitor for attacks in progress or detect data leaks effectively.

Protecting data across an increasingly complex web of platforms and applications is a challenge. Organizations need to find the balance and take advantage of the agility and scalability of cloud computing without sacrificing data security.

Cloud Data Security Methodology

The Laminar Cloud Data Security Methodology provides a framework and strategy for assuring data security in the cloud. Effective data protection is dependent on four primary pillars: Discover, Prioritize, Secure, and Monitor:

  • Discover: It seems both obvious and trite, but the reality is that you cannot protect what you can’t see. Effective data security in the cloud begins with knowing what data you have, who owns it, and where it is located. Data security and data governance both require that you have a way to find, characterize and classify known data and “shadow” or unknown data across your entire environment.
  • Prioritize: Once you have comprehensive visibility of your data, you need to understand the context of the data and prioritize protection accordingly. You should analyze the data and where and how it is used and allocate data security based on a variety of factors, including the sensitivity of the data, the current security posture, governance, and compliance mandates and exposure.
  • Secure: You need to strengthen and maintain your data security posture. This means reducing and minimizing the attack surface and enforcing data security best practices and established data policies.
  • Monitor: There is no perfect defense. Attacks will still happen despite data policies and best practices. Effective cloud data security also requires vigilance—detecting new data assets or changes to existing assets. The IT teams tasked with data security should continuously monitor the environment for access anomalies and indications of data leaks or compromise.

Effective Cloud Data Security

The cloud is not optional at this point. Organizations need to take advantage of the accessibility, agility, scalability, and cost-efficiency to remain competitive. However, it is also important to effectively manage security and data protection across this expanding and increasingly complex environment.

Cloud-native data requires cloud-native protection and data-centric cloud security.  Modern-day cloud data protection solutions must go beyond identity and access management and basic security controls for accessing cloud applications and services and address the unique challenges of protecting data in the cloud.

Organizations need complete data observability for everything in their hybrid, multi-cloud environments. Data protection teams have to have tools in place to autonomously discover and classify new datastores for complete visibility, prioritize risk based on data sensitivity and risk posture, secure data by remediating weak controls, and actively monitor for egress and access anomalies. The Cloud Data Security Methodology is a crucial component of that strategy. It is essential for enabling data security teams to reduce the attack surface, detect data leaks in real-time, and regain control over their data.

Learn more about how customers have successfully implemented Laminar’s cloud data security methodology in just six weeks. Schedule a demo today!

The State of Public Cloud Data Security – Complex and in the Shadows

Public cloud services adoption has surged in the past two years from $270 billion USD in 2020 to an estimated $397 billion in 2022. This fast-paced transformation gave way to the rapid development of digital products and services — but didn’t come without compromise.

IT was rapidly implementing new models in the cloud, including hybrid work, and diluting security controls. With their heads in the clouds focused on bringing in more revenue for their organization, security professionals unknowingly put themselves at risk. IT and security now lack visibility into where cloud data is stored and whether databases contain sensitive information.

But how can you protect what you can’t see?

In 2021, companies faced a 50% rise in attacks, and cyber risks are now the No.1 concern for businesses of all sizes. What is abundantly clear is that organizations need a better security strategy to gain visibility into their sensitive data, enable digital business growth and safeguard their valuable cloud-enabled data stores.

To gain a deeper understanding of problems plaguing organizations with public cloud infrastructure today, Laminar released the first-annual State of Public Cloud Data Security Report. We heard from 500 security professionals on their perspective of the current weak and fragmented state of public cloud data security and their concern over lack of visibility.

Here’s what we learned:

1 in 2 Respondents Experienced a Cloud Breach in 2020 or 2021.

Digital transformation has become a breeding ground for adversaries. In our survey, 50% of respondents acknowledged that their cloud environments were breached in 2020 or 2021, with 13% saying they were unsure. Five percent also said they preferred not to answer, likely indicating that they, too, had been breached.

Hackers are Increasingly Looking to Build on Past Results

Of the respondents who had been breached, 58% said their cloud data had been knowingly leaked and/or exfiltrated.

With that data, adversaries are creating detailed profiles on individuals on the dark web, buying and selling user credentials and mining data for further vulnerabilities. In turn, cybercriminals are then able to commit greater harm or launch repeat attacks.

Organizations are Struggling with Cloud Complexity

Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, IBM Cloud and Oracle have gained the majority of companies’ cloud business and each offer hundreds of services. Organizations typically engage with more than one vendor in order to gain access to a broader mix of capabilities, align spending with a chosen vendor’s expertise and reduce risk.

With 56% of respondents working with two or more cloud service providers (CSPs), many are struggling with a complex infrastructure design.

The Vast Majority of Data Security Professionals Expressed Concern Over Shadow Data

Shadow data is company data that is likely copied, backed up or housed in a data store that is not governed, under the same security structure, nor kept up-to-date. Our survey found 82% of respondents are extremely or very concerned about shadow data.

It is a concern that is well-founded: less than half (49%) of respondents have full visibility when developers spin up new data repositories, only about 35% have partial visibility and 12% have no visibility at all.

Public Cloud Data Needs Cloud-native Tools

The survey revealed that data security professionals are struggling to keep pace with cloud data growth. To address digital transformation, gain visibility into data and adequately protect themselves, organizations must adopt cloud-native security solutions.

Among survey respondents who had adopted such solutions:

  • 49% believed that cloud-native security solutions are dynamic, effective and extremely scalable
  • 46% state that they are asynchronous and don’t disrupt data traffic flow or performance
  • 44% say they are agentless and API-based, resulting in lower total cost of ownership (TCO)

Company Leaders are Seeing the Light

The one upside of organizations experiencing a drastic increase in cloud security breaches is that it has increased executive and board of directors’ buy-in for cybersecurity. Half of the companies surveyed have experienced an increase in buy-in over the last two years, and 81% of respondents have reported a >40% security budget increase since January of 2020.

How Laminar Can Help

Companies have opened Pandora’s box when it comes to the public cloud, security teams can’t simply shut it and reduce their use of public cloud services or consolidate cloud providers. To do so would halt digital transformation progress.

Our survey illustrated the benefits of cloud-native security solutions. Laminar’s platform is uniquely designed to protect sensitive data for everything organizations build and run in the cloud. We work with all public cloud infrastructures, all cloud data types and all data policies. As a result, teams gain a single solution to protect and control their multi-cloud holdings.
Download the full report