3 Reasons to Add Cloud Data Security to 2023 Cybersecurity Budgets

Why Cloud Data Is So Important

Cloud data is growing at an exponential rate, and attackers have taken notice. Data breaches in 2021 increased by 68% over the year prior. As cloud data continues to grow, so too will the risk of a data breach. If that’s not reason enough to include cloud data security in your 2023 cybersecurity budget, we have three others you may want to consider.

First, let’s establish what we mean by cloud data security. The cloud environment is unique and requires cloud-native, data-centric security that enables organizations to continuously protect their data. A cloud data security solution enables organizations to continuously protect their data by following it as it proliferates in the hands of developers and data scientists who need to copy and move large volumes of sensitive data in the cloud to support innovation.

Given that this data-centric approach to cloud security is still new, we are willing to bet that you haven’t yet factored it into next year’s security budget. Here are three reasons why you should. We also created an eBook that provides additional detail on each and how you can decouple cloud data growth from cloud data risk.

1. Cloud data security is different from data security.

Developers no longer ask for permission when they want to create new data storage assets in the cloud; they just do it, at the click of a button. Security teams lack visibility and the opportunity to ask important questions, and to implement and enforce data security policies that can protect the data before it is copied, moved or created. Unfortunately, security controls do not travel with the data; they must be implemented each time. Compounding this challenge is the technology sprawl presented by the cloud. Unlike on-premises data security, where there are limited ways that data can be stored and shared, in the cloud developers have the freedom to choose between multiple cloud providers who each offer a multitude of services. This can result in a vast cloud infrastructure consisting of myriad different technologies with data here, there, and everywhere.

2. Tedious manual efforts don’t work in the cloud

Let’s face it: a manual approach to security doesn’t work when developers and data scientists can spin up new services at the push of a button. Security breaks down. Compliance suffers. Five main issues drive the need for automation:

a. Manual efforts can’t keep up with the agility of today’s digitally transformed businesses.

b. Security is blind to “shadow data”, the hidden sensitive files that occur when data is copied, backed up, or housed in a data store that is neither governed under the same security structure nor kept up to date.

c. There is no way to validate or enforce data security policies.

d. Security is unable to identify the company’s “crown jewels,” their most sensitive and important data, and put proper monitoring in place.

e. There is no way to easily understand exposure at the data element layer and how to limit access.

3. What you’re doing now is not working

While cloud security spend has increased (estimates tell us that the market is growing at a rate of 25.1% year over year, from $10.98 billion in 2021 to $13.73 billion in 2022), so too has the number of cloud data breaches. As has the cost of a breach. The average cost of a data breach in 2022 is $4.35 million, up 12.7% from 2020, and the 2021 Data Breach Investigations Report from Verizon found that 90% of data breaches target the public cloud.

If current security tools kept your data secure, wouldn’t the number of data breaches decrease over time? Albert Einstein is credited with saying, “Insanity is doing the same thing over and over and expecting different results.” So if your current solutions aren’t working, isn’t it time to consider adding a purpose-built layer of security for protecting your data in the cloud?

To learn more about the three reasons why cloud data security should be in your 2023 cybersecurity budget, download our eBook.

What’s that you say? Overheard in the halls…of cyber conferences.

Events are back, big time, including the last event I attended, Black Hat USA in Las Vegas. Which was an absolutely packed house! COVID schmovid! – Don’t stop, won’t stop…attendees from cramming into the Mandalay Bay Hotel and Convention Center. All of us were chomping at the bit to get back out there to talk in person, learn new skills and network with thousands of other InfoSec professionals and evaluate an awe-inspiring (and yes, somewhat overwhelming) amount of security products and solutions.

I should mention that I’ve been to hundreds of events over my 10+ years as a field marketing professional, and at this point I feel like I’ve seen and heard it all. That’s why I thought it would be fun to share some of my observations in a more lighthearted manner. If you are up for some chuckles and learnings, check out my highlights reel of statements “overheard in the halls of cyber conferences,” backed up with results from a 2022 Security Professionals Insight Survey Laminar conducted of more than 400 cybersecurity professionals at Black Hat USA and AWS re:Inforce.

“The vendors with simple, clear, and focused offerings are the ones that stick to my mind. So many companies are trying to do 30 different things.”

That’s right folks, stick to what you know and do it well.

Focus. Simplify. Streamline.

The race to the cloud has created a domino effect for data proliferating within that cloud, and security teams haven’t been able to keep up with the pace. AND, before you even know it, with the subscription to a few cloud services and the click of a few buttons, security has become a mere afterthought. Public cloud data security adoption is severely lagging public cloud usage, creating gaps for attackers to sneak in an exploit.

So here is some focus, simplicity, and clarity for you. It’s time to secure your cloud data. Fortunately, focusing on the best ways to help our customers secure their cloud data is all we do at Laminar. We don’t do anything else, so we can do it really, really well. And when two-thirds of security professionals have data in the public cloud, that’s a focus that’s sorely needed.

2022 Security Professionals Insight Survey Response: Nearly two-thirds (65.1%) of respondents said they currently have data resident in the public cloud (Amazon Web Services, Microsoft Azure, or Google Cloud Platform). With public cloud adoption having a compound annual growth rate (CAGR) of nearly 26%, it’s surprising that respondents haven’t yet hardened data security for these assets. Less than half (40.3%) said that they had a public cloud data security tool in place to monitor for insider and outsider threats and data exfiltration.

  • Over one-third of organizations are not sure if an internal employee accidentally accessed sensitive data in the public cloud in the past months
  • Over a third are not sure if they have had a data exfiltration

“Black Hat is BACK” + “It’s so nice to see users walking around, not just industry professionals.”

The pandemic sure did a number on Black Hat attendance and how the event was executed over the past two years. 2020 was 100% virtual and 2021 was dismally attended with a large virtual component. It’s safe to say that this year was an immense success, both in person and virtually…so ya…Black Hat is BACK and people were there to network and learn!

The pandemic has shifted how people work. Far more of us are choosing to work remotely part of, if not all of the time. Just like how a lot of conferences now take a “hybrid” approach to their event that gives attendees the option to come in person or remotely, this shift has also required organizations to support a hybrid work model. This new approach to work demands a different approach to cloud data security because it has accelerated public cloud adoption, removed the perimeter, and created huge blindspots for security teams.

2022 Security Professionals Insight Survey Response: Nearly two-thirds (62.3%) of respondents said their organizations have a hybrid work model, while another quarter (25.9%) are fully remote. As a result, data is outside the control of the traditional on-premises security perimeter and must be secured and monitored with new, cloud-native solutions.

“With all the hackers about, it might be safer to text going forward.”

This statement shows how little most people know about how hacking actually works. And yes, I did actually hear this at a security conference. But my point is: for anyone who doesn’t know how hacking works, how on earth would they be expected to know that they need a cloud data security tool to monitor and mitigate the insider threats to their data? Many people focus on the “boogeyman” threats to their data without understanding that cybersecurity is a lot more basic, and boils down to one basic theme: visibility.

According to Gartner, through 2023, 75% of cloud security failures will result from inadequate management of identities, access and privileges. That’s sobering news given that securing one’s cloud falls to the customer, not the cloud provider.

2022 Security Professionals Insight Survey Response: 59.6% of security respondents simply do not have a public cloud security tool to monitor inside threats or are unsure if they do.

As you absorb these thoughts, ask yourself what you are going to do to protect your organization from the insider and external threats lurking in your public cloud. How will you discover, prioritize, secure, and monitor data used and stored across multi-cloud environments? It’s time to get ahead of the game to protect the attack surface so that your organization can boost efficiency, collaboration, and reduce costs to stay competitive in this roller coaster of a market.

Stay awesome.

If you liked what you saw here, then be sure to share with your co-workers and friends because we want to hear from you! Follow us on Twitter @laminarsec or find us on LinkedIn. And definitely, don’t forget to @mention us when spreading the word!

Street cred to the following for helping me with this blog: Philip Gavlan (CDG), Fitz Barth (Laminar).

Cloud Transformation & Data Democratization: Rising Above the Waves When Megatrends Collide

Ever wonder what happens in an age of disruption when you mix a global pandemic with megatrends?

A significant rise in the number of disruptive and sophisticated attacks, that’s what! (Note to self, many of these attacks could have been avoided with the appropriate security embedded throughout the business.) Still work to be done…sigh.

The global pandemic has created a perfect storm of conditions for threats to data in the cloud. This new wave of threats, compounded by the accelerated rate of the megatrends of cloud transformation and data democratization, is giving rise to a whole new set of risks which has also been dubbed the “Data Attack Surface,” or as I think about it, the “Bermuda Triangle.” These two megatrends are defining the course of progress for enterprises of all shapes, sizes, and industries. It’s abundantly clear that these trends have allowed enterprises to support more remote work, enhance customer experiences, and generate immense value. All a huge plus in my book!

Rising above the waves of a perfect storm.

The data attack surface is the biggest cloud security risk to your organization. As digitization accelerates, data, that small four-letter word (seemingly so innocent), continues to grow exponentially. I mean, most of us have heard the stat from 2018 that 90% of the world’s data had been generated in the two years before that alone. Data growth hasn’t really slowed down since then. And most of that data is getting dumped into the cloud (social media, communication, digital photos, services, IoT, etc.). Combine that explosion in the volume of data with the increased potential for misuse by users given the lack of traditionally trained data gatekeepers, and the risk increases exponentially.

This massive increase in risk to data in the cloud means security teams are faced with a perfect storm at their doorstep in the amount of data to track and protect. To make things even more challenging—do you even know where that data resides? Or what type of data it is (e.g., crown jewels)? Who is responsible for it? Who has access to it? What is its security posture? Like security teams don’t have enough to worry about already.

That’s a lot of questions to answer in regards to visibility and security of the data attack surface, which is now the most challenging aspect of cloud security.

Three years into the pandemic, and well into our megatrends, I believe we are now in the eye of the storm. Which means that now is the time for security to act swiftly, without delay, to contend with the complex issues of data in the cloud and sophisticated attackers. Time is of the essence. Act now before the calm has passed.

I mean, do you really want to find out the hard way?

Didn’t think so…Time to seize the day and surf the waves of this perfect storm by creating a framework for discovering, prioritizing, securing, and monitoring your cloud data. Surf’s up!

If you are interested in learning more about cloud data security solutions that can help you ride the waves of this storm, Laminar can help. You can either schedule a demo with us or find us in person at InfoSec World, September 26-27.

Now in its 28th year, the 2022 edition of Infosec World features seven diverse tracks:

  1. Hackers & Threats
  2. Leadership & Budgeting
  3. Cloud Security
  4. Security Awareness
  5. Risk Mitigation
  6. Critical Infrastructure
  7. Identity

Over 1,500 security professionals from across industry and government are expected to attend, along with keynote speakers Robert Herjavec (CISO of the Herjavec Group), Tomas Maldonado (CISO of the NFL), and Ron Ross (Cyber Fellow at NIST).

Additional pre- and post-conference workshops and summits include topics on ransomware, threat testing, supply chain, cryptocurrency, cloud security, leadership, and zero trust.

Stop By and Watch Our Live Session

Session: Data Risk is Lurking in the Shadows

When: Mon, Sep 26 at 4:00PM–4:25PM

Shadow data is the new shadow IT and it’s leaving undue risk and breaches in its wake. CISO anxiety comes from the fear of the unknown and data security teams have lost visibility into where their sensitive data is in the cloud.

Learning objectives for this session:

  • What is shadow data?
  • How does it occur?
  • Where is your shadow data?
  • How to shine a light on the shadows

Meet Us Here

InfoSec World 2022
September 26-27
Disney’s Coronado Springs Resort
Booth #701
Save Your Spot Today!

If you liked what you saw here, then be sure to share with your co-workers and friends because we want to hear from you! Follow us on Twitter @laminarsec or find us on LinkedIn. And definitely, don’t forget to @mention us and @InfoSec_World, using the #InfoSecWorld hashtag when spreading the word!

Data is the new uranium and data security is vital to protect this new currency.

Data is the new uranium.

I just love a good analogy, don’t you? Let’s explore an analogy I keep hearing over and over again where data is likened to uranium.

As you may already know, data has become one of the world’s most valuable resources and is the new currency of the world. Some claim it’s as valuable as oil. Some suggest that it’s even more valuable than oil and comparable in value to uranium. That’s right, data is the new currency and a good approach to data protection is to think about data as if it is as valuable as uranium. Full stop. Let’s dig into this…and discover why this analogy works so well.

Uranium and data are very dangerous if misused.

Uranium is radioactive, making it hazardous because of its instability and very dangerous if misused. Data can also be misused in many ways, such as by attackers in a wide-scale breach of government or corporate data, which could lead to blackmail, reputational damage, financial or other harm to the individuals whose data may have been compromised. The very personal nature of the data that organizations track about their users means that it can be weaponized against the users and against the organizations collecting and using that data. Just look at Facebook, Twitter, Amazon, Google, Uber, Morgan Stanley—all have very famous examples of data misuse in the real world.

Uranium and data both have actual monetary value

Units of physical uranium are publicly listed on the market and can be bought and sold just like stocks. Data too, can be monetized, as demonstrated by the world’s five most valuable companies dealing in it. Having the right data can lead to ad revenues, product innovation, and just general market domination. Having lots of the right data can make you extremely rich (Apple, Microsoft, Google, Amazon, and Facebook).

Uranium and personal information are powerful sources of “fuel”.

Uranium is widely used to fuel nuclear energy plants. Data is used to fuel AI adoption and digital transformation. Organizations that harness it well enable their people, their decisions, experiences, technologies, and so on. For the end user like myself, it drives our behavior through the innovations we can experience. It’s used to unlock your iPhone, it drives better customer experiences, it is THE fuel for digital transformation!

Uranium and data must both be controlled and disposed of properly

There are numerous rules around data and uranium, and when they are not being used, they need to be protected and disposed of. Just as one would not use radioactive uranium for unrelated items (e.g., a paperweight), data should not be used outside of its intended purpose. The same goes for disposal: there are very specific ways to dispose of uranium, and increasingly strict laws around the world ensuring that data, too, must be disposed of properly, so it cannot be found and reused (or abused) in the future.

Ok, I think you get it now, so what does all this mean?

It’s time to take a closer look at how we secure data and treat it with the value and danger that it can hold. Think about it: you wouldn’t have a haphazard approach to how you keep your uranium secure, would you? The same stricter approach should go for handling data. Digital transformation is an unstoppable force that continues to accelerate and gain momentum…making the fuel that is data directly accessible to just about anyone and everyone who needs it within the organizations that deal in it in today’s world. There are no more “walls” to close off the perimeter; when you move to the cloud, everything is an API-first approach. That means that we need a data-centric approach to our security that takes additional steps to ensure the data is safe from improper or harmful use.

Proper permissions are imperative for data, along with full observability in real time, in order to remediate or secure it.

Educating, training, and proper permissions for security and governance teams to understand and secure cloud data should be top of mind, which will significantly reduce the risk of being compromised. The pace of change alone is so rapid that the data in the cloud is largely invisible to these teams, and cloud data that is unknown and invisible means it is often unprotected, exposed, and vulnerable to both external and internal threats.

Stay on the offense: don’t allow your cloud data to be unprotected, exposed, and vulnerable to breaches. It’s high time you future-proof operations to reach your transformation goals. It’s time to take steps to better understand what data you have, and where it resides. What are you waiting for?

Data is valuable beyond measure, like uranium.

To sum it all up, I must say one more time—uranium, like data, is extremely valuable and should be treated as such—as one of the world’s most valuable (and vulnerable) resources. This means protecting “your crown jewels,” your most important data, from internal or external corruption and illegal access needs always be top of mind.

Interested in learning more? Check out our next webinar and sharpen your cloud data security knowledge skills!

Meet us here

Data-Centric Security Trends: Secure Your Cloud Data Now
Watch On-Demand Webinar

Save your spot!


Data Security Posture Management or Cloud Security Posture Management? You Need both DSPM & CSPM

Securing the cloud is complex. Securing data in the cloud is hyper-complex.

That’s why organizations need several solutions. Data security posture management to secure the data. Cloud security posture management to secure the infrastructure. The solutions are very different. They answer different needs. They take different viewpoints. They are both needed to secure your organization.

Here’s why you should look at both as part of your larger cloud security stack. The story is one of contrasts, not comparisons.

Data Security Posture Management (DSPM)

There are dozens of different ways to store data just in AWS. Then you add Azure, GCP, Snowflake. Complexity is then further multiplied and amplified by the speed of data proliferation. Developers and data scientists are using data freely in the cloud. They can now move, copy, and share data in seconds instead of weeks. They can spin up new databases as quickly and as often as they like.

While this has been amazing for the business, it creates a gap in security, because when data proliferates, its security is usually an afterthought. In this new world of cloud operations, security teams need to make sure controls are tight while not infringing in any way on the free, unfettered use of data by developers and data scientists necessary for business innovation.

With DSPM, security teams finally have a solution custom-built just for this challenge. A solution built to protect the data. A solution that is completely independent of the underlying infrastructure that is storing the data. This is important because the data security practitioner doesn’t need to know if data is in RDS or S3 or Google BigQuery. They aren’t worried if it’s on AWS, GCP, Azure or Snowflake. What they do care about: what data is the organization storing, how is it being protected, who should and does have access to that data, what is the risk of exposure and how to fix it.

DSPM is the policy enforcement engine that lets security teams put in guardrails in a way that is data-centric, circumvents the complexity of cloud infrastructures, and easily addresses the challenge of ongoing data proliferation. A fully automated data-centric policy engine (as provided by a DSPM) secures your data at the speed of cloud. With it, data security can focus on the data and the policies that provide the guardrails for protecting that data. For instance, data policies could dictate that personally identifiable consumer data should never be publicly exposed, regardless of the infrastructure within which the data resides.

The DSPM solution then converts these data policies into specific technical configurations and shows the user where the data security policy is currently violated, prioritizes issues for resolution, and helps fix those issues with clear, specific technical remediation instructions.

DSPM policies focus on:

  • Data exposure and access
  • Data obfuscation (encryption, tokenization, anonymization)
  • Data segmentation of the environment
  • Data retention
  • Data proliferation control

With this new tool in hand, the data security practitioner needs only to define a set of data-centric security guardrails, and then let the DSPM do the work of finding violations and monitoring for data proliferation. Say you have social security numbers publicly exposed in an Oracle DB hosted on a virtual machine in Azure. The data security person doesn’t even need to be aware that the virtual machine exists. The DSPM discovers the asset, finds the sensitive data in it, and determines there is a data security policy violation. It determines the priority of violation based on several factors including sensitivity and risk, and engages the relevant team members to help in remediation.

Cloud Security Posture Management

In contrast, CSPM is all about the infrastructure. CSPM tools pull metadata via the cloud provider’s API to obtain visibility into the cloud infrastructure layer only. CSPM controls typically address infrastructure-related operational activities such as ensuring encryption keys are properly and regularly rotated or multi-factor authentication (MFA) has been applied to a critical system. CSPMs also report and advise against using overly permissive account settings for identities etc.

Although CSPMs can detect publicly exposed storage buckets they lack complete insight as to the location of sensitive data stores in the cloud environment, its potential for exposure, or the recommended security posture of the data. For instance, they do not know if and which data should be encrypted, how long it should be retained for, or who should and should not have access. They do not monitor access to sensitive data in the cloud or detect indications of data leakage or exfiltration of these “crown jewels.”

Some concrete examples we have found at our customers of where CSPM and DSPM differ are as follows. One customer has a publicly exposed S3 bucket that was identified by CSPM, but the bucket was supposed to be publicly exposed (public by design) because it was hosting a website. However, we found that somebody internally had mistakenly placed highly sensitive data in this bucket, which was now also publicly exposed. A CSPM does not catch this because it is not aware of the data elements inside. A DSPM does. Alternatively, there are cases where the S3 bucket is NOT publicly exposed, but the data elements inside can be, and actually are. Again, the infrastructure is secure, but the data may still be exposed. We’ve seen both examples many times in our customers’ environments.
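The contrast between an infrastructure-centric check and a data-centric policy check, as described above and in the DSPM policy-engine section, is easier to see in code. The following is an added illustration written for this post, not Laminar’s product code or any cloud provider’s API. It evaluates the data policy “personally identifiable data must never be publicly exposed, regardless of where it resides” over a constructed in-memory inventory that stands in for what a scanner would pull from a storage API. The two customer cases from the text are encoded directly: a public-by-design website bucket into which sensitive data was dropped, and a private bucket containing an object that is exposed at the object level. The store names, object keys, `public`/`public_by_design` flags and the sample records are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Minimal classifiers for two sensitive data types (constructed for this example).
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[A-Za-z]{2,}"),
}


@dataclass
class StoredObject:
    key: str
    content: str
    public: bool = False  # object-level exposure flag (constructed, not a real API field)


@dataclass
class DataStore:
    name: str
    public: bool              # store-level exposure (e.g. a public bucket)
    public_by_design: bool    # owner has declared this store intentionally public
    objects: list = field(default_factory=list)


def classify(content: str) -> list:
    """Return the sorted list of sensitive data classes found in a blob of content."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(content))


def cspm_findings(stores: list) -> list:
    """Infrastructure view: flag stores that are public but were not meant to be.
    It never looks inside the objects, so a public-by-design bucket is always clean."""
    return [s.name for s in stores if s.public and not s.public_by_design]


def dspm_findings(stores: list) -> list:
    """Data view: flag any sensitive object that is publicly reachable, whether the
    exposure comes from the store itself or from the object's own setting.
    Findings are prioritised by the sensitivity of what was found."""
    findings = []
    for store in stores:
        for obj in store.objects:
            classes = classify(obj.content)
            if classes and (store.public or obj.public):
                findings.append({
                    "store": store.name,
                    "key": obj.key,
                    "classes": classes,
                    "exposed_via": "store" if store.public else "object",
                    "severity": "high" if "ssn" in classes else "medium",
                })
    # Highest severity first so remediation starts with the crown jewels.
    findings.sort(key=lambda f: 0 if f["severity"] == "high" else 1)
    return findings


# Constructed inventory reproducing the two cases described in the post.
SAMPLE_STORES = [
    DataStore("www-assets", public=True, public_by_design=True, objects=[
        StoredObject("index.html", "<html><body>Welcome</body></html>"),
        # Someone mistakenly dropped a customer export into the website bucket.
        StoredObject("export/customers.csv", "name,ssn\nAlice,123-45-6789\n"),
    ]),
    DataStore("internal-reports", public=False, public_by_design=False, objects=[
        # The bucket is private, but this one object has been made public.
        StoredObject("q3/contacts.csv", "name,email\nBob,bob@example.com\n", public=True),
    ]),
    DataStore("misconfigured-logs", public=True, public_by_design=False, objects=[
        StoredObject("app.log", "2022-09-01 INFO service started\n"),
    ]),
]


def main():
    print("CSPM findings (infrastructure):", cspm_findings(SAMPLE_STORES))
    for f in dspm_findings(SAMPLE_STORES):
        print(f"DSPM [{f['severity']}] {f['store']}/{f['key']} "
              f"classes={f['classes']} exposed via {f['exposed_via']}")


if __name__ == "__main__":
    main()
```

Run against the sample inventory, the infrastructure check reports only the unintentionally public log bucket, while the data-centric check reports the two sensitive objects (the SSN export via the store-level exposure, the contact list via the object-level one) and nothing about the log bucket, because it holds no sensitive data. That is exactly the complementary coverage the post argues for: neither check subsumes the other.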

The Bottom Line

Organizations need both CSPM and DSPM. They complement each other, and cover different perspectives that are needed to effectively secure multi-cloud environments. One provides an infrastructure-centric perspective. The other provides a data-centric perspective. Both are important parts of a defense in depth strategy, CSPM to keep intrusions out of your infrastructure and DSPM to protect the data and reduce blast radius, even after attackers get in.

See how Laminar helps organizations keep their data secure by providing a complete Cloud Data Security Platform, including best-in-class data security posture management (DSPM).

Can You See Me Now? Time to Shine a Light on the Huge Cloud Security Risk Posed by Your Shadow Data.

Shadow data is the largest threat to your data security that you don’t even know about. There is nothing that is growing faster in the cloud than data.

It only takes one developer to leave an S3 bucket with user data open or to leave a redundant copy of data out there after a cloud migration. The result is shadow data that’s just lying around, and worst of all, it doesn’t even take an elite hacker to find it. There are automated scans running everywhere on the internet that are constantly looking for weaknesses or opportunities to find this “shadow data.”

According to the Flexera 2021 State of the Cloud Report, 92% of enterprises today have a multi-cloud strategy, and 82% of those have embraced a hybrid approach. That leaves an open invitation for shadow data to accumulate because of how difficult these environments are to monitor effectively. There are many risks to not having visibility over all of your cloud data, especially shadow data; here are a few: (1) you don’t know what or where sensitive data is located in your cloud environments, (2) the HUGE reputational damage you may face resulting from an unsophisticated attack, perhaps from an attacker who is just looking to make headlines to increase their reputation at your expense, (3) the millions you spent on your security program could be a waste because data was left out there without proper security controls after someone made a misconfiguration error, and (4) those dreaded four-letter words (acronyms) GDPR, CCPA, CPRA…a.k.a. the regulatory liability of your data being discovered.


Got your attention now?

The first step to combatting this pesky thing called “shadow data” and significantly reducing your organization’s security risk starts with acknowledging and understanding this shadow data. Unmanaged data stores and shadow data are a natural byproduct of the race to the cloud. But with proactive planning there are ways to ensure visibility and protection of this data in all the places it may be hiding.

However, not all solutions for combatting shadow data are created the same. In your evaluation of cloud data monitoring solutions, top of mind should be looking for solutions which discover and classify all data, including shadow data, continuously for complete visibility. It’s also important to find a solution that will secure and control data to detect leaks and remediate without interrupting data flow, automatically improving your risk posture. Be sure to look into platforms that can scan your entire cloud account and automatically detect all data stores and assets, not just the known ones. This data observability allows a deeper understanding into where your shadow data stores are and who owns them, leading to a secure environment and the ability to thrive in a fast paced, cloud-first world.

Headed to Black Hat USA?

If you are interested in a deeper and more holistic understanding of cloud data security, we have three top briefing session picks at Black Hat USA, compliments of our head of solution engineering, Jon Tobin. Check them out!

Backdooring and Hijacking Azure AD Accounts by Abusing External Identities

Speaker: Dirk-jan Mollema, Security Researcher at Outsider Security

Tracks: Cloud & Platform Security, Enterprise Security

This briefing session is relevant to cloud security, and in particular it will give insights into the cloud access and permission settings that allow attacks to exist in Azure AD. The session will also provide solutions to harden against these attacks and to detect abuse of the mechanisms involved. Find out more here.

IAM The One Who Knocks

Speakers

  • Igal Gofman, Head of Security Research at Ermetic
  • Noam Dahan, Research Lead at Ermetic

Tracks:  Enterprise Security, Cloud & Platform Security

An interesting session about managing identities and access to multi-cloud environments to reduce the attack surface in enterprise cloud environments. It promises to supply actionable steps “anyone can follow”, along with a comparison of the three primary cloud services: AWS, Azure, and GCP. Be sure to check it out; you can find more information on the briefing session here.

Better Privacy Through Offense: How To Build a Privacy Red Team

Speaker: Scott Tenaglia, Engineering Manager at Privacy Red Team, Meta

Tracks: Privacy, Lessons Learned

A privacy red team is an important component of a holistic cyber security program because it tests how well the program stands up to threats from real adversaries. If you are looking for a deep dive into privacy, this is a great briefing session to check out to learn: what a privacy red team is, the challenges it faces, and examples of real-world operations performed by the Meta privacy team. Learn more about this session here.

Meet us here

The Laminar Security team is going to be at Black Hat in full force, and we’d love to meet you to learn about your cloud data security challenges, including shadow data, and how we can partner with you to solve them. Stop by to find out why Laminar is providing cloud data security at the speed of cloud.

Laminar Booth #2500
August 10-11
Mandalay Bay, Las Vegas, NV

Book an Executive Briefing today!

If you liked what you saw here, then be sure to share with your co-workers and friends because we want to hear from you! Follow us on Twitter @laminarsec or find us on LinkedIn. Don’t forget to @mention us and #blackhat or #blackhat22 when spreading the word!

Cloud Data Security Requires 20/20 Vision

No reasonable business leader would ever dream about leaving their logistics software unmanaged or their sales departments to their own devices. Visibility into every aspect of a business—every crevice, no matter how large or small—is critical to the success of any operation. Lack of visibility leaves businesses open to risks in the form of theft, inefficiencies, customer dissatisfaction and so much more.

As the business world continues to thrive on big data—and with more of that data stored in the cloud—visibility into a company’s data is undeniably important.

Data visibility into a self-contained, on-prem system is one thing, but that structure is hard to come by these days. Most modern businesses rely on the cloud to improve flexibility, to increase scalability, and to execute tasks quickly and effortlessly.

As the cloud allows businesses to work efficiently from anywhere at any time, greater access drives higher levels of risk. Due to the increased pace of change and the sprawl of new cloud technology, an organization’s data will be spread across many places, leaving some of it more or less invisible in a “dark corner.”

Many large brands have already come to face this reality. Earlier this year, SEGA Europe sustained a massive data breach after someone inadvertently stored secure, sensitive files in a publicly accessible AWS S3 bucket. Similarly, a “glitch” caused some Twitter users’ personal information and passwords to be stored in a readable text format on the company’s internal system rather than disguised by their hashing process. The breaches of these two shadow environments show how a little mistake can lead to public scrutiny and damage a brand.

Ignorance is (Not) Bliss

Some may argue that data visibility before the cloud was mediocre at best, often undermined by poor employee security awareness and unclear data protection policies. The introduction of cloud technology highlighted that issue and led to the ever-increasing number of data breaches experienced today.

One of the biggest factors contributing to data breach culture is the sheer absence of comprehensive data visibility. It’s almost become an inevitable outcome—the price of admission, so to speak—that an organization can’t know what’s going on with every piece of data. A lot of professionals have accepted that conclusion as fact.

Often referred to as “shadow data,” hidden sensitive files and programs occur when data is copied, backed up or housed in a data store that is neither governed under the same security structure nor kept up to date. What some have simply accepted as the cost of doing business is turning out to be one of the largest threats to data security.

Shadow data has primarily been a result of four main changes to data culture: The proliferation of technology and its associated high complexity, the limited bandwidth of data protection teams who are falling behind, the democratization of data and the removal of on-prem perimeters.

What Lurks in the Shadows?

While hidden data can be a result of several different situations, it typically occurs when sensitive data—customer information, employee information, financial data, applications, intellectual property, etc.—is copied in an unsanctioned way. When data is copied and stored in a way that makes the files or programs invisible to a data protection team, those assets are unsecured and unmanageable using most modern security tools. Below are a few examples of how shadow data comes about:

  • S3 Backups: Almost every modern business has at least one backup data store that they use as a contingency plan in the case of a breach or damage to its production environment. The backup data store is meant to keep exact copies of production data in case of an emergency. However, these are often left unmonitored and can mistakenly expose large amounts of data to the public, as in the SEGA Europe example.
  • Leftover Data from Cloud Migration: As many organizations move to the cloud, they will deploy “lift and shift” data migration projects, but too often, the original data will never get deleted. This lingering data will remain unmanaged, unmaintained and often forgotten, which can most definitely lead to vulnerabilities down the line.
  • Test Environment: Most organizations have a partial copy of their production or RDS database in a development or test environment where developers are building applications and testing programs. Often, developers need to move quickly and may take a snapshot of some data but fail to properly remove or secure the copied data—or they simply forget about it.
  • Toxic Data Logs: When developers or logging frameworks mistakenly write actual sensitive data into log files, the result is a “toxic” data log. For example, naming log files after a user’s email address exposes PII in violation of policy.
  • Analytics Pipeline: Many companies will store data in some type of analytics pipeline using the likes of Snowflake or others because it improves data recall speed and allows them to manipulate and analyze the data more easily. However, analytics pipelines are typically unmonitored by most security solutions today.
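The “toxic data log” case above is one of the few shadow data sources a team can catch with a simple scan of what is being written. As an added Python example (not Laminar’s code), the scanner below checks both log file names and log lines for e-mail addresses and card-like numbers, and only reports a number as a card if it passes the Luhn checksum. The sample file names and log lines are constructed for illustration.

```python
"""Flag "toxic" log artefacts: log file names and log lines that carry PII.

Added example, not Laminar code. The sample file names and log lines below
are constructed. Findings are redacted so the report is not itself toxic.
"""
import re
from dataclasses import dataclass
from typing import List

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    source: str   # log file name, or "line:<n>" for a log line
    kind: str     # "email" or "card"
    value: str    # matched text with all but the last four characters masked


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four characters of a matched value."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_line(text: str, source: str) -> List[Finding]:
    """Return PII findings for one piece of text (a file name or a log line)."""
    findings = []
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding(source, "email", redact(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # request ids and timestamps fail this check
            findings.append(Finding(source, "card", redact(digits)))
    return findings


def scan_logs(file_names: List[str], lines: List[str]) -> List[Finding]:
    """Scan file names first (PII in a name is exposed by listing alone), then lines."""
    findings = []
    for name in file_names:
        findings.extend(scan_line(name, name))
    for n, line in enumerate(lines, 1):
        findings.extend(scan_line(line, f"line:{n}"))
    return findings


# Constructed sample data: one toxic file name, one toxic line, one benign id.
SAMPLE_FILES = ["app-2022-07-01.log", "export-jane.doe@example.com.log"]
SAMPLE_LINES = [
    "2022-07-01T10:00:00Z INFO order=1042 status=paid",
    "2022-07-01T10:00:01Z DEBUG card=4111 1111 1111 1111 user=bob@example.com",
    "2022-07-01T10:00:02Z INFO request_id=1234567890123456 done",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_FILES, SAMPLE_LINES):
        print(f)
```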

Turning the Lights On

Shining a light into these “dark corners” of a business’ data stores can help thwart data breaches and other inadvertent vulnerabilities. Yes, it’s necessary for modern organizations to enable their employees to move at the speed of the cloud, but that doesn’t mean security has to play second fiddle. Shadow data will occur, but the beauty of modern technology is that new solutions and approaches to decades-old challenges emerge every day.

These solutions are continuously working to discover and classify data and automatically detect all data stores and assets by scanning the entire cloud environment, revealing content in the shadows. Once all data is scanned, these solutions can categorize and classify files and programs and apply sanctioned data security policies that will allow security teams complete visibility and automated monitoring to manage all of a company’s assets effectively.

The number of breaches occurring “in the shadows” today should be enough for a business leader to reevaluate his or her approach to cloud security. Do they know where their sensitive data lives, and do they have the tools and resources to manage it? Having full data observability lets businesses understand where their shadow data stores are, their security posture and who owns them. Doing so leads to data flowing smoothly and safely and the ability to thrive in a fast-moving, cloud-first world.


Four Steps to Reinforce Your Cloud Data Security

With organizations racing to the cloud, the dynamic nature of those environments and the sprawl of technology have surfaced an urgent trend: we need stronger and more automated security in cloud-based environments to keep that data safe.

There is enterprise data security on-premises and cloud security for infrastructure, but nothing that secures data for everything you build and run in the cloud. Developers and data scientists are freely and rapidly capturing, copying, and manipulating sensitive data in public cloud environments, which has resulted in security and data teams losing visibility and control over data in the cloud.

Where do we turn to find solutions to help? Thankfully live events are back, as they have been sorely missed, and AWS re:Inforce is right around the corner. This AWS event is a perfect melting pot for learning and networking, aimed at professionals interested in cloud security, compliance, identity, or privacy. Amazing – an event where you can learn how to reinforce your cloud data security!

Whether or not you are headed to AWS re:Inforce…don’t you want to learn about four surefire ways to reinforce your cloud data security? I mean, then at least you can tune in at the event to learn more about where it’s coming from.

Embed Data Security Into Your Cloud Architecture

With organizations in a race to the cloud to maintain their competitive advantage, challenges in cloud-native and multi-cloud environments are popping up just as fast. By building data security into your cloud architecture you can easily optimize for security. Data will stay safe in your cloud with only metadata sent out.

Discover and Secure Shadow Data

Increasing democratization of data in the cloud is creating one of the largest risk areas, and “Shadow Data” (abandoned, orphaned, and otherwise lost data stored in the cloud) is a prime example. Discovering and securing this shadow data autonomously is going to give you the advantage you need to gain complete observability so that you can remediate and secure your data across clouds.

Enforce Your Sensitive Data Security Posture

Data Governance teams, tired of chasing people to find out what’s going on? With automated verification of data security posture and guided remediation you can overcome your data governance challenges for everything you build and run in the cloud.

Efficiently Ensure Compliance

Ensuring compliance efficiently can be done by leveraging automated discovery and control. Data Security Posture Management (DSPM) that enforces best data security practices and data policy, guides remediation, and reduces data attack surfaces is definitely the way to go.

In closing, the Laminar team is headed to AWS re:Inforce to learn, network, and meet with folks like you. If you are interested in learning more about how you can improve your cloud data security posture, then book your executive briefing today.

Meet us here

Laminar Exec Briefing Suite
Tue, July 26–Wed, July 27
Boston Convention and Exhibition Center
415 Summer St., Boston, MA 02210
Save your spot today!

If you liked what you saw here, then be sure to share with your co-workers and friends because we want to hear from you! Follow us on Twitter @laminarsec or find us on LinkedIn. Don’t forget to @mention us and #AWSSecurityInfo or #reinforce when spreading the word!

Data-centric Security: A CDO’s perspective on better data security

Data is essential for organizations today, and it is the fuel that drives business. Those who are able to run relevant algorithms and analytics on relevant and readily available data have a competitive advantage. However, organizations face the challenge of simultaneously streamlining access to valuable data while securing and protecting it. We can meet this challenge by moving to a data-centric security model.

A Better Way to Manage Data

The way we manage and access data today is inefficient. It is messy and chaotic. Organizations have an array of siloed, legacy data systems that are accessed from a variety of platforms. The net result of this system-centric approach to data is a tangled spider web of connections overrun with overlaps and redundancy.

The system-centric approach is unnecessarily complex. It also puts the team or individual protecting the data in the position of gatekeeper. Data security can’t come at the expense of data utility. We want to access and use the data—to get as much value out of the data as possible—which means security needs to be the gate opener rather than the gatekeeper.

How can we improve data security and streamline data access simultaneously? Let’s double-click on that.

Chief Data Officers (CDOs) are accountable for creating value with data end-to-end, from data management to data activation and outcome-oriented actions. Whether it is our data lake, customer data, product data, or any other kind of data, CDOs are responsible for that data wherever it sits and as it flows through the activity system of an organization and its broader ecosystem.

The goal is to facilitate access to data as effectively and efficiently as possible. A confusing mix of redundant crisscrossing and point-to-point integrations is certainly not efficient and, in a fast-paced environment like the one most businesses operate in, is not effective either, because of the lag between when data activation would have the highest value and when the ad hoc integrations actually make that data available for consumption. I would prefer to have all the data in a single content layer where we can easily manage access and reusable integrations through data access policies and APIs.

Rowing in the Same Direction

Someone has responsibility for managing and activating data in an organization, and someone must secure it. Larger companies and mature enterprises have chief information security officers (CISOs) and CDOs. Still, even in smaller or younger organizations, someone fills similar roles regardless of their titles.

Achieving this goal and changing how we manage and protect data requires cooperation and collaboration. Regardless of the exact roles or titles involved, everyone must be rowing in the same direction.

The Case for Data-centric Security

Fortunately, both CISOs and CDOs benefit from shifting to a decoupled data architecture and adopting a data-centric security model. It is easier for the CISO to maintain visibility and manage security when we remove silos, incentivize reusability and reduce complexity. At the same time, simplifying the flow of data helps the CDO minimize the cost and delays of data transfers, data migrations, and data replication that hinder their team from activating data when it’s most valuable.

Shifting the approach in this way allows the CISO and CDO to have a shared source of truth—a single platform to define their policies and manage both access and security at the same time. It reduces friction and simplifies the process for everyone involved because as long as policy conditions are met, data access can be granted automatically without sacrificing data security.

The data-centric model also accelerates development. When developers want to introduce a new feature in a system-centric model, they must spend time and effort creating redundant data pipelines. In a data-centric model where data access is managed and enforced through policies, developers can skip that part and focus on the feature itself rather than reinventing the wheel every time.

Achieving this goal is not a matter of simply flipping a switch. There is a lot of inertia behind the legacy model of siloed data systems and the system-centric approach to security. This is a transformation, and it only works if the whole organization gets on board with this operating model.

Ultimately, the data-centric model lets us move from gatekeeper to gate opener. We need to get to a place where everyone behaves with a data layer-first mindset. If we can achieve that state, we can focus on enabling access and extracting value from our data rather than worrying about sprawling data silos and struggling with continuous consolidation efforts to reduce risk and increase efficiency.

Cloud Security Product Update: Breaking Three Boundaries for Cloud Data Security

Breaking new boundaries

As Laminar’s VP of Product, I enjoy every time our team achieves new heights. I love innovations that truly add value for our customers. It’s exciting to break new boundaries and redefine what’s possible. Protecting your most sensitive data in a public cloud environment is hard. Engineers and data scientists build fast and collect and process data at huge volumes; they are doing the right thing for the business, but they don’t always have security and privacy top of mind.

Laminar has been defining a new reality for data security in the cloud across the industry. We have also been providing our clients with innovative, first in class services. As of today, we are widening our lead in the industry with several valuable new capabilities:

  • First to secure cloud data in a multi-cloud environment by adding support for Microsoft Azure.

    Multi-cloud adoption has soared due to the advantages of rapid development and minimal vendor lock-in. Gartner estimates that “more than 75% of organizations use multiple public cloud services today, and have plans to expand.” With this announcement Laminar is first in the public cloud data security market to support multi-cloud, by adding Microsoft Azure support to the existing support for Amazon AWS. This has several advantages for fast-moving enterprises:
    1. Consistent controls: With a single pane of glass across a multi-cloud environment, enterprises can apply a consistent set of data governance policies, no matter where and how that data is collected and stored. This capability empowers teams to move faster, make fewer mistakes, and ramp up quicker by mastering fewer tools.
    2. Levelset Security: Rather than have different levels of security due to different levels of knowledge about the built-in offerings of the public clouds, Laminar provides a consistently high level of data security across all clouds.
    3. Cloud Data Catalog: Laminar creates a cloud data catalog across clouds, across tech stacks, and physical locations that contributes to true data democratization.
    4. Guided remediation: Remediation recommendations include the exact set of actions needed for that exact cloud environment, thereby increasing the efficiency of security and governance teams.
  • First to offer a full suite of data-centric security policies

    While most cloud security approaches define security policies at the infrastructure level, Laminar is now the first to offer a full suite of data-centric policies that are automatically enforced. These data-centric policies are geared towards preventing the breach or leakage of sensitive data, regardless of the cloud infrastructure that stores it. Focusing on securing the data as opposed to the infrastructure is at the root of Laminar’s Cloud Data Security Platform and enables many advantages for security teams:
    1. Increased focus and efficiency: Data-centric policies allow security teams to focus on what matters. For example, an infrastructure-centric policy would specify that all S3 buckets would not be publicly accessible. Such a policy then drives tedious, manual processes to figure out if a publicly accessible bucket was designed to be so, and what data it might store. The related but enhanced data-centric policy, that is based on a deep and precise data catalog, would only trigger when actual sensitive data is accidentally publicly exposed, regardless of where it’s stored.
    2. Process simplification: A single data-centric policy replaces multiple infrastructure-centric policies, such as a policy per data asset type and per cloud environment. Thus, a data-centric approach greatly simplifies the policy setup process. In a world where security practitioners are a scarce resource, simpler, more focused processes translate into enhanced security.
    3. Reduction of risk: While securing the infrastructure and the application environment is important to prevent and stop attacks, data-centric security policies enable organizations to make sure data is not mismanaged, so that in the event of a breach the blast radius is greatly reduced.
  • First to discover and classify data in self-hosted, embedded databases

    “Shadow Data” encompasses data that is not tracked by IT yet might contain sensitive information. A major category of Shadow Data is databases that are embedded into cloud compute instances (AWS EC2s or Azure VMs). As developers rapidly iterate, they easily spin up embedded, hidden data assets that are most often unprotected – and targeted by threat actors. With this announcement, Laminar is the first to support the discovery of these data assets wherever they are located, and the asynchronous, autonomous mapping and classification of the data that is stored in those assets. This has several advantages for dynamic development environments:
    1. Uncovering Shadow Data: Laminar uncovers new as well as abandoned embedded databases spun up by developers, and untracked by security teams.
    2. Autonomous: The platform autonomously and continuously discovers all data assets as they are created by developers or data scientists. Laminar is unique in being able to access data assets even without requiring users to provide credentials such as passwords. The security team is always up to date without any manual steps.
    3. Pinpointing abandoned “Lift and shift” data assets: As legacy systems are “lifted and shifted” to the cloud and then upgraded to cloud-native resources, the result is typically abandoned yet highly sensitive embedded databases that are both untracked and at high risk. Laminar ensures that these data assets are discovered and protected by default.
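The contrast drawn above between an infrastructure-centric rule per cloud and asset type and a single data-centric rule can be made concrete in code. Below is an added Python example (not Laminar’s code) that evaluates both kinds of policy over a constructed multi-cloud inventory of data stores; the inventory, the classification labels and the rule texts are assumptions made up for illustration.

```python
"""Infrastructure-centric vs data-centric exposure policies, evaluated over a
constructed multi-cloud inventory of data stores.

Added example, not Laminar code. The inventory, classification labels and
rule texts are assumptions made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DataStore:
    cloud: str            # "aws" or "azure"
    kind: str             # asset type, e.g. "s3", "blob", "sqldb"
    name: str
    public: bool          # reachable without authentication
    classes: frozenset    # classifier output, e.g. {"PII", "PCI"}


SENSITIVE = {"PII", "PCI", "PHI", "SECRET"}

# Infrastructure-centric: one rule per (cloud, asset type). Anything the rule
# set does not name (such as a database embedded on a VM) is never checked.
INFRA_RULES: Dict[Tuple[str, str], str] = {
    ("aws", "s3"): "S3 buckets must not be publicly accessible",
    ("aws", "rds"): "RDS instances must not be publicly accessible",
    ("azure", "blob"): "Blob containers must not allow anonymous access",
    ("azure", "sqldb"): "SQL databases must not allow public network access",
}

# Data-centric: a single rule that follows the data, whatever stores it.
DATA_RULE = "Sensitive data must not be publicly exposed"


def infra_policy(inventory: List[DataStore]) -> List[DataStore]:
    """Fire on every public asset covered by a (cloud, kind) rule."""
    return [s for s in inventory if s.public and (s.cloud, s.kind) in INFRA_RULES]


def data_policy(inventory: List[DataStore]) -> List[DataStore]:
    """Fire only where classified sensitive data is actually public."""
    return [s for s in inventory if s.public and s.classes & SENSITIVE]


def compare(inventory: List[DataStore]) -> Dict[str, Set[str]]:
    """Split findings into infra-only (needs manual triage of intent and
    contents), data-only (missed by the infra rules) and both."""
    infra = {s.name for s in infra_policy(inventory)}
    data = {s.name for s in data_policy(inventory)}
    return {"infra_only": infra - data, "data_only": data - infra, "both": infra & data}


# Constructed inventory.
INVENTORY = [
    DataStore("aws", "s3", "static-web-assets", True, frozenset()),
    DataStore("aws", "s3", "prod-backup-2021", True, frozenset({"PII", "PCI"})),
    DataStore("aws", "s3", "public-datasets", True, frozenset({"PUBLIC"})),
    DataStore("azure", "blob", "marketing-images", True, frozenset()),
    DataStore("azure", "blob", "hr-export", True, frozenset({"PII"})),
    DataStore("azure", "sqldb", "analytics-dw", False, frozenset({"PII"})),
    # Embedded database on a VM: no infra rule names it; the data rule still applies.
    DataStore("azure", "vm-embedded-db", "legacy-crm", True, frozenset({"PII"})),
]

if __name__ == "__main__":
    for group, names in compare(INVENTORY).items():
        print(f"{group}: {sorted(names)}")
```

Three of the five infrastructure findings are public on purpose and hold no sensitive data, while the embedded database is exposed and missed by the infrastructure rules entirely.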

These are not the last firsts

In closing, I anticipate many, many more firsts with Laminar. I further anticipate that we will continue to define the public cloud data security market, and continue to provide our clients with the best cloud data security platform and services in the market.