The appeal of cloud environments is the promise of a “set-it-and-forget-it” way of working. The work of running and maintaining infrastructure shifts to the provider, taking a big weight off your shoulders.
It’s no surprise, then, that many enterprises assume that the flexibility and ease of cloud operation also means less responsibility for managing and protecting the data they put there. Unfortunately, that’s not the case.
As we’ve discussed, too many enterprises are being taken by surprise when they discover that their cloud service provider’s end-user license agreement (EULA) doesn’t provide the level of protection they had assumed. The EULA is designed to protect the CSP and does not necessarily focus on the protection of the customer.
Moving your data from on-prem to the cloud doesn’t change the fact that the data is still your responsibility. Whether you own a home or rent, you’re still responsible for locking your doors at night. The same is true for the cloud. You’re paying the CSP to host your data in their data center and to give you access to their automation and orchestration tools. Their responsibility is keeping the hosted environment up, running, and protected. The protection of your data is not included in that responsibility.
Your responsibility as an end user is the protection and management of the data in these hosted environments. Recovering from ransomware and complying with regulations fall under your purview, not the CSP’s.
So, what are the best approaches to protecting and classifying data in the cloud? How can you sleep better at night knowing there isn’t information hiding in your dark data that you can no longer locate when someone exercises GDPR’s “right to be forgotten”? It starts with understanding which responsibilities fall to you rather than your CSP, and then implementing a plan to ensure your data is properly managed and protected.
Yes, “it” can happen to you.
The “it” could be a fine for non-compliance with various regulations or a ransomware attack.
When I talk with companies about being compliant with GDPR or CCPA, many of them shrug it off. They either think they’ll never get fined or believe those regulations don’t apply to them. This is concerning and short-sighted for several reasons. First, GDPR fines are increasing in frequency and aren’t just targeting big tech companies anymore. Second, many global companies are surprised to learn that GDPR does, in fact, apply to them. GDPR applies based on whose data you process, not where you are: even without a physical presence in the EU, if you store or process personal data on individuals in the EU, you must comply. That’s why it’s incredibly important to have visibility into your data and to know what information you hold on EU data subjects, and where it lives.
Ransomware attackers are getting smarter. Attacks are increasing in frequency, sophistication, and scale, and the associated costs are rising with them. Attackers know that companies are storing more mission-critical data in the cloud, and a foothold in a widely used cloud platform or service can expose many tenants at once. While CSPs do offer a layer of protection, they do not assume responsibility for your losses. AWS calls out specifically that securing data and systems on their cloud is a “shared responsibility.” Companies should ensure their cloud-based workloads and data are protected and recoverable to the same standard as their virtualized or on-prem resources.
When ransomware strikes, the ability to quickly locate mission-critical or sensitive data is paramount. With a solid and secured protection strategy, you can kick the malicious actors to the curb, because whatever they hold hostage, you have a secondary copy of elsewhere. That copy only helps if the attacker cannot reach it, so keep it isolated or immutable; backups that are reachable with the same credentials as production are routinely encrypted or deleted alongside it. With a tested recovery strategy, you can avoid paying and quickly return to normal business.
The perimeter controls that came for free on-prem, network segmentation and firewalls behind four walls, are not applied for you in CSP environments; configuring them is now the end user’s job, and too often an afterthought. You are no less a target for ransomware in the cloud; you might even become a larger one.
Classifying data seems tedious and painful, but it doesn’t have to be.
To effectively tackle issues such as ransomware or regulations, the ability to locate and act on data easily is key. This is where automated data classification comes into play. The sheer amount of data in your environment can make it feel like you’re looking for a needle in a haystack. Some companies do the bare minimum to organize their data landscape in an effort to pass a compliance audit. But in many cases, they’re still left with vast amounts of dark data, which causes two issues. One, it delivers no value to the business. Two, it is a latent risk: you cannot protect, produce, or delete data you don’t know you have.
The first step in fixing these problems is visibility. You have to be able to plug into the different data sources across your heterogeneous environment and bring that information into one unified view. Once you can see your data, you need to be able to quickly locate and classify it, either through pre-defined classification policies or manually built ones. Once your data is tagged, it’s time to get granular. You need robust filters that let you quickly sort through the data and decide what action must be taken: moving it, deleting it, and so on. Without these steps, you’re exposed to risks like ransomware attacks or non-compliance with regulations around the world.
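The pipeline just described (connect sources, classify against policies, tag, filter, act) in miniature, as an added example that is not part of the original post or of any Veritas product. The four sample objects, their contents and the two policies are constructed for the demonstration; the regexes and the Luhn check are generic, and a real deployment would pull content from the actual sources and carry far more policies.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed sample objects standing in for files pulled from several data
# sources (object storage, a file share, a SaaS export, a log bucket).
SAMPLE_OBJECTS: Dict[str, str] = {
    "s3://hr-bucket/2019/payroll.csv":
        "name,email,card\nAnna Berg,anna.berg@example.eu,4111 1111 1111 1111\n",
    "smb://fileserver/share/old-notes.txt":
        "Meeting notes, nothing sensitive. Contact ops@example.com\n",
    "gdrive://team/export.json":
        '{"customer_id": 42, "card": "1234567812345678"}\n',
    "s3://logs/app.log":
        "2020-01-01 INFO started\n",
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Policy:
    """A classification policy: a tag, a pattern, and an optional extra check."""
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None


# Pre-defined policies (hypothetical tag names). The PCI policy adds a Luhn
# check because a bare 13-16 digit regex produces many false positives.
POLICIES: List[Policy] = [
    Policy("PII:email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")),
    Policy("PCI:card", re.compile(r"\b(?:\d[ -]?){13,16}\b"),
           lambda s: luhn_ok(re.sub(r"\D", "", s))),
]


def classify(content: str, policies: List[Policy] = POLICIES) -> Set[str]:
    """Return the set of policy tags whose pattern (and validator) match."""
    tags: Set[str] = set()
    for policy in policies:
        for match in policy.pattern.finditer(content):
            if policy.validator is None or policy.validator(match.group(0)):
                tags.add(policy.name)
                break
    return tags


def classify_all(objects: Dict[str, str]) -> Dict[str, Set[str]]:
    """The unified view: every object from every source, with its tags."""
    return {path: classify(content) for path, content in objects.items()}


def filter_by_tag(index: Dict[str, Set[str]], tag: str) -> List[str]:
    """Granular filter: which objects carry a given tag (e.g. to move or delete)."""
    return [path for path, tags in index.items() if tag in tags]


def untagged(index: Dict[str, Set[str]]) -> List[str]:
    """Dark data: objects that matched no policy and still need a human decision."""
    return [path for path, tags in index.items() if not tags]


def find_subject(objects: Dict[str, str], identifier: str) -> List[str]:
    """Right-to-be-forgotten lookup: every object mentioning one data subject."""
    needle = identifier.lower()
    return [path for path, content in objects.items() if needle in content.lower()]


if __name__ == "__main__":
    index = classify_all(SAMPLE_OBJECTS)
    for path, tags in index.items():
        print(f"{path}: {sorted(tags) or 'untagged'}")
    print("cardholder data in:", filter_by_tag(index, "PCI:card"))
    print("dark data:", untagged(index))
    print("erasure request hits:", find_subject(SAMPLE_OBJECTS, "anna.berg@example.eu"))
```

The `export.json` object contains a 16-digit run that the regex alone would flag; the Luhn check rejects it, so it ends up in the dark-data list for review rather than in the cardholder-data filter. That is the point of layering a validator on a pattern: a classification you act on automatically (move, delete, restrict) should have a low false-positive rate, while anything unclassified should be surfaced rather than silently ignored.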
Once companies move from a manually driven process to automation, it’s no longer a treasure hunt. Decisions about which data is risky and which isn’t worth preserving become data-driven and informed. You can also be more proactive about identifying sensitive data that is at risk of being accessed inappropriately, even without malicious intent, for example by negligent employees.
As companies continue to rely on a mix of hybrid and multi-cloud environments, effective and efficient control over data becomes increasingly complex. While the appeal of a set-it-and-forget-it cloud strategy is tempting, understanding your role in the protection and management of your cloud-based data is the key to success in the face of regulations and ransomware.
To learn more, visit https://www.veritas.com/defy/eula.