Safer data and how to protect it in a multi-cloud environment
By John Michael
Multi-cloud has grown considerably in popularity for many businesses due to its ability to increase agility whilst minimising vendor lock-in, improving disaster recovery and boosting application performance, all while streamlining costs. However, data protection issues are of increasing concern. This is because multi-cloud in the enterprise often comes about organically to meet evolving requirements, so is not always planned. When business departments create their own complicated silos of data, this decreases visibility and can impact upon compliance. But what is the solution?
Encrypting confidential data
A multi-cloud architecture can make data migration easy, but managing access to the data and keeping it confidential can be challenging. Regardless of the mode of transfer or method of storage, information remains a valuable commodity that is vulnerable at all possible points of connectivity. The most effective methods to address such vulnerability is to consider secure encryption.
Encrypting data both in transit and at rest is critical. Data should preferably be encrypted with a FIPS certified, randomly generated, AES 256-bit encrypted encryption key to be ultra-secure. Confidential information stored locally on a computer or hard drive, sent via email or file-sharing service, or shared via data transfer in the cloud should equally be securely encrypted. Taking such an approach guarantees ongoing protection, keeping data confidential and giving IT leaders peace of mind.
Centralised remote management
As the use of multi-cloud environments means that sensitive data is stored in silos and transferred across numerous servers, it’s important for security managers to gain a holistic view as to which cloud providers hold which data, where that data is located and who holds access permissions within the organisation. This will enable geo-fencing and time fencing restrictions to be set, filenames to be appropriately encrypted and remote access to be enabled or disabled depending on requirement.
Key management for encrypted information is also important. Authorised users can be given a copy of a physical encrypted encryption key; a randomly generated encryption key stored within a USB module to allow ultra-secure and real-time collaboration in the cloud. Having a key management system in place provides greater control of encryption keys when using a multi-cloud solution, helping to facilitate a more centralised administration and management approach to data security.
Businesses need to have clear processes in place that all employees follow to uphold adherence to data protection regulations, regardless of where they choose to store the data. Incorporating multi-factor authentication will help in relation to data protection governance and is an important step in standardising policies, procedures and processes across multiple cloud providers.
If a malicious threat actor obtains a user’s credentials and compromises an account, the breach is likely to remain unnoticed by the cloud service provider who will not be able to tell the difference between a legitimate user and an attacker. Using an encryption key that is kept away from the cloud increases the number of security measures from just one level of authentication - the cloud account login - to as many as five-factors of authentication. The encryption key should itself be encrypted within an ultra-secure Common Criteria EAL5+ secure microprocessor along with a PIN authenticated code.
As more businesses move toward a multi-cloud setup, security leaders should be looking to follow such recommendations to bring peace of mind to the enterprise and, ultimately, result in safer data.