As organizations move their data from on-premises data centers to the cloud, they write cloud data security policies to protect that data in its new environment. With more and more data migrating to the cloud, these policies must cover a wide range of data stores, locations, uses and environments: public and private clouds, hybrid infrastructures and multi-cloud deployments.
Understandably, enterprise security teams want to check every relevant box when implementing these policies so that coverage is comprehensive. In doing so, however, they confirm the most common grievance business leaders hold against security practitioners: that security restricts and inhibits innovation.
The following are the six leading cloud data security policy pitfalls that security teams should watch for and avoid when defining and implementing cloud data security policies:
1. Manual documentation processes
Development teams take advantage of cloud data to spin up a growing number of data stores and tools in order to keep pace with innovation. They do so through trial and error, which makes it hard for security to keep up when every new or significantly modified data store must be documented by hand.
When security teams try to restrict this experimentation, developers become less likely to try the most promising emerging technologies, and the organization is less likely to find the best solutions for its needs. The more concerning scenario is the one in which development teams bypass security altogether by onboarding non-standard, unsanctioned solutions with nothing more than a corporate credit card. A manual process documents only what security already knows about, and that gap keeps growing.
2. Losing track of data
Some security teams may consider the previous pitfall irrelevant to their organization because they allow data to be moved or modified freely across cloud environments. While convenient for the business, this approach ignores the rapid growth of data and its tendency to spread across data stores and environments until nobody can say where a given dataset resides. That lack of visibility and control inevitably leads to losing track of data that may be sensitive, personal or customer data. If data is the fuel of many business processes, losing some of it means running low on gas.
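The two pitfalls above share one remedy: an automated inventory that is reconciled against the register security keeps, so that undocumented stores, stale entries, reclassified data and ownerless sensitive data surface on every sweep rather than when someone remembers to update a document. The script below is an added example, not code from the article or from Eureka Security. The "discovered" records stand in for what a cloud provider's inventory API would return and, like the register, are constructed inline so the script runs offline; the field names, tag names and the set of classifications treated as sensitive are assumptions.

```python
"""Reconcile what an automated inventory sweep finds against the manually kept
register of data stores.

Added example, not code from the article or from Eureka Security. Both the
'discovered' records (standing in for a cloud provider's inventory API) and the
register are constructed inline so the script runs offline; field and tag names
are assumptions.
"""
from dataclasses import dataclass, field

# Classifications that must always have an accountable owner (assumed policy).
SENSITIVE = {"pii", "confidential"}


@dataclass
class DataStore:
    store_id: str           # provider resource name (assumed format)
    kind: str               # e.g. "object-bucket", "managed-db", "warehouse"
    region: str
    tags: dict = field(default_factory=dict)


# Constructed: what the inventory sweep returned today.
DISCOVERED = [
    DataStore("bucket-customer-exports", "object-bucket", "eu-west-1",
              {"classification": "pii", "owner": "data-eng"}),
    DataStore("db-orders-prod", "managed-db", "eu-west-1",
              {"classification": "pii", "owner": "payments"}),
    DataStore("bucket-ml-scratch-0421", "object-bucket", "us-east-1",
              {"classification": "pii"}),  # created by a dev team, no owner tag
    DataStore("warehouse-analytics", "warehouse", "us-east-1",
              {"classification": "internal", "owner": "analytics"}),
]

# Constructed: the register security maintains by hand.
REGISTER = {
    "bucket-customer-exports": {"classification": "pii", "owner": "data-eng"},
    "db-orders-prod": {"classification": "internal", "owner": "payments"},
    "db-legacy-crm": {"classification": "pii", "owner": "sales"},
}


def reconcile(discovered, register):
    """Return the four kinds of drift between reality and the register.

    undocumented:      exists in the cloud, absent from the register
    stale_entries:     in the register, no longer exists in the cloud
    reclassified:      classification tag differs from what was recorded
    unowned_sensitive: sensitive data with no accountable owner tag
    """
    seen = {s.store_id: s for s in discovered}
    report = {
        "undocumented": sorted(i for i in seen if i not in register),
        "stale_entries": sorted(i for i in register if i not in seen),
        "reclassified": [],
        "unowned_sensitive": [],
    }
    for store_id, store in sorted(seen.items()):
        actual = store.tags.get("classification")
        if store_id in register:
            recorded = register[store_id].get("classification")
            if recorded != actual:
                report["reclassified"].append((store_id, recorded, actual))
        if actual in SENSITIVE and not store.tags.get("owner"):
            report["unowned_sensitive"].append(store_id)
    return report


if __name__ == "__main__":
    for category, items in reconcile(DISCOVERED, REGISTER).items():
        print(f"{category}: {items}")
```

Run on a schedule, the interesting output is the diff, not the full list: each undocumented store is a candidate "credit card" onboarding to follow up on, each reclassification is a store whose controls were designed for a different sensitivity, and an ownerless sensitive store is the one most likely to be lost.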
3. Creating internal access boundaries
Innovative teams need access to data. Whether it is data scientists building new machine learning models, threat researchers investigating new trends, marketing or product management teams trying to understand customer behavior, or other stakeholders, innovating without data is like trying to bake without an oven. Managing access to data is critical to ensure it is not abused or lost, but stringent access control policies and boundaries around data usage create what are essentially data silos, once again restricting innovation.
Security teams should treat access policies as an opportunity to support collaborative innovation rather than obstruct it out of fear of losing control over data. If access management is not highly automated, self-service and able to adapt quickly as needs change, the only way to avoid holding up business processes is to grant access broadly, which puts the organization at risk.
4. Not storing enough data
Organizations that try to tightly control both access to and use of data are not only reluctant to grant access to existing data; they also block the storage of new data they deem "unnecessary" whenever it lacks what they consider proper justification. Again, such restrictive data security policies throw the baby out with the bath water.
Security teams should consider that new trends, best practices or ideas that could benefit the organization may be hiding in the very data they prohibit. If processes are in place to delete that data when required, the restriction is unnecessary. Organizations expect security teams to move away from the classic obstructionist IT security stance; the modern CISO partners with development teams to enable them, not discourage them.
5. Not using the right data storage technology
Each new data storage technology demands its own proficiencies. A sprawling stack of security solutions, accumulated to cover each of those technologies, can cause operational mayhem and make it hard to tell whether the data behind them is actually safe, which leads security teams to forgo new technologies and stick to what they know. This conservative approach again hinders innovation or, worse, pushes teams toward the wrong methodologies and processes.
As data storage technologies continue to evolve alongside business use cases, security teams must keep up with their spread within the company. Tools that reliably give insight into the organization's security posture are storage agnostic: they scale with the environment and provide assurance that controls meet policies and standards regardless of where the data sits.
6. Deleting data without reason
Removing data from cloud infrastructure as soon as possible has become common practice for security teams increasingly worried about losing track of, or control over, their data. This is another short-sighted approach to innovation: emerging technologies and methodologies may need exactly the data that was deleted, and without it the organization falls behind.
Without confidence in their ability to control existing data without removing it, including ensuring that it does not outlive its allowed retention period, security teams will continue to restrict progress. With the right tools, security teams gain insight into where data resides and how it is used, and can make informed decisions about its retention.
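What "informed decisions about retention" looks like in practice is a policy that is evaluated per store rather than a reflex to delete: data past its allowed retention period goes, data under legal hold stays, unused data within its period is referred to its owner, and unclassified data is never deleted on autopilot because nobody can say what it is. The script below is an added example of that evaluation, not code from the article or from Eureka Security. The policy table, the classification names and thresholds, the record fields and the sample inventory are all constructed here as assumptions so that it runs offline.

```python
"""Decide what to do with each data store under a retention policy, instead of
deleting whatever security has lost track of.

Added example, not code from the article or from Eureka Security. The policy
table and the inventory records are constructed inline; classification names,
thresholds and field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy. max_retention_days is a hard ceiling after which the data
# must go; idle_days is the point at which unused data goes to its owner for a
# decision rather than being silently removed. None means no limit.
POLICY = {
    "pii":      {"max_retention_days": 730,  "idle_days": 180},
    "internal": {"max_retention_days": 1825, "idle_days": 365},
    "public":   {"max_retention_days": None, "idle_days": None},
}


@dataclass(frozen=True)
class StoreRecord:
    store_id: str
    classification: Optional[str]   # None: never classified
    created: date
    last_accessed: date
    legal_hold: bool = False


def decide(rec: StoreRecord, today: date) -> str:
    """Return one of: hold, review, delete, retain."""
    if rec.legal_hold:
        return "hold"                      # never delete under a hold
    rule = POLICY.get(rec.classification)
    if rule is None:
        return "review"                    # unclassified: no basis for either choice
    age_days = (today - rec.created).days
    idle_days = (today - rec.last_accessed).days
    ceiling = rule["max_retention_days"]
    if ceiling is not None and age_days > ceiling:
        return "delete"                    # past the period the policy allows
    idle_limit = rule["idle_days"]
    if idle_limit is not None and idle_days > idle_limit:
        return "review"                    # unused, but still within retention
    return "retain"


def evaluate(records, today: date) -> dict:
    """Map every store id to its retention decision."""
    return {r.store_id: decide(r, today) for r in records}


# Constructed inventory, evaluated as of TODAY.
TODAY = date(2024, 6, 1)
RECORDS = [
    StoreRecord("bucket-customer-exports", "pii", date(2023, 1, 10), date(2024, 5, 20)),
    StoreRecord("db-orders-archive-2021", "pii", date(2021, 3, 1), date(2022, 1, 15)),
    StoreRecord("bucket-ml-scratch-0421", "pii", date(2023, 9, 1), date(2023, 10, 1)),
    StoreRecord("warehouse-analytics", "internal", date(2020, 1, 1), date(2024, 5, 30)),
    StoreRecord("bucket-litigation-2019", "pii", date(2019, 4, 2), date(2019, 6, 30),
                legal_hold=True),
    StoreRecord("bucket-unknown-dump", None, date(2024, 2, 14), date(2024, 2, 14)),
]

if __name__ == "__main__":
    for store_id, action in evaluate(RECORDS, TODAY).items():
        print(f"{action:7} {store_id}")
```

The ordering of the checks is the point: legal hold is tested before anything else, the hard ceiling is the only path to "delete", and idle data is a review item, so the only stores that disappear are the ones the policy says must, and the idle-but-useful scratch bucket survives until its owner says otherwise.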
Addressing these pitfalls means finding the right balance between unbridled innovation with no control or visibility and restriction for the sake of a feeling of control. The notion that security and innovation cannot coexist is outdated and harms both the organization's security posture and its future business potential. Security guardrails and policies for data access and usage are critical for basic hygiene, but unless they are complemented by a forward-looking approach to putting that data to use, your business will quickly become irrelevant.
Contributing author: Liat Hayun, CEO, Eureka Security