How To Avoid Data Breaches In The Cloud

DZone 's Guide to

How To Avoid Data Breaches In The Cloud

There were 3,800 cloud breeches this year alone. Will you be next?

· Cloud Zone ·
Free Resource

Image title

Keeping a weather eye on your cloud security.

The first half of 2019 saw an unprecedented 3,800 publicly reported data breaches, with a total of 4.1 billion records compromised. These are the kind of numbers that can give sleepless nights to anybody who may be affected by a data breach — a businessman, a CEO, a cloud service provider, governments, anybody.

Data Loss Prevention — Your Responsibility

In the wake of frightful data security breaches that have ravaged all kinds of organizations, it’s every business’ responsibility to understand and master the science of data loss prevention (DLP).

You may also enjoy:  What You Need to Know About Security in the Cloud

DLP is the sum total of anything you do to detect and prevent data breaches, unwanted deletion of data, and extraction of your data by unauthorized endpoints. A good DLP policy and solution is the way forward for every organization that deals with customer data and are subject to data protection regulations.

Because public and private clouds are now the "way of life" for modern businesses, you need to understand how to implement data loss prevention practices in the context of the cloud. Here’s the lowdown on it.

Encryption — For Data At Rest and In Transit

When you send data from a server to a client, you want it to go only to the client, and not in any other hands. Encryption ensures that even if someone is able to intercept data flowing across the cloud infrastructure, it’s in a form that makes it meaningless for the data thieves.

How to do that? The answer — encryption, in which a key is used to garble data in a way such that only someone with the key can then restructure the data and understand its true meaning. Strong encryption is critical for the security of any cloud-based service that sends or receives data.

While encryption of "at rest" data (that is the data stored on local discs or in physical storage) is common, you need to look for encryption of data "in transit." This is the state of the data when it’s being transferred over a network. TLS/SSL connections are a must to ensure encryption of in-flight data, along with IPsec VPN tunnels.

Monitor Network Activity Like A Hawk

Of course, this isn't a manual task. You need tools to enable advanced network monitoring.

Now here’s the catch. Most cloud service providers will tell you that they implement strong network monitoring processes on their side. While this is true, you need to ensure you remain in control.

For this, you need intruder detection tools, which can keep a strong watch on network activity across applications in your company’s cloud ecosystem. Your own network monitoring system will "learn" with time and be able to point out suspicious activity much better than that of the cloud service providers.

Beware of monitoring your network with blind spots. If your cloud ecosystem is too complex, you may not have access to all the cloud layers, which can create blind spots in your network. Potential security flaws and suspicious activities may go unreported and hence unresponded. This makes it necessary for you to use a reliable data loss prevention solution that can promise network monitoring without any blind spots.

The Power of API-based CASBs to Prevent Data Breach

Cloud access security brokers (CASBs) are the core of public cloud security for leading organizations. Think of CASBs as the enablers of state of the art public cloud security, with complete control in your hands.

CASBs help secure every aspect of data storage and processing in on-premise and public clouds. API CASBs can integrate with cloud service providers’ open APIs, which makes them a part of the public cloud instead of an add on.

Here’s a quick look at how they help you prevent data breaches in the cloud.

  • Implements standardized security measures across the entire spectrum of device types and source network
  • Machine learning helps strengthen policy enforcement with time, reducing false alerts all the while
  • Enabling detection and scrubbing of personal/sensitive information, implementing state of the art threat control
  • Monitoring of privileges account accesses and comparing the usage against baselines.
  • Scanning third party apps to ensure ransomware and malware are kept at bay

Microsegmentation — It’s More Than A Buzzword

As networking becomes more and more prevalent, microsegmentation’s potential as an enabler of data protection in the cloud continues to surge. Microsegmentation is an approach of networking wherein only a bare minimum necessary nodes of the network are brought in use for communications.

This approach obviously reduces the threat surface area for organizations using a lot of cloud solutions. With an SDN product, you can configure the network such that it’s scope is limited to authorized end users and devices. However, if network communication is unmonitored and open to all public cloud and on-premise nodes, the threat of data security breach heightens.

Another concept, related to micro-segmentation, is Just Enough Administration (JEA). In a world of hybrid infrastructures, organizations can ill-afford the convenience of allowing liberal access to data for end-users. Instead, you need to find ways to ensure that access privileges are restricted in terms of:

  • Those who need them
  • The timeframe for which they’re needed
  • The level of access (for example, view-only, or view and edit) necessary


The pursuit of absolute security in the cloud is a journey. The methods described in this guide are the core of your cloud data security. Use the right tools, right protocols, right methods, and right people to make sure your data remains secure in the cloud.

Further Reading

Preventing Data Breaches With App-Centric Security

Encryption, Part 1: Symmetric Encryption

cloud, cloud security, data breaches, data breech, microsegmentation

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}