Data Security for a Dynamic Cloud Environment - Beyond Basic Controls

Relying on encryption alone will not suffice. Data perimeters, confidential computing and similar controls will be major components of effective data security in a dynamic cloud environment.

In case this is your first Cloud Security Newsletter: you are in good company! You are reading this issue alongside your friends and colleagues from companies like Netflix, Citi, JP Morgan, LinkedIn, Reddit, GitHub, GitLab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc and more, who subscribe to this newsletter because, like you, they want to learn what's new in Cloud Security each week from their industry peers, as do the many others who listen to Cloud Security Podcast and AI CyberSecurity Podcast every week.


If you would prefer to read this in your email, you can subscribe to the newsletter here.


Cloud Security Topic of the Week

Data Security for a Dynamic Cloud Environment - Beyond Basic Controls

Welcome to this week's edition of the Cloud Security Newsletter!

This week, we're diving deep into data security in cloud environments. With AI being added to existing data projects, organizations increasingly handle sensitive data across multiple clouds and regions. A traditional control such as data encryption on its own is no longer sufficient for such distributed data. AWS in fact recently announced Resource Control Policies (RCPs), which provide a single point of control over external access to resources as part of a data perimeter.

In this week's issue, our featured experts from Cloud Security Podcast share their practical insights on implementing comprehensive data security while enabling business agility.

Featured Experts This Week

  • Prahathess Rengasamy (Block) - Cloud & Kubernetes Security Expert
  • John Burgess (Stripe) - Cloud Security Engineer
  • Tyler Warren (USAA) - Security Engineer
  • Steve Orrin (Intel) - Federal Chief Technology Officer


Definitions and Core Concepts

Data Security Components

Data Protection Triad:

  • Data at Rest: Information stored in databases, storage systems, or files
  • Data in Transit: Information moving between systems or over networks
  • Data in Use: Information being processed or accessed in memory

Data Perimeter Constructs

  • Data Perimeter: A logical data security boundary within a cloud environment (e.g. an AWS Organization) that manages the set of trust relationships between cloud resources and customer endpoints. John Burgess provides a clear definition: "The AWS data perimeter is that set of controls that lets you essentially control access through the boundary of your AWS organization. You're afraid of your principals being used to exfiltrate data. You want to make sure that they're only interacting with resources that you trust."
  • Zones of Trust: Areas within your organization where specific data security controls are applied. As Tyler Warren explains: "You probably might think about internal zones of trust. So production data versus non production data... There's PCI requirements. There's other regulatory requirements that can drive those discussions."
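As an added illustration (not from the episode or the newsletter), here is a Resource Control Policy of the kind the intro refers to, attached at the AWS Organization root. It denies access to the covered resources from any principal that is not part of the organization, while still allowing AWS service principals and anonymous-free paths to work. The organization ID `o-exampleorgid` is a placeholder, and the action list is limited to services that support RCPs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentities",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*",
        "sqs:*",
        "kms:*",
        "secretsmanager:*",
        "sts:AssumeRole",
        "sts:SetContext"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

RCPs contain only Deny statements and constrain only the services that support them, so they complement rather than replace SCPs and resource policies. If a trusted external account must keep access, list it under the same `StringNotEqualsIfExists` block with `aws:PrincipalAccount` instead of weakening the organization check.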

Data Security Controls

  • Ground Truth Dataset: Prahathess introduces this concept: "You work with them, you build this ground truth dataset and you have this ground truth dataset separately and you get an information about CSPM... you layer the foundational ground truth dataset that you created on to the entire data set."
  • Data Sovereignty: Ensuring that data never leaves a designated region. Steve Orrin illustrates this: "German citizen data has to stay in Germany. Australian citizen data has to stay in Australia. Those are requirements that don't really fit well with the whole global cloud idea."

Data Security Tooling

  • CSPM (Cloud Security Posture Management): Tools that help identify misconfigurations and security risks in cloud environments.
  • Confidential Computing: Steve Orrin explains this as: "A physical hardware security feature that will encrypt and control memory for an application while it's running the application... while your application is running, its memory is being encrypted by the CPU and access to the memory is being controlled and locked down by the CPU."

Data Access Patterns

  • Cross-Account Access: Data flows between different AWS accounts within or outside an organization.
  • Shared Services: Services that are shared across the entire organization.

Security Implementation Concepts

  • Progressive Rollout: Tyler Warren's approach: “Rolling out progressively throughout your environments... allowed bake in time, like anywhere from days to weeks."
  • Attestation: A process of verifying and proving that a system or environment meets specific security requirements; it is particularly common in public sector organizations. Steve Orrin explains: "When you put your VM into a confidential computing service container... the hardware will attest... will basically sign and measure that container and attest to you as the relying party."


Our Insights from These Practitioners

1. Data Security Requires Multiple Protection Layers

Steve Orrin outlines the three critical aspects of data security that organizations need to address: "If you look at data security, there's sort of what we call the three legs to that stool - there's data at rest, which is typically full disk encryption file encryption... there's data in transit, which is your TLS sessions... and data in use - how do I protect data while it's being transacted?"

Organizations should:

  • Implement encryption at rest for all storage services
  • Ensure secure transit channels between services
  • Consider “Confidential Computing” for data-in-use protection
  • Layer data security controls to protect data throughout its lifecycle

2. Data Access Patterns Should Drive Perimeter Design

John Burgess highlights the importance of understanding data access patterns: "Identifying those access patterns and what data is crossing those zones of trust within your environment... is probably the first step before you start crafting any automation or any policies. It's also the hardest step, given that there is essentially a lack of telemetry available out of the box to you."

Key Activities:

  • Map data flows between different trust zones across your entire cloud environment
  • Identify shared data layers and their individual access requirements
  • Document cross-account data access requirements to understand trusted data access patterns
  • Monitor and analyze data access patterns for changes to trust zones and their data flow access requirements

3. Implement Strong Controls for Shared Data Services

Prahathess shares insights about securing shared data layers: "You want to identify the crown jewel right away... Look at where they're spending the money. Obviously equal amount of money in every account. That'd be very weird. It's going to be like one or two accounts where they're spending like a million dollars or 100,000 dollars like on something. And that means that you can use that as a proxy metric to assign importance."

Implementation Strategies:

  • Identify and classify any shared data services across your cloud environments
  • Apply appropriate controls based on data sensitivity for environments with critical workloads
  • Use cost metrics as a proxy for data importance in a cloud environment
  • Define & Implement strict access controls for shared services

4. Consider Data Sovereignty in Multi-Cloud Environments

Steve Orrin emphasizes the importance of data sovereignty: "Data sovereignty is a key thing... German citizen data has to stay in Germany. Australian citizen data has to stay in Australia. Those are requirements that don't really fit well with the whole global cloud idea."

Key Considerations:

  • Implement geolocation-based controls using data perimeters, e.g. the AWS data perimeter
  • Use attestation mechanisms for data location verification
  • Consider confidential computing for cross-border scenarios
  • Document and enforce data residency requirements on resources, e.g. with AWS SCPs and RCPs
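As an added example (not taken from the newsletter or the episode), a Service Control Policy that enforces the residency requirement Steve Orrin describes by denying any request from organization principals that targets a region other than eu-central-1 (Frankfurt). The `NotAction` list exempts global services whose endpoints are not region-scoped; it is a starting list, not an exhaustive one, and should be extended for the global services your organization actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideGermany",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

An SCP only governs principals inside the organization, so it stops your own identities from creating or reading resources elsewhere; keeping external principals away from the data that lives in region is the job of resource-side controls such as the RCP pattern described earlier.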

5. Use Data Insights to Drive Better Security Controls

Prahathess emphasizes the importance of using data insights to implement effective controls: "The general is policy. And we were sending alerts about our policies to everyone. And for a good chunk of the teams, the alerts were meaningless because that was a standard operating procedure... As a central security team, not like an embedded one, you tend to miss out on that context."

Practical Implementation Steps:

  • Collect data from multiple sources (CSPM, cloud-native tools, asset inventory)
  • Build ground truth datasets per business unit
  • Normalize data to identify meaningful patterns
  • Use insights to create targeted security controls

6. Automate Data Security Controls

Tyler Warren emphasizes the importance of automation in scaling data security: "If your only way to scale as your security organization is to add headcount, I think you're setting yourself up for failure... The mantra is do more with less. And I think the only way to even make a dent is to use automation."

Automation Strategies:

  • Implement automated policy enforcement
  • Use Infrastructure as Code for security controls
  • Automate compliance checking and reporting
  • Build automated remediation workflows

This comprehensive overview should help you implement robust data security controls in your cloud environments. Next week, we'll explore another critical aspect of cloud security. Stay tuned!


Related Resources


Related Podcast Episodes

Building a Resilient Cloud Security Program after Merger and Acquisition
Building Data Perimeter in Cloud in 2024
Using Data Perimeters in AWS To Scale Guardrails


Confidential Computing in Azure Explained

We would love to hear from you for a feature or topic request, or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe, and welcome to the new members of this newsletter community.

Peace!

Shilpi Bhattacharjee


Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security Professional | Cybersecurity | Leveraging Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

2 weeks

Cloud Security Podcast great topics. A lot of great insights.

Malini Rao CISSP CCISO, GCIO, CISM, CCSK, AWS 2x, DPO

Cybersecurity& GRC Thought leader| AI Governance & Risk Advisor| Speaker | Mentor | Top Voice| Best Selling Author | Top 10 Global Women in Cybersecurity| Certified Board Member| Top Technology Leader | CISO 100 winner|

2 weeks

Great write-up; however, in tooling CASB & DLP are missing and should be added.

A word from this week's edition's sponsor - Varonis. Need secure data protection for your cloud environments? With Varonis cloud data security, you can defend your multi-cloud storage and critical SaaS apps from insider threats and cyberattacks. Our agentless, cloud-native DLP, powered by AI, automatically discovers and classifies sensitive data at rest, prevents exposure, monitors data activity, and stops data exfiltration. Sign up today for a free personalized demo and see how our all-in-one platform can protect your critical data and dramatically reduce the likelihood of a breach - https://www.varonis.com/products/cloud-dlp


If you prefer to receive this in your inbox - you can sign up here - https://www.cloudsecuritynewsletter.com/

