Cloud Transformation and Data Threats

In this clip from our recent webinar ‘Data Security and Data Protection in 2024’, Sam Malkin talks about the challenges of securing data across hybrid architectures and multi-cloud deployments, and the importance of maintaining data security and privacy by design amidst rapid cloud vendor evolution. Sam discusses how organisations can effectively ensure alignment with data protection policies and risk profiles through strategic visibility solutions and informed decision-making.

View the clip and transcript below or watch the full webinar.



I’m going to move on to cloud transformation and you’ll see some parallels with what we did in the cloud and what we’re faced with currently in terms of artificial intelligence.

We’ve been living with cloud computing for a couple of decades now, certainly most of my working life anyway.

And the question I’m no longer hearing or seeing people ask is not whether that’s IaaS, PaaS, SaaS, it’s how do I get the best out of all three platform types along with my on-premise systems?

Every organisation that I talk to has a cloud posture, whether that’s cloud first or cloud is preferable or whatever it is, everyone apart from a select minority has some element of cloud in their organisation.

And the reality is that these hybrid architectures, multi-cloud deployments, the mix of SaaS, PaaS, on-premise, data scattered across borders, different deployment types, that’s going to remain so for the foreseeable future.

And what our challenge is, is that we’re to, you know, secure the data across that mess.

There’s also an awful lot to get wrong when you move systems but also move data into the cloud.

You know, if you’re moving from something that you’ve understood and policed inside your network for years and years and years and are effectively putting that in the hands of Amazon or Microsoft or Salesforce or whoever that vendor is.

They’re gonna keep certain elements of it safe for you, but you’re still going to have to secure it and configure it in such a way that is secure by design and delivers privacy by design.

These IaaS vendors, they change and add new features and capabilities from one day to the next.

So a bit like our race to police our artificial intelligence use, we’re finding it quite difficult to continue to safeguard data in the cloud, particularly when there’s new areas that people, developers, application owners, are kind of seeking out shiny new toys with efficiencies that they’ve run and they’re putting data in them before we have the chance to evaluate them and understand the exposure and what that does for our risk profile.

It’s also really easy to get things wrong on new stuff. If you’re not yet familiar with the security mechanisms that a new cloud piece of technology might deliver, then you can very easily get it wrong.

I think the number of news stories that you might have seen around publicly accessible buckets or blobs or storage access like that is just numerous. But without knowing that those storage areas exist or what data is in those storage areas, then you don’t really know how much of an issue that might potentially be for you and your organisation.

So as I said, what’s happening now is that people are racing to adopt cloud technologies across the organisation and they’re not really asking or pausing to ask those data protection questions and how data protection should fit into that or might fit in that.

These people are not doing that on purpose. They’re just trying to get their day jobs done. They’re trying to adopt tools that are largely sanctioned.

But much like I said with artificial intelligence, they’re uploading data into areas that we’re not yet able to police.

And what I’m seeing is that we’re not performing due diligence around those platforms and asking the questions like, what might this mean if I enable this cloud workload, or how might this affect my data risk posture?

Does this have any ramifications for how I adhere to compliance or GDPR? Can I do a privacy impact assessment against it? How has this opened or expanded my risk profile or my data surface or actually my data attack surface?

And I think those are questions that probably would have been asked if the solution was still being delivered on premise, you know, and our hardware teams, our network teams, the people responsible for firewalls and stuff like that were involved on premise, then a lot of those questions would have been asked.

In order to get a handle on, you know, the cloud sprawl and how to kind of police it and the data inside it, we’re never going to prevent it, we’re never going to stop it, and there are a whole load of tools out there, you know, all of them beginning with C for cloud, a bunch of them up there on the screen in front of you.

But what you need to do is take what’s coming out of there and overlay that with something perhaps like a DSPM or something like that so that you can actually see what your cloud footprint looks like and rather than saying, no, you can’t use that thing, say, well, actually in the new Amazon contact lens or whatever, you know, we’ve got this data, is this fit for purpose? Can we allow them to use that?

Can we develop an interface using that technology and enable it to be done safely by comparing what is in your cloud topology with what your data footprint looks like and what you believe that it should look like rather than what it does look like.

–End of Transcript–