Securing data in a hybrid compute environment
- By George Kamis
- Jul 08, 2019
The growth in hybrid cloud compute models -- where some applications are kept on-premises and others in the cloud -- has increased concerns surrounding data protection. Data must now be protected whether it is stored and processed locally or in the cloud.
However, agencies using cloud providers for infrastructure as a service must remember that IaaS vendors are only responsible for the hosted environment. They’re primarily concerned with reinforcing their infrastructure and separation between tenants. They’re not necessarily monitoring the data clients store and process, nor how that data leaves the local environment.
Thus, despite how things have changed with the adoption of cloud computing, security should still start within the government agency. Rather than relying on cloud providers to keep information safe, agencies should proactively take measures to protect data while it leaves the workplace and moves into the hybrid cloud environment.
Here are two strategies that will help achieve this objective.
1. Gain visibility into in-flight data as it leaves the workplace. When a user signs onto a cloud-based application through a computer or mobile device, data passes between the cloud provider and the agency’s network. When data is in-flight to the provider, it can be easy to lose visibility into what the data is doing and who is using it. At this point, agencies have no control or visibility over the data, making the data itself -- and, by extension, the agency and its users -- highly vulnerable.
This problem can be addressed through inline proxy analysis. Proxy analysis gives IT teams visibility into everything that’s going on between the end-user who submits a request through the application and the programs running within the cloud service fulfilling the request. They can monitor the data transaction and even perform in-flight blocking in real time if necessary.
This is also an ideal option for today's mobile-enabled world. With a proxy approach, a user accesses an application on a device, logs in and gets authenticated. The request is redirected to a reverse proxy URL that monitors all communications between the user’s device and the cloud service, providing a clear and unfettered view of the transfer of data from the cloud provider to the user.
2. Control users’ access to data. Monitoring the data is only part of the security equation. The other factor is the people who are using the applications and accessing data.
Agencies sometimes have thousands of employees accessing different types of information. Some users have access to highly sensitive data, which places them at an elevated risk level. These high-risk individuals may be prime targets for hackers or could cause a serious insider threat through a simple mistake. Others have access to less-sensitive data. These low-risk employees don’t access data very often, and when they do, the information isn’t considered very sensitive. The medium-risk individuals fall somewhere in between. They have close proximity to some sensitive information but access that data infrequently.
When users request information from a cloud service, it’s important that IT teams know whether they're high-risk or low-risk employees so they can restrict access to different types of information. But how do IT teams know who’s at a higher risk level?
Risk levels can easily be determined through behavioral analysis. With this method, users are assigned a unique risk score based on their job function and a baseline analysis of their normal behavior patterns when they interact with agency data.
The higher the score, the bigger the risk. The score can change as employee responsibilities evolve.
Whenever a deviation from the established behavioral baseline is detected, the system sends an alert. Even a slight change in a user's behavior could indicate a potential breach, prompting tighter access control or revoked permissions.
The beauty of this approach is that it targets individuals, not the entire agency. Everyone can continue with their normal routines without being locked out of the applications and information needed to perform their jobs.
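The per-user risk scoring described above, as an added example (not from the article or any Forcepoint product): a static job-function weight is combined with a z-score of today's activity against each user's own learning-period baseline, and the result maps to an allow/alert/restrict decision. The user names, daily counts, weights and thresholds are constructed for illustration.

```python
"""Behavioral baseline risk scoring over constructed per-user access counts."""
from statistics import mean, pstdev

# Constructed learning period: sensitive records touched per day, one list per user.
BASELINE = {
    "analyst01": [40, 45, 38, 42, 44, 41, 39],  # routinely handles sensitive data
    "clerk07": [0, 1, 0, 0, 2, 0, 1],           # rarely touches sensitive data
}

# Constructed job-function weight: how sensitive is the data the role can reach.
JOB_RISK = {"analyst01": 3, "clerk07": 1}


def baseline_stats(history):
    """Mean and population stddev of a user's learning-period counts."""
    mu = mean(history)
    sigma = pstdev(history) or 1.0  # a perfectly flat history still needs a scale
    return mu, sigma


def deviation(history, today):
    """Z-score of today's count above the user's own mean (0.0 when at or below it)."""
    mu, sigma = baseline_stats(history)
    return max(0.0, (today - mu) / sigma)


def decide(user, today, alert_z=3.0, restrict_z=6.0):
    """Return (risk_score, action) for one user's activity today.

    The score grows with the job weight and with how unusual today's count is for
    this user, so the same absolute count can be routine for one role and an
    anomaly for another. Thresholds are constructed, not tuned values.
    """
    z = deviation(BASELINE[user], today)
    score = round(JOB_RISK[user] * (1.0 + z), 2)
    if z >= restrict_z:
        action = "restrict"   # tighten access / revoke permissions pending review
    elif z >= alert_z:
        action = "alert"      # notify the security team, keep access for now
    else:
        action = "allow"
    return score, action


if __name__ == "__main__":
    # Six sensitive records in a day: unremarkable for the analyst, an outlier for the clerk.
    for user in BASELINE:
        print(user, decide(user, 6))
```

Only the deviating user is affected; everyone whose activity matches their own baseline keeps working normally, which is the point the article makes about targeting individuals rather than the whole agency.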
Gain the knowledge for better control and security
If there’s one word that encapsulates the drive for better control and security in a world that has embraced the cloud, it’s “knowledge.” Agencies need better knowledge of what is happening with data as it passes between the cloud provider and users -- but they also need more knowledge about their users. How do they normally interact with data? What type of data do they have access to? What are they using the data for? Should they have access to the data that they are pulling down from the agency’s cloud providers?
Gaining a better understanding and increasing visibility into data and user behavior patterns will help answer these questions. Agencies will be able to create more effective, sound and targeted security policies while also getting control over their data, wherever it may be.
George Kamis is CTO for global governments and critical infrastructure at Forcepoint.