Deter Data Breach and Protect Application  

Day by day more & more applications along with data move to the cloud.  On the other side cloud data breach hitting the headlines every day, and a research report says that 98% of organizations experienced a cloud data breach in the last 18 months and 67% of organizations experienced 3 or more cloud data breaches in the last 18 months.

At the same time, attraction from Cloud companies continues in the form of scalability, availability, acceptability, portability, and cost benefits of moving applications to public cloud environments are huge and which is true from the expenditure point of view, companies are moving to the cloud anyway without giving ample time to evaluate their confidential data and the impact of losing the same.

This article helps how to get rid of this situation for the companies who wish to vacate their data centers soon and to move it cloud and changing their model from CAPEX to OPEX at the earliest.

Detect The Confidential Data:

Using an automatic data scanning system to classify our data in our cloud storage with the help of below table and tag it as PII, PCI, HIPAA, Confidential Restricted document data, Confidential Restricted code data etc., This would help us to remember where and which type of data is stored in which Cloud.

Azure	AWS	GCP	IBM
File	Standard	Standard	Smart
Blog	Intelligent-Tiering	Nearline	Standard
Queue	Standard-IA	Coldline	Cold
Table	One Zone-IA	Archive	Vault

This would create an opportunity to extend our Enterprise DLP classification policies to our Cloud storage environment as well. 

Access Control System:

Upon detecting our confidential data, discover the available ways of its accessibility such as public links, extravagant internal access, enablement of 3^rd party access for suppliers, vendors etc.,

Deploy an access control system with Fraud detection and UEBA functionality that will diagnose and block risky user and/or system/service account access behavior such as several unsuccessful login tries, access from unfamiliar locations, and abnormal transfers or encryption action. Along with it bring up a protection system that can automate removal of risky access permissions and block its corresponding accounts.

Work closely with our COI security team to put a highly efficient system in place which will endlessly monitor access permissions and UEBA associated with any application that contains confidential data.

Ensuring the Configuration Vulnerabilities:

Many companies are not paying attention to their cloud configurations as they feel that those activities are unwanted just to reduce some hours and its associated cost, but without giving sufficient time for evaluating the configurations may carry the risks of misconfiguration and vulnerabilities.

Using a protection platform will help display the vulnerabilities and misconfigurations associated with the workload processes confidential data. We should prioritize the security posture of these workloads over less connected workloads without confidential data.  This will be key when we find that we cannot fix every risky configuration or vulnerability that pops up.

Nonstop CSPM with runtime:

A scanning tool with runtime compliance will help us to keep our security posture in a strong robust position. It should be a powerful tool for prioritizing security initiatives. Plus, if we have a consistently up-to-date report, we’ll already have the report we need when the compliance reporting cycle comes around.

Numerous tools to consider protecting our cloud environment and our sensitive data.  A CNAPP does DLP and data classification capabilities if our goal is to protect our sensitive and confidential data.  If it can use the same DLP policies that we are using across our enterprise which is even better.

If there is any CNAPP that functions in runtime with automated alerts and network controls if we want to keep our applications running even if they come under attack.  Deploy an agentless CSPM & CWPP system that presents our misconfigurations, vulnerabilities, and compliance within the context of our running environment and the sensitive data it contains.

Visibility over Microservices:

Understand how your application’s microservices are connected to one another. Keep a constant eye out for unusual network activity as well as the high-risk east-west flow of personal data. If rogue workloads or APIs appear, find them, and isolate them. You want to know if PCI data is moving to an unauthorized API or third-party service, or if it is leaving your PCI zone. When a DDoS attack occurs, you want to be able to recognize it and take action to stop it.

To track and manage east-west network traffic within your cloud, have your DevOps team implement a service mesh such as Istio with your Kubernetes environment. Set up cloud protection that integrates with your service mesh so that it can both notify you of unsafe traffic and swiftly block or redirect it to microsegment your environment in the event of an attack.