For stronger public cloud data security, use defense in depth

The amount of cloud-resident data is increasing -- and so is the number of challenges to sufficiently secure it, especially within multi-cloud environments.

Public cloud use has been pervasive for years, and digital transformation initiatives and remote work have further accelerated the migration of data assets to cloud stores.

TechTarget's Enterprise Strategy Group April 2023 research "The Cloud Data Security Imperative" validated our conventional wisdom: More than a quarter of respondents (26%) currently store at least 40% of their corporate data in the public cloud -- and this will double over the next two years to 58% storing at least 40% of their data in the public cloud.

Using public cloud-resident data and public cloud services has become more critical to conducting business.

To gain business advantage, organizations are using new and powerful business analytics and machine learning capabilities to extract more value from their data. These capabilities are typically supported by data lakes, data warehouses and data lakehouses that aggregate data from a variety of sources. Because business data analytics provide the most utility when analyzing sensitive information, it's no surprise the vast majority (86%) of organizations reported that these stores house sensitive data.

Just as with analytics, the cloud provides the greatest value when using sensitive data. Thus the amount of cloud-resident data classified as sensitive is also growing. One in six (16%) organizations said more than 40% of their SaaS-resident data today is sensitive. This is expected to nearly triple to 45% of organizations in 24 months. Similar results were found for IaaS and PaaS data.

Public cloud security is not keeping pace with requirements

The use of disparate controls puts cloud-resident data at risk of compromise and loss, respondents agree. Thirty-three percent of respondents said they believe more than 30% of their organization's SaaS-resident sensitive data is insufficiently secured. The greater problem is that more than half (59%) said they believe more than 30% of their organization's sensitive data residing in IaaS and PaaS environments is insufficiently secured.

Multi-cloud strategies are now the norm; more than three-quarters of organizations store sensitive data in more than one IaaS or PaaS platform. With each platform having its own native policies and controls, ensuring complete security of all cloud-resident sensitive data is challenging.

Cloud data loss is a common occurrence

Organizations recognize that not all their cloud-resident sensitive data is properly secured, but knowing for sure where and when data loss has occurred is a more critical challenge. Within the last 12 months, 39% of respondents said they know they experienced data loss. More concerning is that 20% of respondents suspect they have lost data but do not definitively know.

In addition, these data-loss incidents -- known or suspected -- are not one-time occurrences. Eighty-four percent of respondents indicated they suffered multiple data-loss events in the past 12 months, with more than one-quarter (28%) reporting four or more data-loss events.

Data losses aren't limited to any one type of data store. IaaS and PaaS platforms support a plethora of block, file, object, data warehouse, data lake and database storage options. With an extensive attack surface, it's no surprise organizations lose data from the various storage options within IaaS and PaaS environments. Yet 42% of respondents indicated the most common data loss occurs in SaaS applications. These losses could be attributed to organizational confusion about the shared responsibility security model and how to best secure SaaS-resident sensitive data.

Securing public cloud data

Data loss frequency, combined with the multiple types of data stores where data loss can occur and the lack of confidence in figuring out that an actual loss occurred, implies organizations do not possess the tools and have not developed the expertise to comprehensively prevent all types of data loss.

The tools and expertise used to secure data on premises do not apply when securing SaaS-, IaaS- and PaaS-resident data. Cloud data security challenges become more complex as organizations deal with different threat models, dynamic attack surfaces, amorphous perimeters and disparate security tools from each cloud service provider.

Point tools, either cloud-native or third-party, can address specific causes of data loss. Relying on a few tools does not necessarily close all security gaps, however. Organizations should be wary of developing overconfidence in individual tools and must understand the capabilities and limitations of data security controls. Employing a defense-in-depth strategy using multiple tools and capabilities to maximize discovery, classification and security of all cloud-resident data helps in minimizing security gaps.

While implementing a defense-in-depth strategy, organizations must understand and account for the aspects of data security they must address as part of the shared responsibility model. This especially applies to SaaS environments, where organizations too often mistakenly assume that SaaS providers adequately secure data for all their customers.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
