In 2022, 81% of organizations reported experiencing a cloud-related security incident over the last 12 months, with almost half (45%) suffering at least four incidents.

Despite the security risks, organizations continue to deploy and invest in more cloud infrastructure because of the affordability and scalability it offers. As organizations move more data to the cloud, it’s essential they understand persistent cloud security challenges and how best to address them. 

Below we’ll cover what cloud data security is, why it’s important, and the most common challenges confronting organizations. Then we’ll look at best practices to help protect your organization from serious cloud security incidents.

What is cloud data security?

Cloud data security refers to the efforts made to protect an organization’s data in the cloud from loss, leakage, and/or misuse. 

This includes data at rest and in transit, as well as data that is managed internally by the organization and externally by a third party, like a cloud service provider.

A cloud data security strategy aims to:

• Secure data storage across networks, applications, and cloud environments
• Provide complete visibility into changes in the cloud environment
• Control access permissions to data for users, endpoint devices, and software
• Identify and mitigate the evolving risks of cloud deployments
• Define data security policies

How secure is your data in the cloud?

82% of breaches involved data stored in the cloud, according to IBM’s 2023 Cost of a Data Breach Report.

However, cloud storage is no more or less secure than a physical server or data center. It is just that this data must be protected against the unique risks and security threats in a cloud-native environment.

The issue is that many companies that are migrating sensitive or critical data to the cloud rely on their existing security strategy and traditional tools. To protect this data, companies must update their strategy to meet the security requirements of the cloud environment. 

Another issue is that organizations rely on the cloud provider to take care of all security functions. This is a mistake. Cloud data security is a shared responsibility between the cloud provider and customer.

In most shared responsibility models, the provider is responsible for the underlying hardware while the customer is responsible for the infrastructure and application layer. For example, if you are storing data in AWS Cloud, AWS is responsible for security of the infrastructure that runs all of the services in the AWS Cloud. The customer is responsible for the secure configurations of the cloud services in use as well as any customer data. 

However, this model depends on the cloud service provider. We advise asking your vendor for a Customer Responsibility Matrix (CRM), which documents which security controls and components your organization is responsible for and which the vendor is responsible for.

Why cloud data security is important

Companies are not only collecting more data than ever before — they’re also storing more of it in the cloud and often in multiple environments, including public, private, and hybrid clouds and SaaS applications.  

This presents challenges for protecting and securing their business, financial, and customer data. Challenges include:

• Locating their data 
• Having visibility into who is accessing their data, with what devices, and for what purpose 
• Knowing how cloud providers are storing and securing their data  
• Mitigating the risk of security breaches, data loss, and malware

Companies must also comply with data protection and privacy laws and regulations, like GDPR, CCPA, and HIPAA. Doing so can be difficult for companies that store data in multiple cloud environments because they must consistently implement security controls and document compliance across these environments.

Organizations that fail to address these challenges are more likely to experience security incidents, which can result in serious repercussions. An incident may result in fines for failed audits and compliance violations, reputational damage, a loss of business due to system downtime, and more.

Take Capital One’s 2019 data breach that affected over 100 million people, for example. Due to numerous weaknesses in its management of the cloud environment, among other reasons, Capital One was fined $80 million by the Office of the Comptroller of the Currency.

A robust cloud data security strategy can help address all these challenges and avoid cloud security incidents, including data breaches, leaks, compliance violations, and failed audits.

Cloud data security challenges

More than half (51%) of security decision makers surveyed by Venafi said security risks are higher in the cloud than on-premises, citing several issues that contribute to those risks.

So while cloud computing offers a wide range of benefits — cost-effectiveness, backup and recovery of data, and scalability — you must overcome the challenges of securing data in cloud computing to reap those benefits.

Let’s take a closer look at these challenges below.

Cloud misconfigurations

Cloud misconfigurations are the primary risk for organizations storing data in the cloud. Attackers can use automation to detect misconfigurations they can exploit in order to gain access to your cloud environment.

In a survey by Fugue, 92% of IT professionals said they were worried that their organization was vulnerable to a major data breach related to cloud misconfiguration. That same survey revealed that 36% of organizations surveyed were experiencing 100 or more cloud misconfigurations per day. 

Causes of cloud misconfigurations include:

• lack of awareness of cloud security and policies
• lack of adequate controls and oversight
• too many cloud APIs and interfaces to adequately govern
• negligent insider behavior
• increase in processing errors

Runtime security

In the study by Venafi, the majority of respondents (34%) reported that security incidents during runtime were the most common cloud-related security incidents they experienced.

These incidents are caused by attacks commonly launched through zero-day vulnerabilities, poor system configuration, and known vulnerabilities at runtime.

Organizations are particularly vulnerable to these attacks because the DevOps team, which is often already undermanned and overworked, has to balance remediating a vulnerability or misconfiguration with meeting the needs of the software delivery lifecycle. That means that DevOps teams often don’t know about the vulnerability or misconfiguration, or know about it and don’t have time to fix it before containers or workloads have been deployed.

Unauthorized access

In the study by Venafi, 33% of respondents said the most common cloud-related security incidents they experienced were caused by unauthorized data access. This underscores the importance — and challenge — of access control in the cloud.

Using a multi-cloud or hybrid architecture means your data is scattered across multiple environments with varying levels of visibility and access control. This makes it even more challenging to know if the right users have the right access to the right data.

Organizations will have to use a variety of authentication methods to control access to information stored on the cloud, including passwords, PINs, and multi-factor authentication as well as systems that can restrict access by IP address, browser, device, geo-location, specified time periods, or other factors.

Major vulnerabilities that have not been remediated

24% of respondents in the study by Venafi said the most common cloud-related security incidents they experienced were caused by major vulnerabilities that had not been remediated.

As organizations move data into the cloud, they are challenged with extending the scope of their vulnerability management program to include multi-cloud and hybrid environments so they can identify, analyze, and manage vulnerabilities within them.

Data leaks and losses

Cloud data leaks were among the most common cloud security incidents in the past year, with 26% of organizations experiencing a data leak, according to Snyk’s 2022 State of Cloud Security Report.

Data leaks and losses could be caused by a range of factors, including:

• viruses or malware
• software corruption
• human error
• hackers or insiders that purposely delete or leak information

Lack of visibility into user activity

To keep data secure in the cloud, you need visibility into which applications are being accessed, by whom, and what they’re doing inside those applications. This becomes more difficult when applications are housed on third-party infrastructure. 

A lack of visibility into user activity in the cloud can hinder an organization’s risk management and its ability to respond to incidents. This is why logging and monitoring of your system and its users is critical.

Data security policy violations

Violations of data security policies can compromise the security of data stored in the cloud and lead to incidents like data breaches. These violations can occur due to human error or malicious intent.

For example, an employee might mistakenly move or modify data in the cloud environment. As a result, other employees may not be able to find that data or it could get into the wrong hands. This is just one example of how human error can lead to data loss. 

In Snyk’s 2022 State of Cloud Security Report, 28% of survey respondents cited a lack of awareness of cloud security policies as an underlying cause of cloud security failures, making it the top-cited cause.

Unsecured APIs

Cloud providers make APIs available to engineers so they can build and configure their cloud environments. This collection of APIs makes up the cloud control plane. If improperly secured, these APIs can increase the cloud attack surface and make you more vulnerable to data breaches. 

Benefits of cloud data security

Organizations that are able to overcome these challenges and implement a robust cloud data security strategy are poised to reap major benefits, including:

• Greater visibility over your data: Strong cloud data security measures enable you to have and maintain greater visibility over your data. You should know what assets you have, where they live, who is able to access them, and how they are being used. This visibility should make it easier and faster for you to perform tasks like implementing a disaster recovery plan.
• Enhanced security of user workstations: A common cyberattack method is to target specific users on a network via email and websites and gain unauthorized access to the network through their compromised workstations. In a cloud environment though, user workstations do not have direct access to the corporate network. So even if a workstation is compromised, the attacker cannot can access to the network. This is an inherent security advantage of a cloud environment.
• Reduced operational costs: Implementing a cloud data security strategy that leverages a third-party provider’s capabilities can lead to lower operational costs. Cloud platforms like AWS, Azure, and Google Cloud offer built-in protection and encryption by default, have 24x7 security teams and a full security operations center to continuously monitor their infrastructure, meet rigorous compliance requirements, and deploy a range of advanced security tools, including identity and access controls, continuous monitoring, threat detection, network and application protection, multiple encryption layers, automated incident response and recovery, and more. Building and monitoring a secure-by-design infrastructure, having a 24x7 security team and operations center, and deploying these security tools on your own would likely be more resource-intensive and costly.
• Cloud compliance: Having a robust cloud data security strategy in place can help you know where data is stored, who can access it, how it’s processed, and how it’s protected. This can help your organization consistently implement security controls and document compliance across these cloud environments and meet strict regulatory and data privacy requirements.

Cloud data security best practices

Wondering how you can improve your cloud security? We offer seven best practices below. 

1. Understand your cloud environment

Your ability to secure data in cloud environments hinges on your understanding of those environments. You must be able to answer the following questions:

• Is your cloud environment public, private, or hybrid?
• How is your infrastructure built and how does traffic flow through it? 
• What data do you have in the cloud and where is it located?
• Which data is exposed, how is it exposed, and what are the potential risks?     
• Which applications are being accessed and by whom?
• How are applications accessed? Do you have identification and authentication controls implemented?
• How are people using data in those applications?
• Which data do you need to protect and at what level?

2. Comply with regulations and guidelines

Meeting industry and government regulations across your entire cloud infrastructure is a challenge. But having the proper security policies and standards in place will not only help you achieve compliance across cloud environments — it will also help keep your data safe. 

The first step in achieving cloud compliance is identifying which regulations and industry standards apply to your organization. 

Common cloud security frameworks include:

• ISO 27001
• SOC 2®
• HIPAA
• PCI DSS
• FedRAMP
• Cloud Controls Matrix

3. Take a policy-as-code approach

Security policies that exist solely in PDF documents are less effective than policy that exists in code. This approach to policy management, known as policy-as-code (PaC), used code-based automation instead of manual processes to create, update, and share policies.

With PaC, tools and applications can automatically validate code and configurations so policies are implemented and enforced consistently across the organization. It can also be used to check other code and environments in the cloud for unwanted conditions that could result in an exploitation or compliance violation. 

4. Encrypt sensitive data

Cloud encryption is the process of converting plain text into cipher text using mathematical algorithms to make the data unreadable to unauthorized users. Only users with the correct encryption keys will be able to convert the cipher text back into plain text. Users who are granted the decryption keys must have their identity established and verified through some form of multi-factor authentication.

This is a simple but effective method for protecting sensitive data in the cloud, even in the case of a data breach. It also protects data in transit, ie. data moving to and from cloud-based applications.

5. Create identity and access management policies 

Identity and access management (IAM) policies are critical to a cloud data security strategy. IAM policies can be applied to users and groups to authorize what they can access or to cloud resources to authorize what can be done with them. Together, these policies verify that only the right people with the right privileges are accessing data stored in the cloud and using it in the right way. 

6. Educate employees

Organizations that store data in the cloud must provide employee training that covers the fundamentals of cybersecurity and their data security policies. Awareness of security best practices and policies, like using multi-factor authentication, can help create a secure cloud environment. 

This training should also cover shadow IT, the use of information technology systems, devices, software, applications, and services without explicit IT department approval. While shadow IT can seem harmless — like sending work documents to a personal email to work from home — it can lead to lost data, an increased attack surface, and non-compliance. 

Organizations should consider offering basic training to all employees, and high-level training for more advanced users and administrators who are directly involved in the implementation or management of the organization’s cloud infrastructure. 

7. Monitor and log user activity

Setting up a monitoring and logging system in your cloud infrastructure can help your security team identify how people are accessing and using data in the cloud environment. This can help identify and alert you to any employees who are violating data security policies by uploading sensitive data to public clouds or using non-approved services and applications, for example.

It can also make remediation easier. If a hacker gains access to the cloud environment and makes any changes to its settings or data, you can see exactly what changes have been made and revert them. 

How Secureframe can help you improve your cloud security

You don’t have to tackle the challenge of securing data in the cloud alone. 

Secureframe can help by connecting with your cloud infrastructure and business apps, including AWS, Azure, and Google Cloud. We scan your cloud providers and deliver risk reports along with tailored step-by-step remediation workflows. 

Schedule a demo today to discover how Secureframe can help you optimize your cloud security posture.