Protecting data stored in the cloud from unauthorized access is a headache for most businesses. Although some businesses have developed cloud data access governance policies to control who or what can access data stored in the cloud, enforcing compliance with these policies can be complicated and time-consuming.
Various solutions exist to protect data stored in the cloud (e.g. IAM best practices, encryption, continuous verification), and the majority of businesses use some or all of them to enhance data security. While many businesses establish cloud data access governance policies to formalize the use of these data protection solutions, the decentralized nature of the cloud often makes it difficult to ensure their teams adhere to these policies.
Enforcing cloud data access governance policies is further complicated by a lack of visibility in the cloud. Because cloud service providers must preserve privacy and security in shared-tenancy environments, it is not easy to control what goes on beneath the level of abstraction. While cloud service providers offer agent-based monitoring solutions, these are most often reactive rather than proactive.
The difference between reactive and proactive monitoring solutions
Depending on how they are configured, reactive monitoring solutions notify you when an event has occurred and/or when an issue has been identified that may cause an event to occur. For example, a reactive monitoring solution might notify you when an IAM user is not assigned to a group or when multi-factor authentication has been disabled on a root account. In many cases, reactive monitoring solutions can be useful. However, the volume of notifications can overwhelm IT security teams.
To reduce the volume of notifications, proactive monitoring solutions can be configured to initiate a function when an event occurs, or to prevent an event from occurring. Examples of proactive monitoring include revoking IAM user access until the user is assigned to a group, or enabling multi-factor authentication for a root account. In this respect, proactive monitoring helps businesses evolve from responding after an event has occurred to identifying and remediating the root causes of cloud data access risks before an event occurs.
Using automation to proactively simplify cloud data access governance
Proactive monitoring relies on policy-driven automation, through which an organization can configure customized rules for its environment that initiate specific functions when specific policies are violated. Examples include:
- If any object storage volume with the tag “Function:PII” is unencrypted, encrypt the volume.
- If an audit logging service (for example, CloudTrail) is not enabled for any resource, enable the service.
- If an account receives a sign-in attempt from an unrecognized IP address, revoke user access.
- If a virtual machine has unauthorized open ports, terminate the virtual machine.
Policies can be applied universally, or by business unit, project, team, or individual depending on the business’s requirements. It is also possible to set up automatic notifications to alert IT security teams when a potentially serious policy violation occurs so the team can identify its cause. In this case, it’s important to use policy-driven automation capabilities to enforce a global tagging policy, which will make it easier for IT security teams to prioritize notifications.
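The rule evaluation described above, as an added illustration that is not part of the original post and not the code of any product: a small policy engine that checks a constructed resource inventory against the four example rules, returns the remediation actions (rather than executing them, so the run is auditable) and raises notifications for serious violations, using an assumed "Owner" tag to show how a tagging policy helps prioritize them. Resource kinds, attribute names and action labels are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    rid: str
    kind: str                       # "bucket", "account", "login_event" or "vm" (assumed kinds)
    tags: dict = field(default_factory=dict)
    attrs: dict = field(default_factory=dict)

# (rule name, severity, condition, remediation action) for the four policies in the text.
# Conditions return truthy when the policy is VIOLATED.
RULES = [
    ("pii-storage-unencrypted", "high",
     lambda r: r.kind == "bucket" and r.tags.get("Function") == "PII" and not r.attrs.get("encrypted"),
     "encrypt_volume"),
    ("audit-trail-disabled", "medium",
     lambda r: r.kind == "account" and not r.attrs.get("cloudtrail_enabled"),
     "enable_cloudtrail"),
    ("signin-unrecognized-ip", "high",
     lambda r: r.kind == "login_event" and r.attrs.get("src_ip") not in r.attrs.get("known_ips", set()),
     "revoke_user_access"),
    ("vm-unauthorized-ports", "high",
     lambda r: r.kind == "vm" and set(r.attrs.get("open_ports", [])) - set(r.attrs.get("allowed_ports", [])),
     "terminate_vm"),
]

def evaluate(inventory, owner_tag="Owner"):
    """Return (actions, notifications). High-severity violations notify the resource
    owner from the tag; a resource lacking the tag is flagged as a tagging-policy violation."""
    actions, notifications = [], []
    for r in inventory:
        for name, severity, violated, action in RULES:
            if violated(r):
                actions.append((r.rid, action))
                if severity == "high":
                    notifications.append((name, r.rid, r.tags.get(owner_tag, "UNTAGGED")))
        if owner_tag not in r.tags:
            actions.append((r.rid, "flag_missing_owner_tag"))
    return actions, notifications

# Constructed sample inventory; IPs are documentation ranges, not real hosts.
SAMPLE_INVENTORY = [
    Resource("bucket-1", "bucket", {"Function": "PII", "Owner": "payments"}, {"encrypted": False}),
    Resource("bucket-2", "bucket", {"Function": "PII", "Owner": "hr"}, {"encrypted": True}),
    Resource("acct-1", "account", {"Owner": "platform"}, {"cloudtrail_enabled": False}),
    Resource("login-1", "login_event", {}, {"src_ip": "203.0.113.7", "known_ips": {"198.51.100.2"}}),
    Resource("vm-1", "vm", {"Owner": "web"}, {"open_ports": [22, 443, 3389], "allowed_ports": [443]}),
]

if __name__ == "__main__":
    acts, notes = evaluate(SAMPLE_INVENTORY)
    print(acts, notes, sep="\n")
```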
Like several cloud-native monitoring solutions, VMware Secure State (CloudHealth) supports agents, so the platform can enforce cloud data access governance policies beneath the level of abstraction. For example, if a misconfiguration is identified in an application that could result in unauthorized access to data, VMware Secure State can remediate it automatically. You can learn more about how this process works in our article “Remediate Misconfigurations at Scale with VMware Secure State”.
See proactive automation and remediation in action
If you have concerns about enforcing cloud data access governance policies for your environment, schedule a demo to see the VMware Secure State platform in action.