Data Security On Cloud

Cloud data lakes are growing in popularity as companies move to the cloud for analytics and AI/ML. A cloud data lake combines several components in a unified analytics environment: cloud object storage, multiple data processing engines (SQL, Spark, etc.), and modern analytics tools (ML, data engineering, and BI). They let a variety of business users ingest data rapidly and analyze it in a self-service fashion. While cloud data lakes offer significant scale, agility, and cost advantages over on-premises data lakes, they also present their own security challenges, so cloud data lake security is critical.

A data lake architecture integrates a complex ecosystem of components involved in ingesting, storing, and analyzing data, each of which is a potential path through which data can be exposed. Moving this ecosystem to the cloud can look like a lot of new risk to manage, but cloud data lake security has matured to the point where, done correctly, a cloud data lake can be as safe as or safer than a conventional on-premises data lake, while offering significant advantages over it.

Here are 10 cloud data lake security practices that are essential for securing any deployment, mitigating risk, and maintaining continuous visibility. Where possible, we use AWS as the concrete example of a cloud infrastructure and data lake stack, although these practices apply equally to other cloud service providers and data lake stacks.

Security Function Isolation and Least Privilege – Consider this practice the most important feature and foundation of your cloud security framework. The control, described in NIST Special Publication 800-53 as security function isolation (SC-3), separates security functions from non-security functions and is implemented together with least privilege. Applied to the cloud, the goal is to limit the capabilities granted on the cloud platform to the intended functionality: data lake roles should be able to operate the data lake platform and nothing else, and cloud security functions such as identity, logging, and key management should be delegated to experienced security administrators. Users of the data lake should not be in a position to expose the environment to significant risk. A study by DivvyCloud found that one of the top cloud deployment risks leading to breaches is simply misconfiguration by inexperienced users. By implementing security function isolation and least privilege in your cloud security program, you reduce the risk of external data exposure and breaches.

Isolating and hardening your cloud data lake platform starts with a dedicated cloud account. Scope the permissions in that account so that administrators can manage the data lake platform and nothing else. The most effective model for logical separation on cloud platforms is a dedicated account per deployment. If you use AWS Organizations, you can easily add new accounts to your organization. There is no additional cost to create an account; the only additional cost is the AWS networking service you use to connect the environment to your business network.

Once you have a dedicated cloud account to run the data lake services, apply the hardening recommended by the Center for Internet Security (CIS). For example, the CIS Benchmark for AWS describes detailed configuration settings for securing AWS accounts. A dedicated-account strategy combined with CIS hardening keeps your data lake functionality separate from, and secured independently of, your other cloud services.
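As an added example for the two practices above (this is not code from the original post or from AWS), the following Python linter applies the least-privilege and security-function-isolation checks to IAM-style policy documents: wildcard actions, wildcard resources without a condition, `NotAction` grants, and any action that configures a security function rather than operating the data lake. The two policies are constructed for this example, an over-broad "data lake admin" policy and a scoped version of the same operator role; the bucket name, account ID and key ID are hypothetical.

```python
"""Least-privilege linter for AWS IAM / SCP policy documents.

Added example for this article, not code from the original post or from AWS.
The policy documents below are constructed for illustration; the bucket,
account ID and KMS key ID are hypothetical.
"""
import json

# Constructed: the kind of "data lake admin" policy that grants far more than
# operating the data lake platform.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NotActionTrap", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})

# Constructed: the same operator, scoped to the lake bucket and its KMS key, with
# security functions (IAM, CloudTrail, Config, KMS lifecycle) left to the security team.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LakeBucketAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-datalake-raw",
                      "arn:aws:s3:::example-datalake-raw/*"]},
        {"Sid": "UseLakeKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"},
        {"Sid": "ListBucketsForConsole", "Effect": "Allow",
         "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
})

# Action prefixes that configure security functions; a data lake operator should not
# hold them (NIST SP 800-53 SC-3 security function isolation applied to the platform).
SECURITY_FUNCTION_PREFIXES = ("iam:", "cloudtrail:", "config:", "organizations:",
                              "guardduty:", "securityhub:", "kms:Schedule", "kms:Disable")
# Read-only list calls that legitimately need Resource "*".
LIST_ACTIONS_OK_ON_STAR = {"s3:ListAllMyBuckets", "kms:ListKeys", "kms:ListAliases"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list:
    """Return (sid, code, detail) findings for every Allow statement that is not least privilege."""
    findings = []
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        if "NotAction" in stmt:
            # Allow + NotAction grants every API except the listed ones.
            findings.append((sid, "NOT_ACTION", "NotAction grants every action except those listed"))
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        if "*" in actions:
            findings.append((sid, "WILDCARD_ACTION", "Action '*' grants every API"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((sid, "SERVICE_WILDCARD", "service-wide wildcard action"))
        if "*" in resources and not has_condition and not set(actions) <= LIST_ACTIONS_OK_ON_STAR:
            findings.append((sid, "WILDCARD_RESOURCE", "Resource '*' without a Condition"))
        for a in actions:
            if a == "*" or a.startswith(SECURITY_FUNCTION_PREFIXES):
                findings.append((sid, "SECURITY_FUNCTION", f"{a} configures a security function"))
                break
    return findings


if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name)
        for finding in lint_policy(policy):
            print("  ", finding)
```

Run it against the JSON of your own roles (or an SCP attached to the data lake account) before they are deployed; a clean run on the scoped policy and four findings on the over-broad one is the expected result here.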

Network Security – Once the cloud account is in place, plan the network path into the environment; this is a critical part of your first line of defense. There are many ways to secure the edge of a cloud deployment network. Part of the choice will be driven by bandwidth and/or compliance requirements that dictate a private connection, or the use of a cloud-based VPN (Virtual Private Network) service with traffic backhauled through the tunnel to the business network.

If you plan to store any type of sensitive data in a cloud account without a private connection, traffic control and visibility are critical. Use one of the many enterprise firewalls offered in the cloud platform marketplace; they provide advanced features that complement native cloud security tools and are reasonably priced. Deploy the virtual firewall in a hub-and-spoke design, using a single firewall or a highly available pair to protect the entire cloud network. The firewall should be the only component in your cloud infrastructure with a public IP address. Create explicit ingress and egress policies, along with intrusion prevention profiles, to limit the risk of unauthorized access and data leakage.
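The rule that only the firewall may be internet-facing is easy to state and easy to break by a single Elastic IP or security group rule. As an added example (not code from the original post), here is a Python check over a network-interface inventory that flags any non-firewall interface with a public IP, any ingress rule open to the internet, and any unrestricted egress. The inventory is constructed to resemble the fields of EC2 DescribeNetworkInterfaces and DescribeSecurityGroups but is not a live API call; the interface IDs, addresses and roles are hypothetical.

```python
"""Hub-and-spoke edge check: only the firewall may be internet-facing.

Added example for this article, not code from the original post. INVENTORY is
constructed (no AWS calls); IDs, addresses and the "role" tag are hypothetical.
"""
import ipaddress

INTERNET = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

# Constructed inventory: a firewall pair in the hub VPC and two spoke hosts.
# Rules are (protocol, port, cidr); protocol "-1" means all traffic.
INVENTORY = [
    {"id": "eni-fw-a", "role": "firewall", "public_ip": "203.0.113.10",
     "ingress": [("tcp", 443, "0.0.0.0/0")], "egress": [("-1", None, "0.0.0.0/0")]},
    {"id": "eni-fw-b", "role": "firewall", "public_ip": "203.0.113.11",
     "ingress": [("tcp", 443, "0.0.0.0/0")], "egress": [("-1", None, "0.0.0.0/0")]},
    {"id": "eni-spark-master", "role": "datalake", "public_ip": None,
     "ingress": [("tcp", 8080, "10.20.0.0/16")], "egress": [("tcp", 443, "10.20.0.5/32")]},
    # Misconfigured spoke: an Elastic IP was attached and SSH opened to the world.
    {"id": "eni-jupyter", "role": "datalake", "public_ip": "198.51.100.7",
     "ingress": [("tcp", 22, "0.0.0.0/0")], "egress": [("-1", None, "0.0.0.0/0")]},
]


def _is_internet(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that faces the whole internet."""
    return ipaddress.ip_network(cidr, strict=False) in INTERNET


def audit_edge(inventory) -> list:
    """Return (interface id, finding) pairs for anything that widens the edge beyond the firewall."""
    findings = []
    for eni in inventory:
        if eni["role"] == "firewall":
            continue  # the firewall is the intended internet-facing component
        if eni["public_ip"]:
            findings.append((eni["id"], "PUBLIC_IP_ON_NON_FIREWALL"))
        for proto, port, cidr in eni["ingress"]:
            if _is_internet(cidr):
                findings.append((eni["id"], f"INTERNET_INGRESS:{proto}/{port}"))
        for _proto, _port, cidr in eni["egress"]:
            if _is_internet(cidr):
                # Spoke hosts should egress only via the firewall, never straight out.
                findings.append((eni["id"], "UNRESTRICTED_EGRESS"))
                break
    return findings


def edge_interfaces(inventory) -> list:
    """The interfaces that actually hold public IPs; should equal the firewall set."""
    return sorted(eni["id"] for eni in inventory if eni["public_ip"])


if __name__ == "__main__":
    print("internet-facing:", edge_interfaces(INVENTORY))
    for finding in audit_edge(INVENTORY):
        print("FINDING", finding)
```

Feed it the real interface and security group data from the data lake account on a schedule; anything it reports is either a firewall that is missing its role tag or a host that has become a second, unmonitored entry point.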

Host Security – Just as the firewall protects the network, host security protects individual hosts from attack and is in many cases the last line of defense. The scope of host security is broad and varies by service and feature.

Log Management – The most common way to implement a log management policy is to copy logs in near real time to a centralized repository where they can be retained and analyzed. There is a wide choice of commercial and open source log management tools, most of which integrate with cloud-native services such as AWS CloudWatch. CloudWatch acts as a log collector and includes dashboards for visualizing the data; you can also define metrics and alarms that fire when system resources cross a threshold.

Identity – Identity is the foundation for auditing and for strong access control in a cloud data lake. When using cloud services, the first step is to integrate your identity provider (for example, Active Directory) with the cloud provider; AWS provides clear instructions on how to do this with SAML 2.0. For some infrastructure services this is sufficient for authentication. If you start building your own application tier, or deploy a data lake composed of multiple services, you may need to integrate a mix of authentication services such as SAML clients and providers like Auth0, OpenLDAP, and possibly Kerberos and Apache Knox. For example, AWS provides guidance on SSO integration for federated EMR notebook access. If you want to extend services such as Hue, Presto, or Jupyter, consult the third-party documentation on Knox and Auth0 integration.

Authorization – Authorization provides access control over data and resources, including column-level filtering to protect sensitive data. Cloud providers build robust access control into their PaaS offerings through resource-based IAM and RBAC policies that can be configured according to the principle of least privilege. Ultimately, the goal is to define access control centrally at the row and column level. Cloud providers such as AWS have begun to extend IAM with services such as Lake Formation, which provide access control over data and workloads and make it easier to share data across services and accounts. Depending on the number of services running in your cloud data lake, you may need to extend this approach with an additional open source or 3

Encryption – Encryption is the foundation of cluster and data security. Guidance on implementing encryption best practices is generally available from the cloud provider. It is important to get the details right, which requires a thorough understanding of IAM, key rotation policies, and the configuration of each application. For buckets, logs, secrets, volumes, and every other data store in AWS, you need to understand the best practices for AWS KMS customer managed keys (CMKs). Make sure your data is encrypted both in transit and at rest. If you integrate a service that is not provided by your cloud provider, you may need to supply your own TLS certificates; in that case you also need a way to rotate them, for example every 90 days.
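As an added example for the encryption points above (not the original post's code), here is an S3 bucket policy that enforces TLS in transit and SSE-KMS with the lake's own customer managed key at rest, together with a small evaluator written for this example that shows which PutObject requests each Deny statement blocks. The condition keys (`aws:SecureTransport`, `s3:x-amz-server-side-encryption`, `s3:x-amz-server-side-encryption-aws-kms-key-id`) are real S3/IAM keys; the bucket name, account ID and key ARN are hypothetical, and the evaluator is not the IAM policy engine: it treats a missing encryption header as a mismatch, which is the conservative reading.

```python
"""Enforce encryption in transit and at rest on a data lake bucket.

Added example for this article, not the original post's code. BUCKET_POLICY uses
real S3/IAM condition keys; the bucket name, account ID and key ARN are
hypothetical. is_put_allowed() is a deliberately small evaluator written here to
show what each Deny statement blocks; it is not the IAM policy engine.
"""
import json

LAKE_BUCKET = "example-datalake-curated"
LAKE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Encryption in transit: refuse any request that did not arrive over TLS.
            "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{LAKE_BUCKET}", f"arn:aws:s3:::{LAKE_BUCKET}/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # Encryption at rest: writes must request SSE-KMS, not SSE-S3 (AES256) or nothing.
            "Sid": "DenyNonKmsPut", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{LAKE_BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # ...and with the lake's own customer managed key, not an arbitrary one.
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{LAKE_BUCKET}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": LAKE_KEY_ARN}},
        },
    ],
}


def policy_json() -> str:
    """The document as you would pass it to s3:PutBucketPolicy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def is_put_allowed(request: dict) -> bool:
    """Toy evaluation of the three Deny statements for one PutObject request.

    request keys: secure_transport (bool), sse (the x-amz-server-side-encryption
    header value or None), kms_key_id (the KMS key header value or None).
    A missing header is treated as a mismatch, the conservative assumption.
    """
    if not request.get("secure_transport", False):
        return False  # DenyInsecureTransport
    if request.get("sse") != "aws:kms":
        return False  # DenyNonKmsPut
    if request.get("kms_key_id") != LAKE_KEY_ARN:
        return False  # DenyWrongKmsKey
    return True


if __name__ == "__main__":
    print(policy_json())
    sample = {"secure_transport": True, "sse": "aws:kms", "kms_key_id": LAKE_KEY_ARN}
    print("compliant put allowed:", is_put_allowed(sample))
```

Apply the document to the bucket and also set the bucket's default encryption to the same CMK, so that writers which do not set the header explicitly still land on the right key; then test a put without the header and a put with SSE-S3 against the real bucket before relying on the policy alone. The same `aws:SecureTransport` statement belongs on the log and secrets buckets as well.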

Vulnerability Management – Regardless of your analytics stack and cloud provider, you will want everything in your data lake infrastructure to carry the latest security patches. Implement a regular patching strategy for operating systems and packages, including regular security scans across all parts of the infrastructure. Also monitor the security bulletins published by your cloud provider (e.g. the Amazon Linux Security Center) and apply patches according to your organization's patch management plan. If your organization already has a vulnerability management solution, you should be able to use it to scan the data lake environment.

Compliance Monitoring and Incident Response – Compliance monitoring and incident response are the foundation of a security framework for early detection, investigation, and response. If you have an existing security information and event management (SIEM) infrastructure, consider using it for cloud monitoring as well; every leading SIEM on the market can ingest and analyze events from all major cloud platforms.

Event monitoring supports cloud infrastructure compliance by triggering alerts on threats or control violations, and it is also used to identify indicators of compromise (IOCs).
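Bringing together the log management and monitoring points above, here is an added example (not the original post's code) of detection rules run over CloudTrail records, the kind of logic you would put behind CloudWatch Logs metric filters or SIEM correlation rules once the trail is shipped to a central repository. The records are constructed here in CloudTrail's field layout (`eventSource`, `eventName`, `userIdentity`, `requestParameters`, `additionalEventData`) so the rules run offline; the event IDs, principals, bucket and key names are hypothetical. Each rule targets a control violation or IOC that matters for a data lake: a bucket ACL opened to everyone, CloudTrail being stopped, a root console login without MFA, and the lake's KMS key being disabled or scheduled for deletion.

```python
"""Detection rules for a cloud data lake's CloudTrail feed.

Added example for this article, not the original post's code. EVENTS is constructed
in CloudTrail's record layout so the rules run offline; IDs, principals, bucket and
key names are hypothetical.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

EVENTS = [
    {"eventID": "e1", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "analyst1"},
     "requestParameters": {"bucketName": "example-datalake-raw",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS},
                                "Permission": "READ"}]}}}},
    {"eventID": "e2", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/lake-admin/session1"},
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "e4", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "userName": "analyst1"},
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111122223333:key/lake-key",
                           "pendingWindowInDays": 7}},
    # Benign traffic that must not alert.
    {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole"},
     "requestParameters": {"bucketName": "example-datalake-raw", "key": "2024/part-0.parquet"}},
    {"eventID": "e6", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"type": "IAMUser", "userName": "lake-ops"},
     "requestParameters": {"bucketName": "example-datalake-raw",
                           "AccessControlPolicy": {"AccessControlList": {"Grant": [
                               {"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"},
                                "Permission": "FULL_CONTROL"}]}}}},
]
# The same events as newline-delimited JSON, the form CloudWatch Logs or a SIEM hands over.
EVENTS_JSONL = "\n".join(json.dumps(e) for e in EVENTS)


def _grants(event):
    acp = (event.get("requestParameters") or {}).get("AccessControlPolicy") or {}
    grants = (acp.get("AccessControlList") or {}).get("Grant") or []
    return grants if isinstance(grants, list) else [grants]


def rule_public_bucket_acl(e):
    """PutBucketAcl granting a permission to AllUsers or AuthenticatedUsers."""
    if e["eventName"] != "PutBucketAcl":
        return None
    for g in _grants(e):
        if (g.get("Grantee") or {}).get("URI") in (ALL_USERS, AUTH_USERS):
            return "PUBLIC_BUCKET_ACL"
    return None


def rule_trail_tampering(e):
    """Anyone stopping, deleting or altering the trail is blinding the SIEM."""
    if e["eventSource"] == "cloudtrail.amazonaws.com" and \
            e["eventName"] in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        return "CLOUDTRAIL_TAMPERING"
    return None


def rule_root_login_without_mfa(e):
    if e["eventName"] == "ConsoleLogin" and e["userIdentity"].get("type") == "Root" \
            and (e.get("additionalEventData") or {}).get("MFAUsed") == "No":
        return "ROOT_LOGIN_NO_MFA"
    return None


def rule_kms_key_destruction(e):
    """Disabling or scheduling deletion of a CMK makes every object under it unreadable."""
    if e["eventSource"] == "kms.amazonaws.com" and \
            e["eventName"] in ("ScheduleKeyDeletion", "DisableKey"):
        return "KMS_KEY_DISABLED_OR_SCHEDULED_FOR_DELETION"
    return None


RULES = [rule_public_bucket_acl, rule_trail_tampering,
         rule_root_login_without_mfa, rule_kms_key_destruction]


def detect(events) -> list:
    """Return (eventID, rule name) for every event that matches a rule."""
    alerts = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                alerts.append((e["eventID"], hit))
    return alerts


def detect_jsonl(lines) -> list:
    """Same detection over newline-delimited JSON records."""
    return detect(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for alert in detect_jsonl(EVENTS_JSONL.splitlines()):
        print("ALERT", alert)
```

Four of the six constructed records alert and the two benign ones (a normal GetObject and an ACL granted to a specific canonical user) do not; when porting these to metric filters or SIEM rules, keep the benign cases as regression tests so a rule change does not start paging on ordinary data lake traffic.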

Data Integrity and Availability – To ensure data integrity and availability, cloud data lakes should store data in cloud object storage (e.g. Amazon S3), which offers secure, cost-effective, redundant storage with consistent throughput and high availability. Enable object versioning with a retention lifecycle so that accidental deletions or overwrites can be remediated.
