Many enterprises today use cloud-based Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) platforms to host their important business applications and corporate data. Many cloud providers also offer data storage services that businesses use to support a more agile, productive work environment. Employees and contractors use these storage services to conduct day-to-day business in a more productive and collaborative manner. To help ensure that corporate data remains secure in IaaS and PaaS environments that sit outside the corporate perimeter, here are some best practices for you to consider.
Enable encryption for each data storage bucket. This is a simple out-of-the-box setting available from most cloud providers that encrypts data at rest, so the data cannot be read without the appropriate decryption keys. Ensure that for every new storage bucket created, a set of benchmark policies, including encryption, is enabled immediately.
Configure access control policies that enforce appropriately granular read/write access to the storage bucket. Using either an external Identity Management solution such as the Oracle Identity Cloud Service or the native IAM provided by the cloud provider, enforce that only authorized users can read data from the bucket and write data into it. Advanced access control policies, including Multi-Factor Authentication, risk-based policy control, and role-based access control, may be enforced as needed, depending on the sensitivity of the data in the bucket. The more sensitive the data you expect the bucket to hold, the stronger you want to make its access control policy.
Additionally, enable visibility controls for your cloud storage environment so that every time a new bucket is created by anyone on your team, or the configuration of an existing bucket is modified, the change is immediately visible and flagged for your attention. This allows you to monitor changes as soon as they are made, so you can analyze the context and reasons behind them. If a bucket is ever created and configured with a policy that does not comply with your reference configuration, have the CASB (Cloud Access Security Broker) flag it immediately for your attention.
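As an added illustration of the benchmark-policy check described above (example code, not Oracle CASB code), the following script compares a previous bucket inventory with the current one and flags newly created buckets, modified buckets, and any configuration that drifts from a reference policy. The control names, bucket names and settings are constructed sample data, and the reference policy is an assumed benchmark.

```python
"""Benchmark-policy drift check for cloud storage bucket configurations.

Constructed illustration: the control names below are assumed, not the
settings of any particular cloud provider or of Oracle CASB.
"""

# Reference configuration every bucket must satisfy (assumed benchmark).
REFERENCE_POLICY = {
    "encryption_at_rest": True,
    "public_read": False,
    "public_write": False,
    "access_logging": True,
    "mfa_required_for_write": True,
}


def evaluate_bucket(config: dict) -> list:
    """Return a list of human-readable policy violations for one bucket."""
    findings = []
    for control, expected in REFERENCE_POLICY.items():
        actual = config.get(control)
        if actual is None:  # control never configured counts as a violation
            findings.append(f"{control}: not set (expected {expected})")
        elif actual != expected:
            findings.append(f"{control}: {actual} (expected {expected})")
    return findings


def diff_config(previous: dict, current: dict) -> dict:
    """Return {control: (old, new)} for every setting that changed."""
    return {k: (previous.get(k), current.get(k))
            for k in set(previous) | set(current)
            if previous.get(k) != current.get(k)}


def review_inventory(known: dict, observed: dict) -> list:
    """Flag buckets that are new, modified, or out of policy.

    known/observed map bucket name -> configuration dict. A compliant,
    unchanged bucket produces no alert.
    """
    alerts = []
    for name, config in observed.items():
        changes = {} if name not in known else diff_config(known[name], config)
        event = "created" if name not in known else ("modified" if changes else None)
        violations = evaluate_bucket(config)
        if event or violations:
            alerts.append({"bucket": name, "event": event,
                           "changes": changes, "violations": violations})
    return alerts


# Constructed sample inventories: a previous snapshot and the current state.
COMPLIANT = dict(REFERENCE_POLICY)
KNOWN = {"finance-reports": COMPLIANT, "marketing-assets": COMPLIANT}
OBSERVED = {
    "finance-reports": COMPLIANT,                       # unchanged, compliant
    "marketing-assets": {**COMPLIANT, "public_read": True},  # drifted
    "tmp-export": {"encryption_at_rest": False, "public_read": False,
                   "public_write": False, "mfa_required_for_write": True},
}
```

Running `review_inventory(KNOWN, OBSERVED)` reports the modified bucket and the new bucket with their violations, while the unchanged compliant bucket produces nothing.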
Finally, Oracle CASB uniquely allows administrators to mark certain data storage assets as monitoring targets, which includes them in Oracle's Machine Learning-based behavioral analytics. From that point onwards, any out-of-the-ordinary access to the marked data is flagged for admin attention. This real-time, Machine Learning-based monitoring allows you to track suspicious and potentially malicious usage the moment it starts, rather than hours or days later.
Verizon's 2016 Data Breach Investigations Report (DBIR) found average data breach detection times to be on the order of weeks, not hours or minutes. Oracle's CASB enables you to significantly shorten detection times for non-compliant cloud configuration and data risks to the order of minutes or seconds.
Oracle's Identity SOC solution allows events gathered by the CASB to be fed into a real-time SIEM, including Oracle's Security Monitoring and Analytics Cloud Service, for prompt attention in the intelligent SOC. This lets SOC analysts detect and respond to flagged events in real time.
For more info, reach out to your Oracle Sales Representative or check out the collateral on our CASB product page.