We have seen a mass migration to the cloud over the past two years that few could have predicted. But are organizations taking the necessary actions to protect their data?

In many respects, cloud data security differs dramatically from on-premise security. Having the right strategies can prevent or drastically minimize the impact of a breach while helping maintain data’s business value. (Also read: Data Breach Notification: The Legal and Regulatory Environment.)

And these four strategies can position organizations to do just that:

1. Adopt a DataSecOps Approach to Cloud Security

Playing offence is easier, more time-efficient and less costly than playing defence.

But preventing or minimizing the effects of a data breach requires ground-level planning that many organizations fail to implement. A DataSecOps approach can help organizations build security protections by building cloud infrastructures.

The idea behind DataSecOps is that security teams collaborate early and often with data scientists to ensure security is a top consideration with every decision. This way, data security is woven into a cloud environment’s DNA, thus drastically reducing the risk of a breach and protecting data. And, should a breach occur, it is of no use to a cybercriminal. In a security-first cloud environment, organizations can store, analyze and share data confidently instead of reacting to a potential problem and adding security measures once a problem emerges. (Also read: How to Prepare for the Next Generation of Cloud Security.)

However, a DataSecOps approach requires a great deal of deliberation and consideration. As organizations have rushed to the cloud in response to a remote work environment, many have prioritized speed over security and have suffered the consequences.

The benefits of taking the time to implement a DataSecOps approach will outweigh the short-term benefits of quickly migrating to the cloud.

2. Implement a Data Security Mesh

Working in the cloud requires moving away from a traditional data security mindset.

Securing data in on-premise environments was relatively straightforward: Protect the perimeter and prevent access. There wasn’t as much need for data to leave that environment; and most code was homegrown. But the onset of cloud migration shifted many industries toward a distributed environment without a perimeter. Further complicating data security is that each device accessing the cloud is only as secure as the network from which it does so—whether from home or a nearby coffee shop. (Also read: A Zero Trust Model is Better Than a VPN. Here’s Why.)

In the past year, we have seen greater reliance on implementing a data security mesh, which focuses on the perimeter of every device in use through several protection methods. According to Gartner, a data security mesh “allows for the security perimeter to be defined around the identity of a person or thing. It enables a more modular, responsive security approach by centralizing policy orchestration and distributing policy enforcement.”

An essential step toward implementing a data security mesh is to thoroughly audit your organization’s existing technology to determine if it is appropriate for cloud data security. For example, on-premise security methods focus heavily on data at rest.

Still, as we know, cloud data is being stored and processed in infrastructures the data owner does not own. Thus, cloud data requires different processes to ensure it is protected no matter how it is being used. (Also read: Who Owns the Data in a Blockchain Application – and Why It Matters.)

In my experience, many organizations hesitate to move on from security technology that they have invested heavily in. The cost concern is understandable—but past investments pale compared to a cloud data breach’s financial and reputational cost.

3. Employ Data Analytics Pipeline Protection Methods

Data analytics is one of the cloud’s most important benefits, offering unprecedented scale and utilizing insights for market differentiation.

It stands to reason that organizations should ensure data is protected throughout its lifecycle through the pipeline—and doing so requires a wide range of situational techniques.

As data is created, it is unstructured and needs to be categorized to determine how it should be protected.

The first step of categorizing data is to determine if the data in question includes sensitive information, like a Social Security number (SSN), home address or credit card number. If sensitive information is discovered within the data, but that data doesn’t need to be analyzed, the data will be masked. This process completely hides the sensitive information with characters in a different format. (Also read: Never Really Gone: How to Protect Deleted Data From Hackers.)

Now, let’s say the same data containing sensitive information does need to be analyzed. In this case, data should be tokenized for midstream use in the pipeline. Using the SSN as an example, its nine digits would be replaced by nine other numbers, leaving the appearance of an SSN but would be of no use to an unauthorized person accessing it. At the same time, applications can analyze the data set without putting sensitive data in the clear.

Downstream, encryption is applied to convert data into unreadable cipher text that a privileged few can unencrypt with a key. This approach, known as “privacy-preserving analytics,” can process data while it remains unreadable and unusable to those without access.

By implementing the appropriate protection methods at the right time, cloud data analytics can occur without compromising that data’s value.

4. Understand the Details of Shared Responsibility

Failing to fully understand the shared responsibility model is one of the most overlooked aspects of cloud data security.

Many organizations have been under the inaccurate impression that their cloud provider protects data. However, most cloud providers only shoulder the responsibility of protecting the cloud—not the data inside. To put it another way: The home security company is responsible for keeping criminals out of the house; but it is the homeowner’s responsibility to hide or lock up valuables.

Before moving forward with a cloud provider, make sure to have deliberate discussions that outline who is responsible for what and take the necessary steps to ensure your organization has appropriate protection methods in place.

Further, it is entirely acceptable to ask a potential cloud service provider for their certifications related to industry or governmental regulations your organization must follow. (Also read: GDPR: Do You Know if Your Organization Needs to Comply?)

Conclusion

Many businesses cannot commence cloud projects without the appropriate data security practices, which can delay essential data analytics insight.

For forward-looking organizations, cloud data security is not a “nice-to-have” proposition; it is critical for long-term success.