When it comes to securing valuable business data, how safe is “the cloud”? Recent incidents have made clear that even the most reputed cloud computing services are not immune to mishaps, facing risks that range from data center fires to misconfigurations and cyberattacks, making it increasingly vital for businesses to rethink their data management strategies, especially those centered on cloud-based storage.
Data mismanagement in the cloud
In May 2024 the Google Cloud account of an Australian financial service provider was deleted due to a misconfiguration. This resulted in more than half a million customers losing access to their financial data for a week. Similarly, a ransomware attack on Finland-based cloud service provider Tietoevry affected private companies, universities, and government authorities across Sweden, showcasing that cloud vulnerabilities exist on multiple fronts.
These examples, among others, illustrate that data stored in the cloud is susceptible to risks comparable to those affecting locally stored data. After all, “the cloud” is really just servers housed in data centers, which are as vulnerable to physical and cyber threats as any other IT infrastructure.
Co-founder and CISO, Cyber Upgrade.
An evolving regulatory landscape
The stakes of proper data management are higher than ever, given that data loss can lead to costly business disruptions and severe reputational damage. Moreover, regulatory authorities are now enforcing more stringent measures on the handling of data and digital infrastructure. The Digital Operational Resilience Act (DORA), for example, aims to ensure that financial entities in the European Union are prepared to mitigate cyber risks effectively. Similarly, the Network and Information Systems Directive (NIS2) seeks to enhance cybersecurity across sectors critical to the European economy, such as energy, transportation, and healthcare.
These regulatory frameworks, and the penalties they impose for non-compliance, make it imperative for companies to rethink their current data management strategies. Relying solely on third-party cloud storage solutions without implementing rigorous internal controls can lead to infractions, resulting in significant penalties and loss of customer trust. Implementing a robust data backup strategy that complies with these regulations is no longer optional but a necessity.
Concrete steps for zero trust data backup
A strong backup strategy should protect companies not only from data loss due to data center outages but also from other threats like ransomware and cross-site scripting attacks.
A comprehensive data management plan should include retaining backups that are older than six months, to ensure that historical data and logs are available when needed, for forensic purposes. At the same time, businesses should ensure incremental data security by using a combination of base backups, Write Ahead Log (WAL) backups, full system snapshots, and full data dumps. Because individual backups can be vulnerable to localized cyberattacks or fires, it is essential to store identical backups in different geographical locations, ideally at least 25 miles apart.
However, even these measures may not be sufficient without additional layers of internal security. All backups must be encrypted, to ensure data integrity and confidentiality, and access to backups should be restricted to limited, authorized personnel only. Additionally, a log of all backup instances should be maintained for tracking and auditing purposes.
Periodic assessments are also crucial. Backup processes should be verified monthly to ensure they are reliable and consistent, and a full recovery test at least once a year should be conducted to validate the effectiveness of the backup strategy. Additionally, realistic disaster recovery scenarios should be simulated annually to identify potential gaps in the backup plan.
By implementing these controls, businesses can better safeguard their data assets, comply with stringent regulations, and ensure operational resilience against increasing cyber threats. Ultimately, achieving true data security means trusting no one while implementing rigorous and uncompromising internal controls.
We list the best cloud optimization service.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
