Information security and cloud security terms can be hard to follow — especially with all those acronyms like DLP, SAML, and more. As cloud technology expands and users incorporate more apps and services into their everyday lives, security must be top of mind at all times. Knowledge and education are the best tools everyone can use to prevent data breaches and other security snafus.
Welcome to a regular series of blog posts where we help our readers cut through the infosec noise with information on key terms in cloud security. This week, we’re sharing definitions of a few key acronyms in cybersecurity and how they relate to and connect to cloud security.
DLP: One of cloud security’s best defenses
DLP stands for data loss prevention. In a previous post, we shared some information on other names DLP can go by and the major functions of this type of security protocol. DLP handles things like monitoring, filtering, reporting, and analyzing data to keep your network and applications secure.
Some of the most complex challenges in cloud security can be solved through DLP, like managing data that lives everywhere. Data is always in one of three phases: data in use, data in motion, and data at rest.
Each phase presents challenges to information security professionals:
- Data in use is data being actively processed within a system. Security gaps can occur while data is updated, accessed, read, or even erased across a network or database.
- Data in motion is data being transferred, both on and off the network or database. A typical vulnerability for data in motion is users sending sensitive data to personal email accounts or cloud drives in order to work remotely.
- Data at rest is data stored on a network or database. Insecure storage locations and unencrypted backup copies of sensitive data pose the biggest risks for data at rest.
Since every piece of data goes through these phases at incalculable speeds and frequencies, it’s impossible for manual processes to keep information safe at every entry and exit point. That’s where Nightfall’s three steps of DLP come in. Our automated solution discovers, classifies, and protects sensitive data across collaboration tools like Slack and the Atlassian suite.
DLP allows users to perform all three essential security actions automatically, without complicated setup or need for continuous monitoring. Think about how complex these steps are:
Data discovery means finding data across your organization’s systems. Within the context of information security, data discovery is a process generally carried out by auditing tools designed to scan applications, networks, or endpoints for specific types of data. As information often exists in silos, this could be the sole reason for an organization to consider DLP.
Data classification means organizing data by relevant categories, making it easier to find and protect. Without classification, data storage is chaos. This step of DLP supports the other steps and makes the entire process possible through codifying data in more relatable terms.
Data protection is simple: protect data from loss. But the mechanisms for loss are complicated. Threats include external attacks from malicious actors, internal sources of data exfiltration among your workforce, and accidental leaks via email or social media networks.
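As an added illustration of the three steps (this is not Nightfall's code or product logic): a minimal discover, classify and protect pass in Python over constructed chat messages. The detector patterns, sensitivity levels and masking rule are assumptions chosen for the example; a production DLP engine uses far richer classifiers.

```python
import re

# Constructed sample messages standing in for Slack/Confluence content (not real data).
SAMPLE_MESSAGES = [
    {"channel": "#support", "text": "Customer card is 4111 1111 1111 1111, exp 12/26"},
    {"channel": "#hr", "text": "New hire SSN 123-45-6789, email jane.doe@example.com"},
    {"channel": "#random", "text": "Lunch at 12:30? Order #1234-5678 shipped"},
]

def luhn_ok(number):
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(re.sub(r"[ -]", "", number))):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Classification rules (assumed for this example): name -> (pattern, validator, sensitivity).
DETECTORS = {
    "CREDIT_CARD": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), luhn_ok, "high"),
    "US_SSN": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
               lambda s: not s.startswith(("000", "666", "9")), "high"),
    "EMAIL": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda s: True, "medium"),
}

def discover(messages):
    """Discovery and classification: scan every message, keep validated matches only."""
    findings = []
    for msg in messages:
        for name, (pattern, valid, sensitivity) in DETECTORS.items():
            for m in pattern.finditer(msg["text"]):
                if valid(m.group()):
                    findings.append({"channel": msg["channel"], "type": name,
                                     "sensitivity": sensitivity, "match": m.group()})
    return findings

def protect(text, findings):
    """Protection: mask high-sensitivity matches, keeping only the last 4 characters."""
    for f in findings:
        if f["sensitivity"] == "high" and f["match"] in text:
            text = text.replace(f["match"], "*" * (len(f["match"]) - 4) + f["match"][-4:])
    return text

if __name__ == "__main__":
    found = discover(SAMPLE_MESSAGES)
    for msg in SAMPLE_MESSAGES:
        print(protect(msg["text"], found))
```

The Luhn validator is what keeps order numbers and timestamps in the third message from being flagged as card numbers.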
All the acronyms we’re sharing in this post are essential for expanded infosec knowledge, but DLP might be the most important to understand. The next acronym covers a similarly wide range of data and can be as complex as DLP: PII.
PII: It’s personal
PII means “personally identifiable information” and includes any data that could potentially identify someone as an individual. This data comes from almost all industries’ daily operations, putting PII at the heart of the security breaches that pepper our 24-hour news cycle. Protecting PII is a chief concern for cloud security professionals.
Hashmap on Medium shares its perspective on PII and government regulations, which unfortunately doesn’t make PII any less complicated.
The United States’ General Services Administration states that “the definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”
The intersection of our sensitive information, exposure risk, and potentially unsecured storage sources causes massive headaches for organizations and individuals alike. Privacy regimes like HIPAA exist to address these concerns, but without cloud security measures in place to protect the data through its three phases, no amount of regulation can prevent data loss.
The 2019 Netwrix Cloud Data Security Report spells out the impact of unsecured PII in the cloud in stark numbers:
- 75% of organizations that store customer PII in the cloud without classifying all their data experienced a security incident.
- 33% of organizations that store all their sensitive data in the cloud had security incidents during the preceding 12 months.
- 55% of organizations that plan to strengthen their cloud data security with encryption, monitoring of user activity, and employee training report having to manage these initiatives with the same cloud security budget as their previous year.
Sensitive data like PII needs specialized attention to remain safe in the cloud. Nightfall helps protect PII and other important data through DLP by connecting with SaaS applications like Slack. SaaS and other similar tools are the next class of acronyms you should know more about.
IaaS, PaaS, and SaaS: More than just buzzwords
The tech industry seems to thrive on acronyms, especially the -aaS derivatives. Three acronyms from this category you should know are IaaS, PaaS, and SaaS.
BigCommerce explains these three from an E-commerce lens on their blog, but the basics are the same for any industry. Think of them as an easy way to determine how to use the cloud for your business.
- IaaS, or infrastructure as a service, is cloud-based, pay-as-you-go access to services such as storage, networking, and virtualization. Example: many popular AWS services, like S3 or Redshift.
- PaaS, or platform as a service, is a cloud-based service that gives customers a platform to develop, run, and manage applications without the complexity of building and maintaining the underlying IaaS directly. A popular example is Heroku.
- SaaS, or software as a service, is software made available by a third party over the internet. Examples: Slack and Confluence.
Forrester is predicting massive growth for the public cloud market with these three services, at $299 billion in 2020 alone. Their report found that 65% of North American enterprises rely on public cloud platforms, and 66% run internal private clouds. But the growth isn’t all good news. Gartner sees insufficient cloud IaaS skills delaying half of enterprise IT organizations’ cloud migrations by two years or more, through 2022.
The problem stems from migration strategies that favor “lift-and-shift” projects that don’t develop native-cloud skills, over modernization or refactoring strategies. This is creating a market where service providers cannot train and certify people quickly enough to satisfy the need for skilled cloud professionals.
Aggressive growth is the goal for most tech companies, but without scalable and iterative development, the technology will suffer and the company will underperform. Understanding the -aaS acronyms and their functionality in the cloud is essential for sustainable growth in any organization.
The cloud is a complex place. Well-meaning end users and bad actors can pose equal threats to cloud systems. The next set of acronyms spells out how cloud security professionals keep these systems safe from insider and outsider dangers. First up: TLS and AES.
TLS and AES: Encryption in action
TLS stands for Transport Layer Security. Like its now-deprecated predecessor, Secure Sockets Layer (SSL), TLS is a cryptographic protocol designed to provide communications security over a computer network. Many applications we use every day rely on TLS to encrypt data: web browsing, email, instant messaging, and voice over IP (VoIP).
Websites can use TLS to secure all communications between their servers and web browsers. Without the encryption that TLS provides, sensitive information like PII and PHI (protected health information) is at risk of exposure. Without TLS, bad actors can also monitor users’ browsing habits, e-mail correspondence, online chats, and conference calls. Client and server applications that support TLS ensure that data transmitted between them is encrypted with secure algorithms and cannot be read by third parties.
Most cloud security concepts would be impossible without encryption. The Advanced Encryption Standard (AES) was established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES became a federal government standard in 2002, and government organizations like the National Security Agency (NSA) utilize AES encryption and keys to protect classified or other sensitive information.
AES is used in consumer-facing products and apps as well:
- Mobile apps
- VPN Implementations
- Operating system components such as file systems
You’ll often see a key size attached to AES, like 256-bit. Encryption scrambles information into an unreadable form that only the associated key can decrypt. AES works in rounds: each round applies four operations to the output of the previous round, and the process repeats a fixed number of times.
The AES key size determines the number of rounds the procedure executes. A longer key means more rounds: a 128-bit AES key uses 10 rounds, while a 256-bit AES key uses 14 rounds.
TLS and AES are tools that shoulder huge workloads in cloud security. The next acronyms to know are SSO and SAML — security tools that help end users protect their data and systems.
SSO and SAML: Making Zero trust security more accessible for everyone
SSO stands for single sign-on, an authentication scheme that allows a user to log in with a single ID and password to any related but independent software systems. Services like Okta act as a gateway for users to enter their password a single time and access an entire suite of systems and apps on their work computers. SSO provides mutual benefits for users and organizations, like:
- Mitigating risk for access to third-party sites by removing the need to store or manage passwords externally
- Reducing password fatigue for users trying to remember different username and password combinations
- Removing time spent re-entering passwords for the same login
SAML, the Security Assertion Markup Language, is one of the key technologies that makes SSO work at scale: it makes it easier to extend SSO across security domains. The SAML Web Browser SSO profile was specified and standardized to promote interoperability.
Zero trust security is based on the idea of never trusting, always verifying. Asking a user to enter their credentials every time they access an account is bad user experience (UX), but trusting a webpage to host those credentials is bad security practice. Zero trust, working in conjunction with SSO and SAML, provides both good UX and strong security. Both sides win.
End user accounts are at risk of security breaches and data loss because these entry points are easier for bad actors to access. One compromised login can allow a bad actor into a network to access more resources as they make their way through a system. Zero trust security stops this common attack pattern. SSO and SAML empower the user to take more control of their credentials and protect their sensitive data.
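As an added example, not from the original post or any real identity provider: the checks a service provider makes on a SAML assertion before trusting the login it carries across the security-domain boundary. The assertion, issuer and audience URLs are constructed placeholders, and the XML signature verification a real SP must perform before any of these checks is omitted because it needs an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with placeholder IdP/SP URLs (no real deployment).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2020-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2020-01-01T11:59:00Z" NotOnOrAfter="2020-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_ts(s):
    """SAML timestamps are UTC xsd:dateTime values."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return (ok, reasons). Signature verification (XML-DSig) must happen before this."""
    root = ET.fromstring(xml_text)  # a real SP should use a hardened XML parser
    reasons = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:  # only the IdP we federated with may vouch for users
        reasons.append(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            reasons.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") is None or now >= parse_ts(cond.get("NotOnOrAfter")):
            reasons.append("assertion expired or has no expiry")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:  # assertion issued for a different SP
            reasons.append(f"audience {audiences} does not include this SP")
    if not root.findtext("saml:Subject/saml:NameID", namespaces=NS):
        reasons.append("missing NameID")
    return (not reasons, reasons)

if __name__ == "__main__":
    now = parse_ts("2020-01-01T12:01:00Z")
    print(check_assertion(SAMPLE_ASSERTION, "https://idp.example.com/metadata",
                          "https://app.example.com/saml/sp", now))
```

The audience check is what stops an assertion minted for one application from being replayed against another in the same SSO federation.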
SSO and SAML are easier to implement and manage with tools that specialize in identity and access management. IAM is the next acronym to know; these systems tie many cloud security processes together.
IAM: Individual security measures for the entire cloud
IAM stands for identity and access management. It’s a framework of policies and technologies to provide appropriate access to tech resources to the proper people in an enterprise. IAM systems define and manage the roles and access privileges of individual network users and the circumstances where users are granted (or denied) those privileges.
Federal regulations often require enterprises to implement IAM systems and comply with identity management policies. Regulations such as the Sarbanes-Oxley Act (SOX, another acronym we’ll cover in a future piece on cloud security terms to know) and HIPAA hold organizations accountable for controlling access to customer and employee information.
IAM solutions are critical in the expansion of cloud technology. As regulatory compliance requirements become increasingly more rigorous and complex, organizations can’t keep up with the tasks required to stay in compliance on their own. When looking for the right IAM solution for your business, keep these requirements at the top of your list:
- Multi-factor authentication
- Password management and self-service options for users
- Security analytics for auditing and compliance
Logins can often be the bane of a user’s existence. IAM tools make this responsibility much easier for everyone on your team to manage: not just the end users, but also the security professionals responsible for safeguarding against the honest mistakes and genuine attacks that can leave a system vulnerable.
Living (and learning) with cloud security
Cloud security can be a dense and difficult topic to process. There’s no reason that the major concepts should be so murky. Since everyone who uses a computer or mobile device interacts with the cloud in some way, that means we’re all on the hook to use this technology responsibly. Whether you’re a tech leader or just an end user, everyone can benefit from understanding key infosec and cloud security terms a little bit more.