Cloud

Securing Agencies’ Cloud Migration Paths Requires Data-Level Security

Deconstructing and then reconstructing data in transit protects against threats and is an essential component of zero trust.

Audra Simons

Audra Simons is Senior Director of Global Products and Engineering at Everfox.

There is always an inherent risk of compromise when moving data from one location to another. Some data might be lost, while other data might end up being corrupted or incomplete.

Cloud migration adds the possibility of human error and technical issues, heightening the risks associated with data transfer.

Agencies navigating cloud migration to align with the Biden administration’s National Cybersecurity Strategy can mitigate some of these risks with a solution called content disarm and reconstruction. With CDR, agencies can extract and validate information from files before they’re transferred and then reconstruct the files post-migration containing only clean, relevant data.

To ensure a safe and secure cloud migration, agencies should leverage CDR and other zero-trust security approaches so that data can safely reach its destination.

Click the banner to read CDW’s white paper on enhancing zero trust for your agency.

Defending Against Insider and Evolving External Cyberthreats

The cloud migration pathway is rife with cybersecurity potholes. Regardless of whether these hazards stem from insiders or external threats, hitting any of them could prove costly for agencies that are trying to align with federal cloud requirements.

For example, while an agency’s employees are its strongest defense against cybersecurity threats, they can also be its weakest links. Many cloud migration vulnerabilities stem from simple human error, including misconfigurations, that can lead to unrestricted inbound and outbound ports, application programming interfaces created without proper authentication, weak passwords, and other kinds of accidental or intentional insider risks.

Agencies face external threats as well. For instance, ransomware attacks against cloud services are increasing. Meanwhile, transferring inaccurate or incomplete data can cause data corruption and faulty results that can be catastrophic.

On top of it all, cyberattackers are getting more creative and adept at targeting data as it is transferred and stored in the cloud. In addition to traditional ransomware, there has been a rise in highly evasive adaptive threat attacks that target web browsers with malware and attacks on cloud infrastructure, as exemplified by Russia’s recent efforts to infiltrate cloud environments.

Combatting Cyberthreats at the Data Level

A well-rounded zero-trust strategy is key to mitigating these and other types of attacks and vulnerabilities. CDR is a more reliable zero-trust option because it proactively addresses vulnerabilities at the data level.

The way CDR works is simple: Before files are migrated, the valid information contained within the files is extracted, and the original files are either completely discarded or stored. This is the disarm phase.

Extracted information is verified to ensure that it is well-structured and free of vulnerabilities. Finally, new files are built using the verified data. This is the reconstruction phase. Those vulnerability-free files are then securely migrated to their destination.

Most cybersecurity methods are based on detecting malicious activity, but CDR uses a preventative zero-trust approach. This assumes that no data is secure at any time, especially when in transit.

Files are intercepted and reconstructed in real time, delivering secure data without disrupting employee workflows. Rather than retroactively discovering threats after they’ve breached an agency’s perimeter, CDR prevents them from entering the perimeter altogether.

DISCOVER: Three agencies give updates on their zero-trust progress.

Other Cybersecurity Best Practices That Complement CDR

While CDR is a highly powerful tool in the fight against cybersecurity threats, it cannot and should not be the only weapon in agencies’ zero-trust arsenals. Organizations should consider employing other data security best practices to bolster their zero-trust approaches and ensure that their data is as protected as possible before it is shared.

Good cybersecurity starts with controlling data access and practicing the principle of least privilege. Every agency should have a clear data usage policy specifying guidelines and rules around who can access and use data, how it should be accessed, and when and why. With the principle of least privilege, new accounts have the fewest privileges to data and are granted additional access over time.

Adding other data-level layers of protection in addition to CDR is also a good idea. Cataloging data, learning how much of it is sensitive or critical to the organization, and applying controls to ensure that data complies with government cybersecurity regulations are critical best practices.

Agencies can then encrypt data by converting plain text into ciphertext, making it very difficult for unauthorized users to crack. For added protection, agencies may opt for pseudonymization, which encrypts identifiable data with artificial identifiers or pseudonyms, such as replacing a user’s name with a token that signifies the user without revealing an identity.

Layering these strategies with CDR gives agencies a comprehensive cybersecurity approach that protects data at rest and in transit during cloud migrations. Their threat protection levels will be, in the words of the National Cybersecurity Strategy, “more intentional, more coordinated, and more well-resourced,” and they will be one step closer to a true zero-trust security posture.

sankai/Getty Images