Unlocking Secure Data Practices in Google Cloud

Jul 29, 2024

Data is your most valuable asset. That’s why securing it should be a top priority.

Today’s organizations are complex and often siloed, with hybrid workforces. Most run a mix of legacy on-premises infrastructure and multiple public cloud platforms. Employees, teams, and projects are constantly changing, and so are the authorizations attached to those projects. Securing this environment can quickly get complicated.

Data security is therefore a critical component of securing your IT infrastructure. The more sensitive the data, the greater the risk to your organization from a leak or breach. The consequences can be long-lasting: lost revenue, business downtime and regulatory fines, and reputational damage that can be hard to recover from.

Securing your data in Google Cloud

As part of any cloud migration strategy, IT teams need to consider which data they’re planning to process and store in the cloud. From data classification and governance, to access control, network security, encryption and auditing, there’s a lot to consider throughout the lifecycle of your data.

Here are some key considerations for securing your data in a Google Cloud environment:

Data classification: Ideally, data should be classified automatically as soon as it’s created. Typically, data falls into one of four categories: public (data that may be released to anyone); internal (non-confidential data that is not intended for public consumption); confidential (data available only to authorized people inside the organization); and restricted (regulated data whose access is limited to specific users).

Google Cloud’s Sensitive Data Protection service can automatically discover sensitive data in Cloud Storage, BigQuery, and Datastore and classify it in your Google Cloud environment, at every stage of the data’s lifecycle. Those classifications are what the access-control and encryption decisions below should be driven by.

Data governance: Once your data is classified, it’s easier to govern that data. While your organization will need to establish its own data governance strategy—based on global, national, and industry regulations and compliance requirements—there are resources that can help.

Google Cloud, for example, publishes a framework for data governance in the cloud along with supporting tools and technologies. Dataprep by Trifacta can help define and enforce data quality rules; it can be used either as a standalone service or from within Cloud Data Fusion.

Identity and Access Management (IAM): Once data is classified and tagged, you can use Google Cloud IAM to control which users are allowed to use which datasets. IAM lets you manage access control across all Google Cloud resources through a single interface and a single policy model.

Authorization can be granted at a granular level, not just at the project level. IAM Conditions let you attach attributes to a role binding, such as the resource type or name, the date and time, or, through Access Context Manager access levels, the caller’s IP address and device, so that the grant applies only while those conditions hold. This reduces risk and helps meet the compliance requirements set out in your governance strategy. IAM Recommender complements this by analyzing actual permission usage and using machine learning to recommend less-privileged roles or the removal of grants that are never used.
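The checks above are easiest to see against a real policy export. The following script is an added example (not code from the original post or from Pythian): it reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and flags public principals, basic roles, broad data roles that carry no IAM condition, and time-bound conditions that have already expired. The policy it contains is a constructed sample; the principals, project and dataset names are hypothetical.

```python
"""Audit an exported Google Cloud IAM policy for risky bindings.

Added example, not code from the original post. Reads a policy in the JSON
shape returned by `gcloud projects get-iam-policy PROJECT --format=json` and
flags public principals, basic roles, data roles with no IAM condition, and
time-bound grants that have already expired. SAMPLE_POLICY is a constructed
sample; every principal, project and dataset name in it is hypothetical.
"""
import re
from datetime import datetime

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Broad data-access roles that should normally be scoped by a condition.
DATA_ROLES = {
    "roles/bigquery.dataViewer",
    "roles/bigquery.dataEditor",
    "roles/storage.objectViewer",
    "roles/storage.objectAdmin",
}
# Expiry of a time-bound IAM condition, e.g.
#   request.time < timestamp("2024-01-31T00:00:00Z")
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

# Constructed sample policy (hypothetical principals and project).
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwYZ0example",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/bigquery.dataViewer", "members": ["user:bob@example.com"]},
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["user:carol@example.com"],
            "condition": {
                "title": "temporary-access",
                "expression": 'request.time < timestamp("2024-01-31T00:00:00Z")',
            },
        },
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["group:analysts@example.com"],
            "condition": {
                "title": "public-datasets-only",
                "expression": 'resource.name.startsWith("projects/my-project/datasets/public_")',
            },
        },
    ],
}


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp such as 2024-01-31T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_policy(policy, now):
    """Return a list of finding dicts for one IAM policy, evaluated at `now`."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        condition = binding.get("condition")
        expression = condition["expression"] if condition else ""
        match = EXPIRY_RE.search(expression)
        expiry = parse_rfc3339(match.group(1)) if match else None
        for member in binding.get("members", []):
            reasons = []
            if member in PUBLIC_PRINCIPALS:
                reasons.append(("HIGH", "granted to a public principal"))
            if role in BASIC_ROLES:
                reasons.append(("MEDIUM", "basic role; replace with a predefined or custom role"))
            if role in DATA_ROLES and condition is None:
                reasons.append(("LOW", "data role with no IAM condition (no time or resource scope)"))
            if expiry is not None and expiry < now:
                reasons.append(("INFO", "time-bound grant expired on %s; remove the binding" % expiry.date()))
            for severity, reason in reasons:
                findings.append({"severity": severity, "role": role,
                                 "member": member, "reason": reason})
    return findings


def run_audit(policy=SAMPLE_POLICY, as_of="2024-07-29T00:00:00Z"):
    """Audit `policy` as of the given RFC 3339 instant (default: the post's date)."""
    return audit_policy(policy, parse_rfc3339(as_of))


if __name__ == "__main__":
    for f in run_audit():
        print("%-6s %-28s %-30s %s" % (f["severity"], f["role"], f["member"], f["reason"]))
```

On the sample it reports five findings: the owner grant, the `allUsers` binding (twice: public principal, and a data role with no condition), Bob’s unconditioned data role, and Carol’s expired temporary grant; the analysts group, whose binding is scoped to `public_` datasets by a resource condition, is not flagged. To run it against a real project, load the `gcloud ... --format=json` output with `json.load` and pass it as `policy`.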

Network access and security perimeters: You’ll also need to control the network locations from which data can be reached. In today’s world of work-from-anywhere, this is even more important. VPC Service Controls lets you draw a service perimeter around a set of projects and the Google-managed services they use (Cloud Storage, BigQuery and others): API calls to those services from outside the perimeter are blocked, even when the caller is authorized in your IAM policy, unless an ingress rule or access level explicitly allows them.

IAM provides identity-based access control; VPC Service Controls adds context-based perimeter security that limits where data can be accessed from and where it can be copied to. Used together, they form a defense-in-depth strategy: a stolen credential or a mistaken IAM binding is far less useful if the request cannot cross the perimeter.

Data encryption: Google Cloud encrypts data at rest and in transit by default. It also offers options such as Customer-Managed Encryption Keys (CMEK), where you create and manage the keys in Cloud KMS and control their rotation, access and revocation.

You can also use Customer-Supplied Encryption Keys (CSEK), a ‘bring-your-own-key’ option in which you generate the key outside Google Cloud (for example in an on-premises key management system) and supply it with each request; Google uses it only in memory and does not store it. If your keys must stay in a third-party key management system, Cloud External Key Manager (Cloud EKM) lets Cloud KMS use keys held outside Google’s infrastructure to protect data that lives inside Google Cloud.

Auditing: When it comes to security, you can never ‘set it and forget it.’ You need to monitor your environment continuously and audit it regularly. Security Command Center offers a single management interface that surfaces misconfigurations, vulnerabilities and threat findings across your organization.

Cloud Logging stores logs in log buckets that can be pinned to a region. Among them are Cloud Audit Logs: Admin Activity logs (who changed what, including IAM policy changes) are always on, while Data Access logs, which record reads of data and use of Cloud KMS keys, must be enabled explicitly for most services. Log-based metrics and alerting policies in Cloud Monitoring can then raise alerts on those entries. These are just a few of the many tools available to help you monitor your environment.
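To make the auditing point concrete, here is an added example (not code from the original post or from Pythian) that runs three detections over audit log entries exported by a Cloud Logging sink, where each line is one LogEntry as JSON: any IAM policy change, a public principal being added by such a change, and a Cloud KMS key operation by a principal that is not on the expected list. The log lines are constructed samples; the project, key ring, bucket and principal names are hypothetical. Note that the KMS Decrypt entries only exist if Data Access audit logs are enabled for Cloud KMS.

```python
"""Run simple detections over exported Cloud Audit Log entries.

Added example, not code from the original post. Each input line is one
LogEntry as a JSON object, the format a Cloud Logging sink writes to a
Cloud Storage bucket. Three checks: any IAM policy change, a public principal
added by that change, and Cloud KMS key use by a principal that is not on the
expected list. SAMPLE_LOG_LINES are constructed; the project, key ring, bucket
and principal names are hypothetical. KMS Encrypt/Decrypt entries appear only
when Data Access audit logs are enabled for Cloud KMS.
"""
import json

# Principals expected to use the CMEK key (hypothetical).
EXPECTED_KMS_CALLERS = {"etl-pipeline@my-project.iam.gserviceaccount.com"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
KMS_USE_METHODS = {"Decrypt", "Encrypt", "AsymmetricDecrypt", "AsymmetricSign"}


def _entry(ts, log, service, method, principal, resource, ip, extra=None):
    """Build one audit LogEntry (as a JSON line) in the shape Cloud Logging exports."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
    }
    if extra:
        payload.update(extra)
    return json.dumps({
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2F" + log,
        "timestamp": ts,
        "protoPayload": payload,
    })


SAMPLE_LOG_LINES = [
    # Admin Activity: someone grants roles/storage.objectViewer to allUsers.
    _entry("2024-07-29T14:02:11Z", "activity", "cloudresourcemanager.googleapis.com",
           "SetIamPolicy", "mallory@example.com", "projects/my-project", "203.0.113.7",
           {"serviceData": {"policyDelta": {"bindingDeltas": [
               {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}),
    # Data Access: the ETL service account uses the CMEK key (expected).
    _entry("2024-07-29T14:05:40Z", "data_access", "cloudkms.googleapis.com", "Decrypt",
           "etl-pipeline@my-project.iam.gserviceaccount.com",
           "projects/my-project/locations/us/keyRings/data/cryptoKeys/bq-cmek", "10.0.0.5"),
    # Data Access: a human user calls Decrypt on the same key (unexpected).
    _entry("2024-07-29T14:06:02Z", "data_access", "cloudkms.googleapis.com", "Decrypt",
           "bob@example.com",
           "projects/my-project/locations/us/keyRings/data/cryptoKeys/bq-cmek", "198.51.100.23"),
    # Data Access: an ordinary object read, which matches no rule.
    _entry("2024-07-29T14:07:15Z", "data_access", "storage.googleapis.com",
           "storage.objects.get", "alice@example.com",
           "projects/_/buckets/finance-exports/objects/q2.csv", "10.0.0.9"),
    "{not valid json",  # a corrupt line: skipped rather than aborting the run
]


def parse_entries(lines):
    """Yield parsed audit entries; skip lines that are not JSON or lack a protoPayload."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and "protoPayload" in entry:
            yield entry


def detect(entries, expected_kms_callers=EXPECTED_KMS_CALLERS):
    """Return finding dicts for every entry that matches a detection rule."""
    findings = []
    for entry in entries:
        p = entry["protoPayload"]
        principal = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        base = {"time": entry.get("timestamp"), "principal": principal,
                "resource": p.get("resourceName"),
                "caller_ip": p.get("requestMetadata", {}).get("callerIp")}
        if p.get("methodName") == "SetIamPolicy":
            findings.append(dict(base, rule="iam-policy-change", severity="MEDIUM"))
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for delta in deltas:
                if delta.get("action") == "ADD" and delta.get("member") in PUBLIC_PRINCIPALS:
                    findings.append(dict(base, rule="public-principal-granted", severity="HIGH",
                                         role=delta.get("role"), member=delta["member"]))
        if (p.get("serviceName") == "cloudkms.googleapis.com"
                and p.get("methodName") in KMS_USE_METHODS
                and principal not in expected_kms_callers):
            findings.append(dict(base, rule="kms-use-unexpected-principal", severity="MEDIUM"))
    return findings


def run_detection(lines=SAMPLE_LOG_LINES):
    """Parse the given JSON lines and run all detections over them."""
    return detect(parse_entries(lines))


if __name__ == "__main__":
    for f in run_detection():
        print(f["severity"], f["rule"], f["time"], f["principal"], f["resource"], f["caller_ip"])
```

On the sample this yields three findings: the policy change itself, the `allUsers` grant inside it (which is the one to page on), and Bob’s Decrypt on the CMEK key. The expected service account’s Decrypt and the ordinary object read produce nothing, and the corrupt line is skipped. The same rules can be expressed as Cloud Logging filters for log-based alerting; the script is useful for retrospective review of a bucket export or for testing a rule before you turn it into an alert.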

The Pythian Security Advantage

Securing your data across its lifecycle is complex, especially if your IT team doesn’t have specific expertise in Google Cloud. That’s where a partner like Pythian can help. Our data management services can help you develop strong data governance protocols to build organizational trust and data reliability.

But our services don’t stop there—we can then help you unlock your data’s full potential. For example, our enterprise data platform (EDP) services for Google Cloud make it easy to integrate, clean, and organize your data into Google BigQuery and make datasets available for analysis—transforming data into insights using BI tools like Looker or Tableau.

Want to unlock secure data practices in Google Cloud? Contact us at info@pythian.com to learn more.
