
Why Project-Based Malware Protection is Inadequate


Data migration to the cloud accelerates each year. By 2025, over 100 zettabytes of data [1] will be stored in some form of cloud storage resource. If your organization stores data in the cloud, you are likely aware of the security risks associated with cloud-based malware, misconfigurations, and other issues that result in data loss or compliance violations. Today, the vast majority of organizations focus their efforts exclusively on protecting their “most important” resources, like repositories with sensitive information. Meanwhile, many other repositories are left unprotected and undefended. While this might seem like a cost- and time-saving approach, operating with a project-based security strategy instead of an inclusive, programmatic strategy is like locking your front door and never checking your back door, leaving your entire enterprise vulnerable to malware infiltration.

Project-Based Protection (Most Common) refers to a limited, ad-hoc security approach focused on securing specific, isolated cloud storage resources or projects, often leaving other areas vulnerable to threats and potential malware infiltration.

Programmatic Protection (Best Defense) refers to the continuous, automated, and comprehensive security applied across all cloud storage resources, proactively scanning and protecting every repository to prevent malware, data loss, and compliance violations.

What Are The Threats to Storage?

Malware, misconfigurations and permission issues are among the most common threats to your cloud storage. Of these threats, malware ingestion is particularly troubling due to its ability to spread widely to customers and partners through workflows while evading project-based security strategies. Malware can enter your cloud storage in various ways, including:

  • Compromised credentials or exploited APIs
  • Phishing attacks
  • Unmonitored automated integrations
  • Dormant data
  • Internal human threats
  • Development and testing environments
  • Application-generated data

These ingestion methods could deposit malware in any number or type of storage resource for distribution downstream. Imagine your organization conducts a large-scale migration of data from on-premises using a managed migration tool. This data will eventually be organized, processed within an internal application, and distributed to employees who execute the files on their local machines for manual inspection. If a piece of malicious code were contained in even one of the downloaded files, that malware could execute and spread to the network, begin exfiltrating data, or initiate a ransomware attack. If this malicious code were caught and quarantined in the storage layer, this costly incident would have been prevented.

Why Program-Based Protection Is Essential

Since Amazon S3 buckets are not executable environments, many organizations don’t comprehensively protect them. Overlooking these repositories leaves significant gaps in organizations’ security posture and fails to address three critical risks:

  • Propagation: Infected files can be downloaded by customers, partners, or employees. Even if antivirus software is installed on a local machine, the definitions could be out of date.
  • Workflow vulnerabilities: Applications and workflows may inadvertently distribute malware across and out of a cloud environment.
  • Unpredictable detonation: Due to periodic definition updates, a piece of malware could be scanned multiple times before malicious code is detected.

Scanning only a portion of storage resources for malware fails to address these risks and creates opportunities for lateral movement where malware can be distributed across locations.
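The coverage gap and the definition-update problem described above can be checked mechanically. The following is an added example, not code from Cloud Storage Security or its product: it compares a storage inventory against scan records and lists buckets with no scan coverage plus objects that were never scanned, changed after their scan, or were last marked clean under older definitions. The record layout, bucket names, ETags and version numbers are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanRecord:
    bucket: str
    key: str
    etag: str          # version of the object that was scanned
    defs_version: int  # signature-definition release used for the scan
    verdict: str       # "clean" or "infected"

def coverage_gaps(inventory, records, current_defs):
    """Return (buckets with no scan coverage, objects that need a scan).

    inventory: {bucket: {key: current_etag}}
    records:   scan records in chronological order (a later one wins)
    """
    latest = {}
    for rec in records:
        latest[(rec.bucket, rec.key)] = rec
    scanned_buckets = {bucket for bucket, _ in latest}
    unprotected = sorted(b for b in inventory if b not in scanned_buckets)

    todo = []
    for bucket, objects in inventory.items():
        for key, etag in objects.items():
            rec = latest.get((bucket, key))
            if rec is None:
                reason = "never scanned"
            elif rec.etag != etag:
                reason = "changed since scan"
            elif rec.verdict == "clean" and rec.defs_version < current_defs:
                reason = "stale definitions"
            else:
                continue  # current verdict stands (clean, or already flagged)
            todo.append((bucket, key, reason))
    return unprotected, sorted(todo)

# Constructed sample data (hypothetical bucket names, ETags and versions).
INVENTORY = {
    "sensitive-records": {"payroll.csv": "a1"},
    "migration-landing": {"legacy.zip": "b1"},
    "app-exports": {"report.pdf": "c2", "invoice.docx": "d1"},
}
RECORDS = [
    ScanRecord("sensitive-records", "payroll.csv", "a1", 42, "clean"),
    ScanRecord("app-exports", "report.pdf", "c1", 42, "clean"),
    ScanRecord("app-exports", "invoice.docx", "d1", 40, "clean"),
]
CURRENT_DEFS = 42
```

In the sample, only the "most important" bucket is fully covered: the migration landing bucket has no scan history at all, and both objects in the export bucket need another pass even though each was once marked clean.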

Implementing a Programmatic Cloud Storage Security Strategy

A comprehensive cloud storage security strategy includes malware protection on every single storage repository. Whether the data is externally sourced or internally created, the massive attack surface created by dozens, hundreds, or thousands of storage resources cannot be ignored. A satisfactory technical solution to this problem should include:

  • Scalability: Whether storage volumes are in the megabyte or petabyte range, horizontal scaling to keep up with changing file volumes is essential.
  • Proactive defense: Flexibility of scanning models, including the ability to scan pre-existing data as well as scanning immediately after data is uploaded, allows for a deeper level of protection.
  • Ease of use: The ability to apply program-based protection to all buckets, volumes, and file systems in as little as a single click saves time and effort.

Cloud Storage Security (CSS) offers customers the ability to “protect everything” with cloud-native, in-tenant malware protection for Amazon S3, Amazon EBS, Amazon EFS, Amazon FSx, Microsoft Azure Blob, and Google Cloud Storage. We also offer flat-rate, program-based pricing that enables customers to:

  • apply malware protection to as many storage resources as required
  • perform unlimited scanning, including rescanning with new definitions or to satisfy compliance requirements

all while not worrying about per-GB pricing, overspending, or license usage.

Attackers thrive on lax security practices. By applying malware protection to all of your buckets, you are taking measures toward protecting your (and your customers’) data while avoiding costly data breaches, compliance violations, and certain reputational damage. To leverage program-based pricing, which is more cost-effective than our per-GB public pricing model, contact a Cloud Storage Security expert today.

 

This article is adapted from the paper A Holistic Approach to Cloud Storage Malware Protection

 

About Cloud Storage Security

Cloud Storage Security (CSS) protects data in the cloud so that businesses can move forward freely and fearlessly. Its robust malware detection and data loss prevention solutions are born from a singular focus on, and dedication to, securing the world’s data, everywhere. Serving a diverse clientele spanning commercial, regulated, and public sector organizations worldwide, CSS solves security and compliance challenges by identifying and eliminating threats, while reducing risk and human error. CSS’s modern, cloud-native solutions are streamlined and flexibly designed to seamlessly integrate into a wide range of use cases and workflows, while complementing and bolstering existing infrastructure and security frameworks. CSS holds certifications including SOC2, AWS Public Sector Partner with an AWS Qualified Software offering, AWS Security competency, and AWS Authority to Operate.




[1] Source: https://cybersecurityventures.com/the-world-will-store-200-zettabytes-of-data-by-2025/
