Today, we’re living in the era of big data, with companies generating, collecting, and storing vast amounts of data by the second, ranging from highly confidential business or personal customer data to less sensitive data like behavioral and marketing analytics. 

Beyond the growing volumes of data that companies need to be able to access, manage, and analyze, organizations are adopting cloud services to help them achieve more agility and faster times to market, and to support increasingly remote or hybrid workforces. 

The traditional network perimeter is fast disappearing, and security teams are realizing that they need to rethink current and past approaches when it comes to securing cloud data. With data and applications no longer living inside your data center and more people than ever working outside a physical office, companies must solve how to protect data and manage access to that data as it moves across and through multiple environments. 

• Data confidentiality: Data can only be accessed or modified by authorized people or processes. In other words, you need to ensure your organization’s data is kept private.
• Data integrity: Data is trustworthy—in other words, it is accurate, authentic, and reliable. The key here is to implement policies or measures that prevent your data from being tampered with or deleted. 
• Data availability: While you want to stop unauthorized access, data still needs to be available and accessible to authorized people and processes when it’s needed. You’ll need to ensure continuous uptime and keep systems, networks, and devices running smoothly.

Often referred to as the CIA triad, these three broad pillars represent the core concepts that form the basis of strong, effective security infrastructure—or any organization’s security program. Any attack, vulnerability, or other security incident will likely violate one (or more) of these principles. This is why security professionals use this framework to evaluate potential risk to an organization’s data assets.

As more data and applications move out of a central data center and away from traditional security mechanisms and infrastructure, the higher the risk of exposure becomes. While many of the foundational elements of on-premises data security remain, they must be adapted to the cloud. 

Common challenges with data protection in cloud or hybrid environments include: 

• Lack of visibility. Companies don’t know where all their data and applications live and what assets are in their inventory. 
• Less control. Since data and apps are hosted on third-party infrastructure, they have less control over how data is accessed and shared. 
• Confusion over shared responsibility. Companies and cloud providers share cloud security responsibilities, which can lead to gaps in coverage if duties and tasks are not well understood or defined. 
• Inconsistent coverage. Many businesses are finding multicloud and hybrid cloud to better suit their business needs, but different providers offer varying levels of coverage and capabilities that can deliver inconsistent protection. 
• Growing cybersecurity threats. Cloud databases and cloud data storage make ideal targets for online criminals looking for a big payday, especially as companies are still educating themselves about data handling and management in the cloud. 
• Strict compliance requirements. Organizations are under pressure to comply with stringent data protection and privacy regulations, which require enforcing security policies across multiple environments and demonstrating strong data governance.
• Distributed data storage. Storing data on international servers can deliver lower latency and more flexibility. Still, it can also raise data sovereignty issues that might not be problematic if you were operating in your own data center.

Cloud providers and customers share responsibility for cloud security. The exact breakdown of responsibilities will depend on your deployment and whether you choose IaaS, PaaS, or SaaS as your cloud computing service model.

In general, a cloud provider takes responsibility for the security of the cloud itself, and you are responsible for securing anything inside of the cloud, such as data, user identities, and their access privileges (identity and access management).

At Google Cloud, we follow a shared fate model. That means we are active partners in ensuring our customers deploy securely on our platform. We can help you implement best practices by offering secure-by-default configurations, blueprints, policy hierarchies, and advanced security features to help develop security consistency across your platforms and tools.  

Being compliant in the context of the cloud requires that any services and systems protect data privacy according to legal standards and regulations for data protection, data sovereignty, or data localization laws. Certain industries, such as healthcare or financial services, will also have an additional set of laws that come with mandatory guidelines and security protocols that will need to be followed. 

That’s why it’s important to consider cloud service providers and evaluate their cloud security carefully. Reputable cloud service providers will not only strive to ensure their own services and platforms are compliant but should also be willing to collaborate with you directly to understand and address your specific regulatory and risk management needs.