The Do’s and Don’ts of Managing Sensitive Data in the Cloud [A Complete Checklist for MSPs]

Do You Know Where Sensitive Data Resides?

Do you know where all sensitive data resides within your organization, or more importantly, where it resides in your customers’ clouds? Weak access controls, excess permissions, inactive users, or misconfigured S3 storage buckets could be exposing terabytes of critical data by the minute.

Research has found that more than 30% of cloud data assets contain sensitive information. That’s where the problem begins for a busy MSP: without clear visibility into where sensitive data resides or how it’s being accessed, securing it becomes nearly impossible, and that gap is how breaches happen.

That’s why we put this checklist together on The Do’s and Don’ts of Managing Sensitive Data in the Cloud. But first, do you know who has access to what?

Securing Data in the Cloud: Who Has Access to What? 

Microsoft Security’s 2023 State of Cloud Permissions Risks Report found that over 45% of organizations have AWS access keys that have gone unrotated for months at a time. The same report found that 40% of identities in AWS environments are inactive.

Let that sink in for a moment. 

How can MSPs determine who has access to which type of data across multiple cloud platforms and ensure it remains secure? 

Now factor in third parties. 

Third parties may hold access permissions that nobody on your side manages or even sees. Any one of those permissions can serve as a backdoor for attackers to exfiltrate sensitive data.

And the risks aren’t only limited to cloud environments…

MSPs must constantly worry about shadow IT, where employees use unauthorized cloud services and other SaaS applications without the consent or knowledge of IT. This is a big problem. 

Those unauthorized cloud accounts and user roles bypass whatever security controls have been implemented and widen your attack surface. Even a “harmless”-looking Chrome extension such as Grammarly can introduce real risk: to do its job it reads the text of whatever the user types, including documents that contain financial transactions, proprietary information, and other PII.

Once an employee accepts the extension’s terms, that data is in the hands of a third party. Those terms of service are often long, complex, and difficult to fully understand, which makes it easy for employees to overlook the risks of granting that access.

Sure, data privacy laws have become more strict, but they can’t protect you from the risks posed by unauthorized access if you don’t know where sensitive data resides. 

Data at Rest vs. Data in Transit

In order to secure data, you first need to have a better understanding of the different types of data. 

Data at rest refers to data that is stored and not actively being transmitted or processed, such as in databases, file servers, or cloud storage. 

Data in transit or in motion, on the other hand, refers to data that is being transmitted from one location to another, such as emails or cloud-based API calls. 

All data, whether at rest or in transit, should be protected with strong encryption. Encrypted storage keeps files on servers or cloud services from being read by anyone who gets hold of the underlying disks or backups (data at rest), and TLS keeps traffic from being read or altered by a Man-in-the-Middle (MITM) attacker during transmission (data in transit). One caveat: provider-managed encryption at rest does not close a misconfigured bucket. The service decrypts objects transparently for any principal the access policy allows, so a public bucket serves its files in the clear no matter how they are stored. Encryption complements access controls; it does not replace them.

The Do’s and Don’ts of Managing Sensitive Data in the Cloud [Complete Checklist]

Access permissions should be limited by default. But this is the part that gets tricky for MSPs.

Why?

Because an MSP may not be fully aware of how many permissions and identities are circulating within cloud environments. When was the last time your team conducted a comprehensive review of user permissions and roles across all cloud platforms? 

A month ago? A year? Longer?  

Now multiply those accounts, permissions, and identities across the multiple clients you manage at the same time, and it’s not hard to imagine that a data breach is only a single account login away. Google Cloud’s 2023 Threat Horizons Report found that 86% of data breaches involve stolen credentials.

So, yeah, the threats are very real. No need to fall into that trap. 

Below are the most common cloud risks, along with best practices you can implement to prevent them and secure sensitive data.

Cloud risk: Excessive access permissions
Guardz best practices:
– Implement the principle of least privilege across all cloud accounts
– Conduct periodic audits of user permissions
– Grant temporary access to sensitive resources and revoke it as soon as the task is completed

Cloud risk: Inactive identities
Guardz best practices:
– Remove inactive users from cloud accounts, such as employees who have left the organization or third parties whose contracts have expired
– Enforce multi-factor authentication (MFA) across all cloud accounts
– Monitor privileged accounts closely and deactivate those that have been inactive for an extended period (30-60 days)

Cloud risk: Cloud storage misconfigurations (e.g. S3 buckets left public)
Guardz best practices:
– Block public access to storage buckets; this is absolutely essential
– Rotate access keys and secrets regularly, at least every 90 days
– Enable versioning for cloud storage objects and establish regular backup procedures

Cloud risk: Third parties
Guardz best practices:
– Conduct thorough cybersecurity risk assessments and audits
– Implement access controls for third-party data sharing
– Define roles and responsibilities in security contracts, including who is responsible for securing your data (shared responsibility model)
– Confirm that third parties meet the regulations that apply to your data (e.g. GDPR, HIPAA) and ask to see current certifications (e.g. ISO 27001)
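As an added example (not Guardz’s code and not part of the original checklist), the script below turns the identity and storage items from the list above, together with the encryption requirements from the Data at Rest vs. Data in Transit section, into runnable Python. It parses a constructed sample in the column layout of the AWS IAM credential report (the output of aws iam get-credential-report, trimmed to the columns used here) and flags console users without MFA, identities idle for more than 60 days, and active access keys older than 90 days. It then inspects two constructed S3 bucket policies: one that leaves the bucket public, and one hardened to deny non-TLS requests (data in transit) and unencrypted uploads (data at rest). The user names, account ID, bucket name and fixed clock are all made up for the example.

```python
"""Offline audit for the checklist above: IAM credential report + S3 bucket policy.
All sample data is constructed for this example; users, account ID and bucket are fictitious."""
import csv
import io
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)     # rotate access keys at least every 90 days
INACTIVE_AFTER = timedelta(days=60)  # flag identities unused for 60+ days
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed report in the column layout of `aws iam get-credential-report`
# (the real report has more columns; only the ones used here are kept).
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-05-30T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T09:00:00+00:00,true,2024-01-02T08:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,true,2023-09-01T00:00:00+00:00,2024-01-02T08:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-03-05T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-20T00:00:00+00:00,2024-05-31T03:00:00+00:00,true,2024-05-01T00:00:00+00:00,2024-05-31T03:00:00+00:00
"""

# Constructed bucket policies: the classic public bucket, and a hardened one.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # data in transit: refuse any request that is not made over TLS
            "Effect": "Deny", "Principal": "*", "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {   # data at rest: refuse uploads that do not request server-side encryption
            "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ],
}


def _ts(value):
    """Parse a report timestamp; N/A and no_information mean 'never'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for missing MFA, inactivity and stale access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access without MFA is the first thing to fix.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "no_mfa"))
        # Inactivity: most recent password or key use; never used counts from creation.
        seen = [t for t in (_ts(row["password_last_used"]),
                            _ts(row["access_key_1_last_used_date"]),
                            _ts(row["access_key_2_last_used_date"])) if t]
        last = max(seen) if seen else _ts(row["user_creation_time"])
        if now - last > INACTIVE_AFTER:
            findings.append((user, "inactive"))
        # Rotation: every active key must be younger than KEY_MAX_AGE.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                rotated = _ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > KEY_MAX_AGE:
                    findings.append((user, f"key{n}_stale"))
    return findings


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. everyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_allow_statements(policy):
    """Allow statements that grant anonymous access with no Condition at all."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow"
            and _is_anonymous(s.get("Principal"))
            and not s.get("Condition")]


if __name__ == "__main__":
    for user, finding in audit_credential_report(CREDENTIAL_REPORT):
        print(f"{user}: {finding}")
    for name, policy in (("public", PUBLIC_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy: {len(public_allow_statements(policy))} public Allow statement(s)")
```

To run it against a real account, feed it the actual report (aws iam get-credential-report --query Content --output text | base64 -d, since the report is returned base64-encoded) and a policy fetched with aws s3api get-bucket-policy. The policy check is deliberately simple: it only looks for unconditional Allow statements to everyone and does not evaluate conditions, ACLs or access points, so treat it as a triage step and rely on S3 Block Public Access at the account level as the actual control. Deny statements with Principal "*" are expected in a hardened policy; that is how the TLS-only and encryption-required rules are written.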


But there’s a better way to manage sensitive data in the cloud. 

Keep All Sensitive Cloud Data Secured with Guardz 

Who has cloud access permissions to critical data? Don’t wait until an account gets compromised to find out. 

Guardz examines all digital assets within the customer cloud environment by scanning files and folders for excessive sharing permissions, misconfigurations, and other types of risky user behavior that can lead to a breach.

Prevent compromised credentials with Guardz cloud DLP and unified cybersecurity platform. 

See where all sensitive data resides across your organization and client cloud environments. 
Speak with one of our experts today.


Jordan is a Cybersecurity Content Creator and community builder. He has written for many cybersecurity companies and knows more stats about a data breach than IBM.
