Cloud data security is the practice of safeguarding sensitive data, intellectual property, and secrets from unauthorized access, tampering, and data breaches. It involves implementing security policies, applying controls, and adopting technologies to secure all data in cloud environments.
As IBM and Ponemon Institute’s Cost of Data Breach Report 2024 shows, data breaches cost organizations worldwide an average of $4.88 million—a full 10% spike from 2023. To Gartner, the growing frequency and cost of cloud data breaches calls for a data-centric approach to security, where security measures and policies are designed with data—rather than infrastructure—as the focal point.
Still, because data in the cloud is highly distributed and often shared and stored across various third-party vendors, the first step to implementing data-centric data security best practices is to understand the shared responsibility model.
Advanced Cloud Security Best Practices [Cheat Sheet]
Crafted for both novices and seasoned professionals, the cloud security cheat sheet exceeds traditional advice. It combines theory with real-world impact analysis, provides actionable steps, and even delves into hands-on code snippets for those who prefer a direct approach.
Download Cheat Sheet
The shared responsibility model and data security
Security in the cloud is a shared responsibility between customers and cloud service providers (CSPs) like Azure and GCP. Under the shared responsibility model, the CSP is responsible for securing the physical data centers, networks, hosts, and other physical components that make up the cloud infrastructure. Customers are in charge of securing their cloud data, apps, and configurations.
If the model is misunderstood or poorly implemented on either side, you may face data breaches, data loss, or compliance failures. To avoid these issues, let’s look at how you can uphold your end of the shared responsibility model by adopting best practices to secure data in the cloud.
13 Key cloud data security best practices
1. Define and discover sensitive data
Knowing what data you have and where it’s located is the only way to protect it. There are two key steps to defining and discovering sensitive data:
Establish what constitutes sensitive data for your organization: Because the definition of sensitive data varies across organizations, give it careful thought and decide what it means for your enterprise.
For example, a healthcare provider is typically in possession of sensitive customer health and payment information and an insurance service provider likely stores medical histories, bank statements, traffic offense histories, and other sensitive data (depending on the type of insurance they provide). To determine if a dataset is sensitive, think of what its loss or exposure to the public can do to your enterprise.
Use automated tools to discover data across all environments: Manually discovering data stored across various environments leaves unknowns that can be exploited by attackers, and this explains why multi-cloud data storage accounts for 40% of data breaches. Invest in data security posture management (DSPM) tools to automate data discovery, eliminate shadow data, and identify new data in real time.
2. Classify and label data
Data classification and labeling is the foundation of data security, access control, and regulatory compliance.
Implement a data classification framework: The framework you use should clearly define data sensitivity levels using easy-to-understand categorization schemes. For example, “public,” “internal,” and “confidential” might be your way of classifying low, medium, and high risk assets. Straightforward categories support consistent data classification and governance.
Use metadata and tagging for easy identification and handling: Feed automated data classification tools with consistent labeling data. These include keyword tags and metadata like timestamps (e.g., “creation date”), access levels (something like “admin access only”) and retention tags (for example, “retain for 3 years”). Consistent data tags and metadata streamline your data identification, classification, and lifecycle management.
3. Encrypt data at rest and in transit
Encrypting data at rest and in transit ensures data remains inaccessible even if a breach occurs. It’s also a necessity for meeting a wide range of compliance standards. For example, NIST SP 800-57, ISO/IEC 27040, GDPR, HIPAA, and other frameworks mandate that organizations must encrypt data and protect cryptographic keys from unauthorized access.
Encrypting data at rest safeguards stored data (such as the data you keep in databases and file systems) from unauthorized access. Protect data at rest by applying strong encryption algorithms including Advanced Encryption Standard (AES-256), which uses a 256-bit key. You can also use the elliptic-curve cryptography (ECC), which has a 192-bit to 256-bit key range.
Encrypting data in transit safeguards data moving across networks from interception, manipulation, and theft. Encrypt data in transit by applying TLS (Transport Layer Security) over any transport protocol of choice (like HTTP and FTPS).
Use hardware security modules (HSMs): HSMs are physical devices designed to store cryptographic keys securely and perform cryptographic functions.
4. Implement strong access controls
When implementing access controls, strike a balance between over-permissioning and under-permissioning. Tilting too far in either direction can result in shadow access, where authorized or unauthorized users create unmonitored infrastructure to access resources. Key ways to enforce access controls include:
Enforcing the principle of least privilege (PoLP) to ensure users only have access to the sensitive data and infrastructure they need to complete their tasks
Using role-based access control (RBAC) and attribute-based access control (ABAC): RBAC limits user permissions based on their job roles, while ABAC controls user access based on fine-grained characteristics (e.g., combining time, device IP, and job description such that a teller has only write access to customer financial information using a prespecified device)
Implementing multi-factor authentication (MFA) for all access points; MFA provides multiple access control layers, preventing attackers from accessing sensitive data using stolen or compromised credentials
Adopting an identity access management (IAM) tool to help you understand the effective permissions of every identity and also help identify who can access what and when in the environment
Using a cloud security posture management (CSPM) tool to automatically identify misconfigurations and excessive permissions, ensuring access to sensitive data is scoped correctly
5. Monitor and audit data access
Track and assess user access and activities around sensitive data to find anomalous activities like unauthorized access and data exfiltration. To monitor and audit data access:
Deploy continuous monitoring solutions like security information and event management (SIEM) tools for real-time visibility into who is accessing your data.
Keep detailed logs of data access and alterations to detect breaches in real time, prevent data loss, and ensure standards compliance.
6. Prioritize regular data backups and disaster recovery plans
Backing up data and creating disaster recovery plans prevents data loss and maintains business continuity in the event of a disaster, an attack, or data corruption. Here are two essential tips:
Schedule frequent backups using the 3-2-1 backup strategy: The 3-2-1 strategy refers to creating three copies of data you want to protect, storing the copies on two different storage media, and keeping one copy off-site.
Test your disaster recovery plan periodically to ensure its effectiveness: Identify implementation gaps and make sure that employees know when and how to set disaster recovery plans in motion.
7. Ensure compliance with regulatory requirements
Compliance standards are meant to help you secure customer data, and failure to comply can result in data breaches or hefty fines. To ensure compliance:
Understand the specific industry and regional regulations applicable to your business. For example, a healthcare organization with customers in California and the EU is subject to GDPR, HIPAA, and CCPA, among other regulations.
Create data access and usage policies that align with regulatory standards. To comply with standards, the healthcare organization in the previous example can implement strict access controls for doctors and other staff handling patient records.
Conduct regular compliance audits to be sure that policies, configurations, and access controls in your environment meet regulatory requirements.
8. Identify and remediate misconfigurations
Gartner forecasts that 99% of security failures in 2025 will result from cloud customer errors like misconfigurations. To keep your data safe:
Regularly scan for misconfigured cloud storage and resources like storage buckets with public access, improper access controls, and weak encryption.
Use automated configuration management tools to automate repetitive, error-prone tasks like configuring new resources. These tools detect misconfigurations in real time, minimize human errors, and prevent versioning inconsistencies.
Establish baseline configurations and enforce them consistently across your IT stack. Focus on areas like access control, encryption, firewall settings, and patching.
9. Address vulnerabilities promptly
Perform regular vulnerability assessments and penetration testing to identify and resolve risks before attacks can exploit them. You should:
Keep all systems and applications up-to-date with patches.
Use agentless vulnerability scanners to automatically uncover vulnerabilities throughout your environment, leaving no blind spots.
Use intrusion detection and prevention systems (IDPS) to catch threat actors in real time—before they can do damage.
10. Secure data in development environments
Despite containing sensitive data and secrets, data security is often an afterthought in development environments. To protect data during software development:
Scan code repositories for hard-coded secrets and sensitive data using code scanners and vulnerability management solutions.
Secure credentials like encryption keys, API keys, and tokens by storing them in secrets management solutions.
Scan CI pipelines for security risks like dependency vulnerabilities and pipeline poisoning issues using IaC security software.
Implement secure coding practices and code reviews to mitigate software vulnerabilities likely to put data at risk before software is deployed.
The Secure Coding Best Practices [Cheat Sheet]
With curated insights and easy-to-follow code snippets, this 11-page cheat sheet simplifies complex security concepts, empowering every developer to build secure, reliable applications.
Download Cheat Sheet
11. Gain full context around data risks
To detect attack paths, correlate data risks with other cloud vulnerabilities, such as network exposures, insecure APIs, misconfigurations, and lateral movement. Here’s how:
Integrate data security insights with broader cloud security operations using a DSPM as part of a cloud native application protection platform (CNAPP).
Use graph-based context risk scoring to prioritize remediation efforts, ensuring the most critical risks are resolved first.
12. Detect unusual behavior and potential threats
Continuously monitor your cloud environment for suspicious activities:
Employ user and entity behavior analytics (UEBA) that use AI/ML to spot deviations like multiple access attempts, unusual network traffic, unexpected file execution, and other indicators of compromise (IoCs).
Set up anomaly detection for data access patterns, ensuring they are instantly flagged and alerted on.
Respond swiftly to IoCs to eliminate exploitable risks and safeguard sensitive data.
13. Protect AI and machine learning data
Sensitive data is often used to train AI models to improve their output. But if it’s not properly managed, the process can put both the training data and the model at risk. To avoid this:
Discover where sensitive AI training data is, gain visibility into the data, and eliminate all associated risks.
Remove attack paths to training data to prevent threat actors from exposing sensitive data through inference attacks or from corrupting training data in data poisoning attacks.
Implement output filtering, data anonymization, and differential privacy. Output filtering prevents the AI model from revealing sensitive training data in response to user queries. Data anonymization replaces sensitive information with scrambled or masked data, and differential privacy adds noise to datasets. All these techniques keep data safe without changing the behavior of the AI model.
Implementing data security best practices with Wiz DSPM
From the data security best practices highlighted above, it’s clear that protecting data in the cloud is a complicated task. That’s why you need the right security partner to ease the process. Enter Wiz.
Here’s how Wiz protects your sensitive data:
Agentless discovery and classification of data: Wiz DSPM locates and classifies data spread across your DBaaS, Saas, IaaS, and other cloud environments—without agents. The bottom line? Wiz slashes the time and effort you’d have spent on configuring agents across multiple components, all while eliminating the risk of shadow data.
Risk assessment: Wiz understands that uncovering data risks in isolation leaves blind spots. This is why Wiz is the first and leading provider of DSPM-as-part-of-a-CNAPP, offering a combination that helps you correlate data risks with other cloud risks and visualize attack paths to sensitive data at a glance.
DDR capabilities: By scanning data with context, Wiz DSPM offers unmatched data detection and response (DDR) capabilities, consistently keeping you several steps ahead of threat actors.
Data access governance: Wiz DSPM seamlessly identifies effective permissions in your stack to help you spot entities with access to all data and resources in your environment. It also detects and removes identity risks such as excessive permissions, weak authentication practices, and more.
Automated compliance assessment: Wiz DSPM assesses your compliance with hundreds of regulatory frameworks and lets you see how compliant your stack is at a glance, using the Wiz compliance heatmap and compliance scores.
Multi-cloud support: Wiz integrates easily with various cloud providers and unifies multi-cloud data security into a single dashboard for easier management.
AI data security: With Wiz AI-SPM, you can gain complete visibility into AI pipelines and prevent data poisoning, data leakage, and other AI data risks.
The best time to start implementing these security best practices is now! Start with a free Wiz demo.
Protect your most critical cloud data
Learn why CISOs at the fastest companies choose Wiz to secure their cloud environments.
