
Building a Cloud Security Program From the Ground Up

2 min read
Published July 17, 2023

Building a cloud security program from scratch can be daunting. How do you get started, and what should your first steps be? There’s no one-size-fits-all approach to cloud security, but for those looking to form a solid program foundation, we've laid out a blueprint below to help guide you through the steps and get you off to a strong start.

1. Take an org-wide cloud app inventory.

There are a couple of ways to do this. Determining the sanctioned applications your team uses can be as simple as sitting down with the finance team. They can comb through cloud vendor contracts, purchase orders, etc., to locate SaaS or IaaS offerings your company has a formal relationship with.

To pinpoint unsanctioned applications, you’ll need to go a different route. This involves a little detective work with whoever owns your web proxy, DNS, and firewall logs. Asking questions like, “What are the top 20 destinations our company sends network traffic to each day?” can reveal both Bob in accounting’s Netflix habit and his public GitHub repository.

2. Perform a risk assessment.

Once you’ve determined the cloud applications and services your company uses, the next step is to measure the overall risk of working with these various cloud providers. You want to answer the question, “What would be the business impact of a potential data breach?”

Rating each app as high, medium, or low is an effective way to determine its risk rating — which apps would be the most damaging in the wrong hands. Take Salesforce, for example: the popular CRM app houses sensitive information, regulated data, business-critical information, and deal room data. This would certainly warrant a “high” rating.

On the other hand, an application used to publish social media posts isn’t as critical as an app that stores personally identifiable information, such as Social Security numbers or dates of birth. Apps like the social media publisher can be rated “medium” or even “low.”


3. Determine your security posture.

After you’ve established an inventory of your cloud apps and assessed the overall risk, you’ll want to perform a security posture review of each application. By working with each app’s “owner” or admin in the company, you can get a clear picture of how each app is configured and gauge the strength of your current security posture.

From there, you can perform a more in-depth analysis, asking questions like, “Is this the security posture I want? Should I be changing these settings?” or even, “Is there over-permissioned access to data and resources at our company?”

4. Automate, automate, automate.

Now that you’ve built out your inventory, completed your risk rating, and are trying to determine what to tackle first or where to task your team’s focus, you’ll quickly learn the importance of using automation. The steps you’ve completed thus far are not a set-it-and-forget-it model; your work will be all for naught without continuous monitoring and updating.

However, constantly maintaining these cloud apps would require an entire team of people to support the efforts of inventorying, assessing risk, and controlling security posture in your SaaS applications. That’s why automating these tasks is key to protecting the data within these cloud apps without overburdening your security team.
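The following script is an added example, not code from the Varonis post, that strings steps 1, 2 and 4 together in one re-runnable pass: it ranks outbound web-proxy destinations (the “top 20 places we send traffic to” question), splits them into sanctioned and unsanctioned apps using the list finance compiled from contracts, attaches a high/medium/low tier to each sanctioned app from the kinds of data it holds, and lists what to tackle first. The proxy log lines, the sanctioned-app table, the `regulated`/`critical`/`internal` data tags and the owner names are all constructed for the example.

```python
# Added example (not from the original post): SaaS discovery and risk triage
# over proxy logs, the kind of job you would schedule daily rather than run once.
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log, one request per line:
# "<date> <user> <method> <url> <bytes>". Not real traffic.
SAMPLE_PROXY_LOG = """\
2023-07-10 alice GET https://login.salesforce.com/ 2310
2023-07-10 alice POST https://acme.my.salesforce.com/services/data/ 8850
2023-07-10 bob GET https://www.netflix.com/browse 44100
2023-07-10 bob GET https://github.com/bob-acme/finance-exports 1200
2023-07-10 bob POST https://api.github.com/repos/bob-acme/finance-exports 9900
2023-07-11 carol GET https://app.hootsuite.com/dashboard 3100
2023-07-11 carol POST https://acme.my.salesforce.com/services/data/ 7200
2023-07-11 dave GET https://s3.amazonaws.com/acme-backups/ 6800
2023-07-11 dave GET https://ec2.amazonaws.com/ 900
2023-07-11 alice GET https://www.netflix.com/watch/1 52000
2023-07-11 eve GET
"""

# Sanctioned apps as finance would compile them from contracts and POs.
# Hypothetical data tags: "regulated" (SSNs, DOBs, health data),
# "critical" (CRM, deal-room, backups), "internal" (low-sensitivity business data).
SANCTIONED_APPS = {
    "salesforce.com": {"owner": "sales-ops", "data": {"regulated", "critical"}},
    "amazonaws.com": {"owner": "platform", "data": {"critical"}},
    "hootsuite.com": {"owner": "marketing", "data": {"internal"}},
}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (acme.my.salesforce.com -> salesforce.com).
    Simplification: a production tool would use the Public Suffix List so that
    hosts under co.uk and similar suffixes are grouped correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_proxy_log(text: str) -> list[tuple[str, str]]:
    """Return one (user, registrable domain) pair per request; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _date, user, _method, url, _size = parts
        host = urlparse(url).hostname
        if host:
            records.append((user, registrable_domain(host)))
    return records


def top_destinations(records: list[tuple[str, str]], n: int = 20) -> list[tuple[str, int]]:
    """The 'top N places we send traffic' answer, as (domain, request count) pairs."""
    return Counter(domain for _, domain in records).most_common(n)


def risk_tier(data_tags: set[str]) -> str:
    """Step 2: rate an app by the most sensitive kind of data it holds."""
    if data_tags & {"regulated", "critical"}:
        return "high"
    if "internal" in data_tags:
        return "medium"
    return "low"


def build_inventory(log_text: str, sanctioned: dict) -> list[dict]:
    """Steps 1 and 2 in one table: every destination seen, who uses it,
    whether finance knows about it (owner on file), and its risk tier.
    Unsanctioned apps have no owner to ask, so their risk stays 'unreviewed'."""
    records = parse_proxy_log(log_text)
    users_by_domain = defaultdict(set)
    for user, domain in records:
        users_by_domain[domain].add(user)
    inventory = []
    for domain, hits in top_destinations(records):
        app = sanctioned.get(domain)
        inventory.append({
            "app": domain,
            "requests": hits,
            "users": sorted(users_by_domain[domain]),
            "status": "sanctioned" if app else "unsanctioned",
            "owner": app["owner"] if app else None,
            "risk": risk_tier(app["data"]) if app else "unreviewed",
        })
    return inventory


def needs_attention(inventory: list[dict]) -> list[str]:
    """What to tackle first: every unsanctioned app, plus sanctioned apps rated high.
    Re-running this on each day's log is the 'automate' step."""
    return [e["app"] for e in inventory
            if e["status"] == "unsanctioned" or e["risk"] == "high"]


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_PROXY_LOG, SANCTIONED_APPS)
    for entry in inventory:
        print(f"{entry['app']:<16} {entry['status']:<12} risk={entry['risk']:<10} "
              f"requests={entry['requests']:<3} users={','.join(entry['users'])}")
    print("attention:", needs_attention(inventory))
```

Against the constructed log the script surfaces Netflix and GitHub as unsanctioned (Bob’s repository included), rates Salesforce and AWS high because of the regulated and business-critical data on file for them, and rates the social media tool medium. The same inventory re-run on the next day’s logs, diffed against today’s, is the minimum viable version of the continuous monitoring the step above calls for.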

5. Don’t forget about compliance.

By performing the tasks above, you’ll achieve a solid cloud security program that will give you a leg up when it comes to internal and external audits. You’ll be able to show compliance with regulations that require you to have a deep understanding of both the inventory of the data you have as well as the risk and security posture that exists in your cloud technology stack.

As you build your cloud security program from scratch, you’ll begin to see the need for continuous monitoring and detection. By embracing automation, you’ll be equipped to keep tabs on third-party application risks, prepare for compliance audits, and stay ahead of security risks across the cloud.
