Full Report
As we celebrate Data Privacy Day, Bernard Montel, Tenable’s EMEA Technical Director and Security Strategist, wants to remind us that we live in a digital world and that we need to protect it. With data breaches a daily occurrence, and AI changing the playing field, he urges everyone to “do better.”

Launched in April 2006 by the Council of Europe, Data Protection Day – or Data Privacy Day, as it’s known outside of Europe – is celebrated globally every year on January 28. Back in 2006, around 100 million records were compromised across various breaches in the U.S., according to data collated by Privacy Rights Clearinghouse. But in 2024, in just one data breach suffered by National Public Data (NPD), approximately 2.9 billion records were allegedly stolen.

Collectively, we have to do better.

The lifeblood of the organization

Data is the essence of every company. It’s information about your customers, your employees, your intellectual property, your financial performance and more. Data also fuels innovation in the cloud. However, the volume and complexity of data in hybrid and multi-cloud environments make it increasingly difficult to secure your business’s data. Externally, data breaches can lead to mistrust and brand damage, as well as to lawsuits, fines and lost business. Internally, they can – and should – trigger increased scrutiny from the board, which will justifiably question the strength of the organization’s security posture.

When AI comes marching in

With data at the heart of everything, AI has completely changed the playing field this Data Privacy Day, adding a further layer of risk when it comes to protecting our information. Organizations face the complex task of controlling AI deployment and usage while also identifying vulnerabilities within AI tools and AI development packages. The adoption of AI increases the volume and variety of cloud data. In tandem, as AI applications become more sophisticated, they require more training data to learn from and function effectively. Thus, protecting cloud data is paramount to maintaining the integrity and security of your business’s AI usage.

Externally, threat actors are also looking to supercharge their activity with AI. It has been well documented how attackers are leveraging AI to write more sophisticated and effective malware for ransomware attacks, as well as to enhance phishing scams and more.

You can’t have privacy without security

To take advantage of the unique opportunities offered by the cloud and AI, you must address the full spectrum of security responsibilities that accompany collecting, storing, and using data. These responsibilities include automatically and continuously scanning data assets, discovering and monitoring sensitive data, and alerting on any potential risk.

Protecting data in public cloud environments starts with three steps:

1. Know your cloud resources. You must discover the compute, identity and data resources in your cloud and get contextualized visibility into how critical resources are accessed.
2. Expose critical cloud risks. It’s critical to gain the context you need to focus on the priority risks caused by the toxic combination of misconfigurations, excessive entitlements, vulnerabilities and sensitive data.
3. Close cloud exposures. It’s essential to reduce cloud risk by closing priority exposures with top speed and surgical precision – even if you only have five minutes to spare.

Let’s look at how the integration of data security posture management (DSPM) into a cloud native application protection platform (CNAPP) can give you a comprehensive view of your cloud data and the risks associated with it.
DSPM is a set of ongoing processes and technologies that provides visibility into where sensitive data is stored, who has access to it, and how it’s being used across your systems. It analyzes the overall security posture around the data itself, rather than just the infrastructure hosting it.

Meanwhile, CNAPP solutions replace a patchwork of siloed products that often cause more problems than they solve, such as multiple false positives and excessive alerts. Those individual products usually provide only partial coverage and often create overhead and friction with the products they’re supposed to work with. Most importantly, CNAPPs allow businesses to monitor the health of cloud native applications as a whole rather than individually monitoring cloud infrastructure and application security.

When DSPM is integrated into a CNAPP, it empowers the security team to obtain actionable data context that helps the team better prioritize risks and reduce the organization’s exposure to customer data breaches and the compromise of AI resources and intellectual property.

How Tenable can help

With Tenable Cloud Security, you can reduce risk by rapidly exposing and closing priority security gaps caused by misconfigurations, risky entitlements and vulnerabilities – in one powerful CNAPP. With integrated DSPM capabilities, Tenable Cloud Security continuously monitors your multi-cloud environment to discover and classify data types, assign sensitivity levels and prioritize data findings in the context of the entire cloud attack surface. At Tenable, we help you identify your weaknesses, detect your gaps and close your exposures quickly.
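The "toxic combination" prioritization described above, worked through as a small Python model. This is an added example, not Tenable Cloud Security code: three constructed regex classifiers stand in for DSPM data discovery and classification, per-resource exposure flags (public access, excessive entitlements, exploitable vulnerabilities) stand in for CNAPP findings, and the resource inventory is constructed for illustration.

```python
import re
from dataclasses import dataclass
# Constructed DSPM-style classifiers: data type -> (pattern, sensitivity level 0-3). Illustrative only.
CLASSIFIERS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,16}\b"), 3),
    "aws_access_key": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 3),
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), 1),
}

@dataclass
class CloudResource:
    """A cloud data store plus the exposure signals a CNAPP attaches to it."""
    name: str
    public: bool              # misconfiguration: reachable from the internet
    admin_entitlements: bool  # excessive entitlements on the attached identity
    critical_vulns: int       # exploitable vulnerabilities on the hosting workload
    samples: list             # sampled object contents to classify

def classify(samples):
    """Discover sensitive data in sampled content: {data_type: hit_count}."""
    hits = {}
    for text in samples:
        for data_type, (pattern, _level) in CLASSIFIERS.items():
            n = len(pattern.findall(text))
            if n:
                hits[data_type] = hits.get(data_type, 0) + n
    return hits

def toxic_score(res):
    """Multiply data sensitivity by exposure, so only the coexistence of sensitive
    data AND a path to it (the 'toxic combination') yields a non-zero score."""
    findings = classify(res.samples)
    level = max((CLASSIFIERS[k][1] for k in findings), default=0)
    exposure = int(res.public) + int(res.admin_entitlements) + min(res.critical_vulns, 2)
    return level * exposure, level, findings

def prioritize(resources):
    """Rank by toxic score, using raw sensitivity as the tie-breaker."""
    ranked = [(r.name,) + toxic_score(r)[:2] for r in resources]
    return sorted(ranked, key=lambda t: (t[1], t[2]), reverse=True)

# Constructed inventory. The AKIA... value is the AWS documentation example, not a live key.
INVENTORY = [
    CloudResource("customer-exports", True, False, 1,
                  ["order 4417 card 4111 1111 1111 1111 jane@example.com"]),
    CloudResource("ml-training-set", False, True, 0,
                  ["config: key=AKIAIOSFODNN7EXAMPLE", "user bob@example.com"]),
    CloudResource("public-website-assets", True, False, 2, ["<html>hello</html>"]),
    CloudResource("hr-archive", False, False, 0, ["contact carol@example.com"]),
]
```

Running `prioritize(INVENTORY)` ranks the internet-reachable bucket holding card data first, the privately stored training set with an embedded access key and excessive entitlements second, and leaves the exposed-but-empty website bucket last, which is the ordering neither a scanner nor a data classifier produces on its own.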
This Data Privacy Day, do better by taking action to protect the data that your organization relies upon to function and that you’re trusted to protect, wherever it resides.

Learn more

Webinar: Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?
Blog: Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources
Data Sheet: Data Security Posture Management (DSPM) Integrated into Tenable Cloud Security
Data Sheet: Securing AI Resources and Data in the Cloud with Tenable Cloud Security
Video: Demo Video: Data Security Posture Management and AI Security Posture Management
Analysis Summary
# Best Practices: Cybersecurity in the Age of AI and Cloud Complexity
## Overview
These practices address the increased complexity in data privacy and security introduced by the widespread adoption of Artificial Intelligence (AI) technologies and expanding cloud environments. The focus is on managing the resulting expanded attack surface and data exposure risks.
## Key Recommendations
### Immediate Actions
1. **Perform comprehensive asset discovery and inventory:** Immediately map all cloud assets (including SaaS, IaaS, PaaS) and identify where sensitive data resides to establish baseline visibility.
2. **Implement foundational Cloud Security Posture Management (CSPM):** Deploy tools to continuously monitor cloud configurations against established security benchmarks to identify immediate misconfigurations leading to exposure.
3. **Verify and enforce strong Identity and Access Management (IAM) controls:** Audit standing privileges for both human and non-human identities across cloud environments, removing excessive or unnecessary permissions.
### Short-term Improvements (1-3 months)
1. **Establish continuous Attack Path Analysis:** Use integrated platforms to model potential attack paths that leverage vulnerabilities and misconfigurations across IT infrastructure, cloud, and identities.
2. **Adopt Cloud Infrastructure Entitlement Management (CIEM):** Implement CIEM capabilities to continuously monitor and right-size permissions for cloud identities, shifting from broad permissions to the principle of least privilege.
3. **Integrate vulnerability management with patch management workflows:** Shorten the Mean Time To Remediate (MTTR) by automating the coordination between vulnerability identification and patch deployment across enterprise and cloud assets.
### Long-term Strategy (3+ months)
1. **Develop an integrated Exposure Management Strategy:** Adopt an Exposure Management Platform approach that unifies visibility across Vulnerability Exposure, Cloud Exposure, OT/IoT Exposure, and Identity Exposure for holistic risk reduction.
2. **Automate Security Governance for AI/ML Environments:** Establish automated checks and guardrails within the CI/CD pipeline (shifting security left) to ensure AI model training data, deployed models, and associated infrastructure comply with privacy and security standards.
3. **Enhance reporting for business risk communication:** Implement metrics and reporting mechanisms that translate cyber findings (vulnerabilities, misconfigurations) into quantifiable business risk metrics relevant to executive stakeholders.
## Implementation Guidance
### For Small Organizations
- **Focus on SaaS Security:** Prioritize securing the most commonly used cloud services (e.g., M365, G-Suite) through automated configuration checks and strong multi-factor authentication (MFA).
- **Utilize native cloud security tools:** Leverage built-in security features provided by major cloud vendors initially, supplementing with essential point solutions for vulnerability scanning (e.g., Nessus Expert).
- **Prioritize remediation based on business impact:** Since resources are limited, focus remediation efforts on critical assets explicitly containing regulated or sensitive data, informed by unified risk scoring.
### For Medium Organizations
- **Implement a unified vulnerability management system:** Deploy a central platform (like Tenable Security Center) to aggregate findings from cloud, on-premise, and web applications, enabling cross-environment analysis.
- **Introduce Just-in-Time (JIT) Access:** For high-value cloud resources, limit standing access by deploying JIT access controls, requiring temporary, pre-approved permissions for operational tasks.
- **Establish baseline compliance monitoring:** Set up continuous monitoring against common industry frameworks like CIS Benchmarks for primary cloud service providers.
### For Large Enterprises
- **Mandate comprehensive Exposure Management:** Deploy a full Exposure Management Platform to gain unified visibility across the entire attack surface (IT, Cloud, OT/IoT).
- **Develop automated remediation playbooks:** Create and test automated responses for common high-severity cloud misconfigurations identified via CSPM/CIEM tools.
- **Formalize Open Source Security Governance:** Implement tools to discover and manage security risks associated with open-source components used in custom cloud applications or AI pipelines.
## Configuration Examples
*Note: Specific configuration details (like exact CLI commands or console paths) are not provided in the source text, but the necessary tooling categories are defined.*
| Component | Best Practice Configuration Focus | Supporting Tool Category |
| :--- | :--- | :--- |
| **Cloud Identity** | Enforce least privilege via permissions boundary enforcement and routine entitlement review. | CIEM (Cloud Infrastructure Entitlement Management) |
| **Cloud Workloads** | Ensure infrastructure-as-code templates are scanned for misconfigurations before deployment. | CNAPP/CSPM |
| **Vulnerability Management** | Configure asset scanning agents to report findings in near real-time to a central risk exposure dashboard. | Vulnerability Management Platform |
| **Access Control** | Implement time-bound access requests for sensitive operational roles over standing access. | Just-in-Time (JIT) Access Controls |
## Compliance Alignment
The practices inherently support compliance objectives across several standards by focusing on visibility, risk reduction, and adherence to secure configurations:
- **NIST Cybersecurity Framework (CSF):** Addresses Identify, Protect, and Detect functions through asset management, configuration management, and continuous monitoring.
- **ISO 27001/27002:** Governs controls related to asset management, access control, and operational security management.
- **CIS Benchmarks:** Continuous monitoring of cloud environments aligns directly with CIS configuration assessment requirements.
- **SLCGP Requirements:** The need to streamline security and IT collaboration and shorten MTTR is directly supported by adopting integrated patch management and exposure management solutions.
## Common Pitfalls to Avoid
- **Treating Cloud Security as Traditional Security:** Failing to recognize that identity and configuration are the new perimeter in cloud environments, leading to insufficient focus on IAM and CSPM.
- **Data Silos in Risk Reporting:** Allowing vulnerability data, cloud configuration data, and identity risk data to remain separated, which prevents accurate attack path modeling and prioritization.
- **Ignoring Non-Human Identities:** Over-focusing on human user access while allowing legacy service accounts or overly permissive roles associated with automated cloud processes to persist unchecked.
- **Static Assessments:** Relying solely on periodic scans rather than implementing continuous, dynamic assessment tools for cloud posture and emerging threats.
## Resources
- **Exposure Management Platforms:** Utilizing vendors offering unified solutions covering Vulnerability, Cloud, OT/IoT, and Identity Exposure.
- **Cloud Security Posture Management (CSPM) Tools:** Essential for continuous compliance verification against cloud benchmarks.
- **Cloud Infrastructure Entitlement Management (CIEM) Tools:** Necessary for managing the complexity of cloud permissions at scale.
- **Vulnerability Assessment Tools:** Solutions for deep scanning across IT and cloud boundaries (e.g., Tenable Nessus/Nessus Expert).
- **SLCGP Documentation:** For organizations adhering to requirements related to streamlining remediation efforts.