1736549903-data-security-best-practices
Data security best practices
Companies today must protect their most sensitive information.
With the rapid growth of cloud data storage, they face
increasingly sophisticated threats, making it critical to establish
robust security measures to safeguard data against breaches,
unauthorized access, and malicious attacks.
As cyber threats evolve, cloud data security requires an adaptable approach that includes encryption,
access control, and continuous monitoring. However, achieving data compliance and proper governance
in complex cloud environments is challenging. The widespread use of multiple cloud platforms can lead
to data sprawl and visibility issues, making tracking and securing information across various
environments difficult. As a result, implementing robust data access governance and utilizing automated
tools to streamline security and compliance management becomes essential.
This cheat sheet offers data security best practices for protecting sensitive data in cloud environments.
Covering topics like data classification, encryption, compliance, and real-time monitoring, these
strategies will help organizations enhance their security posture, ensuring data detection and response
efforts are proactive and effective.
Insider threats, either through intentional or accidental actions, can be devastating. Additionally, malware
and ransomware attacks have grown increasingly sophisticated, using social engineering or exploiting
system vulnerabilities to infiltrate environments and encrypt or steal data.
Experiencing a data breach can mean extensive setbacks in terms of your finances, operations, and
reputation. The costs associated with investigating breaches, notifying affected customers, handling legal
repercussions, and restoring services make data breaches a top concern for any security strategy.
Cloud environments also introduce complex attack vectors. Misconfigured storage buckets, excessive
permissions, unencrypted data, and unmonitored endpoints all widen the attack surface. AI data exposure
is one example: the vast data sets used to train machine learning (ML) models can unintentionally
include sensitive records, and those records can then be exposed. Without comprehensive tools to
track and protect this data, organizations face both non-compliance and data loss.
DSPM solutions automate data discovery, identifying sensitive data across storage buckets,
databases, and SaaS applications using custom classifiers or ones mapped to regulatory definitions
such as GDPR and HIPAA. Data governance tools can enforce policies and streamline discovery by
assigning metadata tags and labels. Continuous classification across cloud platforms helps ensure no
sensitive information goes undetected and provides ongoing protection against accidental data exposure.
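As an added example (not code from the original page or from Wiz), the following Go program shows the detector-plus-validator pattern that classification relies on: regular expressions find candidate values, a second check such as the Luhn checksum rejects look-alikes, and the surviving hits are collapsed into labels that a tagging policy can key on. The sample objects, the label names (PII, PCI, SECRET) and the detector set are constructed for the example; a real classifier carries many more detectors and maps its labels onto the organization's own regulatory definitions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one classification hit: the detector that fired, the label it
// assigns, and a redacted preview that is safe to include in an alert.
type Finding struct {
	Detector, Label, Preview string
}

type detector struct {
	name, label string
	re          *regexp.Regexp
	validate    func(string) bool // optional check that cuts false positives
}

// Label names are a local convention for this example (assumption); a real
// classifier maps them onto its own policy or regulatory definitions.
var detectors = []detector{
	{"email", "PII", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), nil},
	{"us-ssn", "PII", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), nil},
	{"payment-card", "PCI", regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`), luhnValid},
	{"aws-access-key-id", "SECRET", regexp.MustCompile(`\b(?:AKIA|ASIA)[A-Z0-9]{16}\b`), nil},
}

// luhnValid strips separators and applies the Luhn checksum, so a random
// 13-19 digit number (an order ID, say) is not reported as a card number.
func luhnValid(s string) bool {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(s)
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// redact keeps only the last four characters so alerts never carry the value.
func redact(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// Classify runs every detector over text and returns one Finding per match
// that survives the detector's validator.
func Classify(text string) []Finding {
	var out []Finding
	for _, d := range detectors {
		for _, m := range d.re.FindAllString(text, -1) {
			if d.validate != nil && !d.validate(m) {
				continue
			}
			out = append(out, Finding{d.name, d.label, redact(m)})
		}
	}
	return out
}

// Labels collapses findings to the sorted, de-duplicated set of labels, which
// is what a tagging policy (e.g. "PCI: restrict to the payments role") keys on.
func Labels(text string) []string {
	seen := map[string]bool{}
	for _, f := range Classify(text) {
		seen[f.Label] = true
	}
	labels := make([]string, 0, len(seen))
	for l := range seen {
		labels = append(labels, l)
	}
	sort.Strings(labels)
	return labels
}

func main() {
	// Constructed sample objects standing in for rows pulled from a bucket or database.
	samples := map[string]string{
		"exports/customers.csv": "jane@example.com,123-45-6789,4111 1111 1111 1111",
		"logs/app.log":          "order 4111111111111112 shipped; ref 1234567890123",
		"config/.env":           "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
	}
	for path, body := range samples {
		fmt.Printf("%-22s -> %v\n", path, Labels(body))
	}
}
```

The log line is the instructive case: both numbers in it are 13 to 16 digits long and match the card pattern, but neither passes the Luhn check, so the object is left unlabelled instead of being tagged PCI and routed to a restricted tier.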
For data in transit, use TLS (transport layer security), version 1.2 or later, to safeguard data as it
moves across networks; its predecessor SSL (secure sockets layer) is deprecated and should be disabled.
Encryption key management is crucial, since a compromised key nullifies every encryption that depends
on it. Hardware security modules (HSMs) are recommended for key storage: keys are generated and used
inside the module and never leave it in plaintext, which adds a layer of physical and cryptographic
protection.
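The point that a compromised key nullifies encryption is why HSM-backed and cloud key services use envelope encryption. As an added example (not the page's or Wiz's code), this Go program implements it with AES-256-GCM from the standard library: each object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK), and rotating the KEK only re-wraps DEKs without re-encrypting the data. The in-memory KEK is an assumption standing in for a key that in production never leaves the HSM or KMS; the key IDs and the sample plaintext are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK is a key-encryption key. In production it lives in an HSM or cloud KMS
// and only wrap/unwrap requests cross that boundary; this in-memory stand-in
// (assumption) lets the example run offline.
type KEK struct {
	ID  string
	key []byte
}

// Envelope is what gets stored beside the object.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // AES-GCM(kek, dek), nonce prepended
	Ciphertext []byte // AES-GCM(dek, plaintext), nonce prepended
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func NewKEK(id string) *KEK { return &KEK{ID: id, key: randomBytes(32)} }

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM and binds aad (the KEK ID or object name)
// so a blob cannot be silently swapped into another context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt: fresh DEK per object, data under the DEK, DEK under the KEK.
// The plaintext DEK is dropped as soon as it has been wrapped.
func Encrypt(kek *KEK, objectName string, plaintext []byte) (*Envelope, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek.key, dek, []byte(kek.ID))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKID: kek.ID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK the envelope names, then opens the data.
func Decrypt(kek *KEK, objectName string, env *Envelope) ([]byte, error) {
	if kek.ID != env.KEKID {
		return nil, fmt.Errorf("envelope was wrapped by %q, not %q", env.KEKID, kek.ID)
	}
	dek, err := open(kek.key, env.WrappedDEK, []byte(kek.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectName))
}

// Rotate re-wraps the DEK under a new KEK and leaves the ciphertext alone,
// which is what makes KEK rotation cheap even for terabytes of objects.
func Rotate(oldKEK, newKEK *KEK, env *Envelope) error {
	dek, err := open(oldKEK.key, env.WrappedDEK, []byte(oldKEK.ID))
	if err != nil {
		return fmt.Errorf("unwrap with old KEK: %w", err)
	}
	wrapped, err := seal(newKEK.key, dek, []byte(newKEK.ID))
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newKEK.ID, wrapped
	return nil
}

func main() {
	k1, k2 := NewKEK("kek-2024"), NewKEK("kek-2025")
	env, _ := Encrypt(k1, "customers.csv", []byte("jane@example.com,123-45-6789")) // constructed sample
	_ = Rotate(k1, k2, env)
	pt, err := Decrypt(k2, "customers.csv", env)
	fmt.Printf("after rotation: %q (err=%v)\n", pt, err)
	_, err = Decrypt(k1, "customers.csv", env)
	fmt.Println("old KEK after rotation:", err)
}
```

Two properties worth noticing: the object name is authenticated data on the ciphertext, so an envelope copied onto a different object fails to open, and once a KEK is retired it cannot unwrap anything, which is the property you need before you can say a compromised key has actually been rotated out.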
Multi-factor authentication (MFA) strengthens access controls further by requiring more than one form
of identity proof before access is granted. Identity and access management (IAM) solutions in cloud
platforms can automate and track permissions, while a DSPM integrated with a CIEM (cloud infrastructure
entitlement management) tool can provide complete visibility into effective permissions in the cloud,
that is, what each identity can actually do once every allow and deny policy attached to it is combined.
The solution should also detect identity risks such as excessive privileges, standing admin permissions,
or inactive users and offer remediation guidance to scope permissions down.
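Effective permissions are what an identity can actually do once every statement across its policies is combined. As an added example (not the page's or Wiz's code), this Go program evaluates IAM-style Allow/Deny statements with wildcard matching, deny-overrides-allow and implicit deny, then reports the identity risks named above: wildcard admin rights, inactive identities, and read access to a classified object, with a scope-down hint for each. The identities, the probe ARN and the 90-day inactivity threshold are constructed assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Statement is one IAM-style policy statement; '*' is a wildcard in both
// action and resource patterns.
type Statement struct {
	Effect    string // "Allow" or "Deny"
	Actions   []string
	Resources []string
}

// Identity is a user or role with its attached statements and last activity.
type Identity struct {
	Name     string
	Policies []Statement
	LastSeen time.Time
}

// wildcardMatch turns an IAM '*' glob into an anchored regular expression.
func wildcardMatch(pattern, value string) bool {
	re := "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	ok, _ := regexp.MatchString(re, value)
	return ok
}

func anyMatch(patterns []string, value string) bool {
	for _, p := range patterns {
		if wildcardMatch(p, value) {
			return true
		}
	}
	return false
}

// Effective answers "can this identity do action on resource?" the way IAM
// evaluates it: an explicit Deny wins, otherwise at least one matching Allow
// is required (everything not allowed is implicitly denied).
func Effective(id Identity, action, resource string) bool {
	allowed := false
	for _, st := range id.Policies {
		if !anyMatch(st.Actions, action) || !anyMatch(st.Resources, resource) {
			continue
		}
		if st.Effect == "Deny" {
			return false
		}
		allowed = true
	}
	return allowed
}

// Risk is one identity finding with a scope-down hint.
type Risk struct{ Identity, Kind, Remediation string }

const inactiveAfter = 90 * 24 * time.Hour // threshold is an assumption

// AssessRisks reports wildcard admin rights, identities that have gone quiet,
// and read access to sensitiveObject, a probe ARN standing for classified data.
func AssessRisks(ids []Identity, sensitiveObject string, now time.Time) []Risk {
	var risks []Risk
	for _, id := range ids {
		if Effective(id, "*", "*") {
			risks = append(risks, Risk{id.Name, "admin-wildcard", "replace Allow */* with the actions and resources actually used"})
		}
		inactive := now.Sub(id.LastSeen) > inactiveAfter
		if inactive {
			risks = append(risks, Risk{id.Name, "inactive", "disable now; re-provision on request"})
		}
		if Effective(id, "s3:GetObject", sensitiveObject) {
			kind := "sensitive-data-read"
			if inactive { // dormant identity that can still read classified data: scope down first
				kind += "-unused"
			}
			risks = append(risks, Risk{id.Name, kind, "narrow the resource pattern to the prefixes this principal needs"})
		}
	}
	return risks
}

func main() {
	now := time.Date(2025, 1, 10, 0, 0, 0, 0, time.UTC)
	pii := "arn:aws:s3:::pii-exports/customers.csv" // constructed probe object
	ids := []Identity{ // constructed identities
		{"ci-deployer", []Statement{{"Allow", []string{"*"}, []string{"*"}}}, now.Add(-24 * time.Hour)},
		{"analyst-bob", []Statement{{"Allow", []string{"s3:Get*", "s3:List*"}, []string{"arn:aws:s3:::*"}}}, now.Add(-120 * 24 * time.Hour)},
		{"app-role", []Statement{
			{"Allow", []string{"s3:GetObject"}, []string{"arn:aws:s3:::app-assets/*"}},
			{"Deny", []string{"s3:*"}, []string{"arn:aws:s3:::pii-exports/*"}},
		}, now},
	}
	for _, r := range AssessRisks(ids, pii, now) {
		fmt.Printf("%-12s %-27s %s\n", r.Identity, r.Kind, r.Remediation)
	}
}
```

The app-role case is the one a permissions listing alone gets wrong: its Allow looks harmless and its Deny is in a separate statement, and only evaluating them together shows it cannot reach the classified bucket, so it generates no finding while the broadly scoped analyst does.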
Compliance automation tools or a DSPM solution can track relevant controls and map them to cloud
policies to align with regulations and continuously assess compliance posture against them. Compliance
audits validate adherence to standards by examining data storage, access controls, and monitoring
practices.
Automated configuration scanning tools such as CSPM tools offer continuous monitoring and can be
configured to alert when resources deviate from established baselines. Infrastructure-as-code tools
like Terraform can enforce secure configurations as code, which helps maintain consistent settings
across your environment and makes every deviation a reviewable diff.
Agentless vulnerability management tools can scan cloud-native resources without requiring software
installation, reducing blind spots. Automated patch management systems streamline updates, ensuring
vulnerabilities are quickly addressed. Consistently auditing for vulnerabilities helps mitigate threats
before they can be exploited.
Secure coding practices and code reviews are essential, as are secret scanning and data scanning
solutions, which find credentials and sensitive data where they should not be so they can be moved
into centralized, protected storage.
Data security posture management (DSPM) tools add context by correlating data risks with the
surrounding cloud context, allowing security teams to prioritize the high-impact attack paths that
lead to data. This helps organizations focus on the data risks that actually matter: the toxic
combinations, for example a publicly reachable workload with an exploitable vulnerability and a role
that can read classified data.
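Prioritizing by attack path rather than by isolated finding can be shown with a small graph search. As an added example (not the page's or Wiz's code), this Go program takes an inventory whose nodes carry the facts a CSPM and DSPM already know (public exposure, an exploitable vulnerability, classification labels), breadth-first searches from every asset an attacker could start at without credentials, and keeps the paths that end on classified data, highest score first. The asset names, edges, label weights and scoring rule are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node is a cloud asset carrying the facts an inventory already holds for it.
type Node struct {
	ID, Kind string   // kinds used here: vm, role, bucket, db
	Public   bool     // internet-reachable (vm) or publicly readable (bucket)
	Vuln     bool     // has an exploitable, unpatched vulnerability (vm)
	Labels   []string // classification labels on a data store, e.g. PII, PCI
}

// Graph edges read "from can reach, assume, or read to".
type Graph struct {
	Nodes map[string]Node
	Edges map[string][]string
}

func NewGraph() *Graph                { return &Graph{Nodes: map[string]Node{}, Edges: map[string][]string{}} }
func (g *Graph) Add(n Node)           { g.Nodes[n.ID] = n }
func (g *Graph) Link(from, to string) { g.Edges[from] = append(g.Edges[from], to) }

// Path is one attack path ending at classified data, with a priority score.
type Path struct {
	Hops  []string
	Score int
}

// Weights and the hop penalty are illustrative (assumption).
var labelWeight = map[string]int{"PII": 30, "PHI": 40, "PCI": 40, "SECRET": 50}

func score(n Node, hops int) int {
	s := 50 - 10*(hops-1) // the more hops an attacker needs, the lower the priority
	for _, l := range n.Labels {
		s += labelWeight[l]
	}
	return s
}

// entryPoints are assets an attacker can start from with no credentials.
func (g *Graph) entryPoints() []string {
	var ids []string
	for id, n := range g.Nodes {
		if (n.Kind == "vm" && n.Public && n.Vuln) || (n.Kind == "bucket" && n.Public) {
			ids = append(ids, id)
		}
	}
	sort.Strings(ids) // map order is random; keep output deterministic
	return ids
}

type item struct {
	id   string
	hops []string
}

// AttackPaths breadth-first searches from each entry point and keeps every
// path that reaches a data store with a classification label, best first.
// Each such path is a toxic combination: exposure plus a vulnerability on one
// asset, chained through privileges to sensitive data.
func (g *Graph) AttackPaths() []Path {
	var paths []Path
	for _, start := range g.entryPoints() {
		queue := []item{{start, []string{start}}}
		visited := map[string]bool{start: true}
		for len(queue) > 0 {
			cur := queue[0]
			queue = queue[1:]
			if n := g.Nodes[cur.id]; (n.Kind == "bucket" || n.Kind == "db") && len(n.Labels) > 0 {
				paths = append(paths, Path{cur.hops, score(n, len(cur.hops))})
			}
			for _, next := range g.Edges[cur.id] {
				if !visited[next] {
					visited[next] = true
					queue = append(queue, item{next, append(append([]string{}, cur.hops...), next)})
				}
			}
		}
	}
	sort.SliceStable(paths, func(i, j int) bool { return paths[i].Score > paths[j].Score })
	return paths
}

// buildSampleGraph is a constructed inventory, not real infrastructure.
func buildSampleGraph() *Graph {
	g := NewGraph()
	g.Add(Node{ID: "web-vm", Kind: "vm", Public: true, Vuln: true})
	g.Add(Node{ID: "batch-vm", Kind: "vm", Vuln: true}) // vulnerable but not exposed
	g.Add(Node{ID: "web-role", Kind: "role"})
	g.Add(Node{ID: "pii-exports", Kind: "bucket", Labels: []string{"PII", "PCI"}})
	g.Add(Node{ID: "app-assets", Kind: "bucket"})
	g.Add(Node{ID: "old-backups", Kind: "bucket", Public: true, Labels: []string{"PII"}})
	g.Add(Node{ID: "customers-db", Kind: "db", Labels: []string{"PII"}})
	g.Link("web-vm", "web-role")
	g.Link("web-role", "pii-exports")
	g.Link("web-role", "app-assets")
	g.Link("batch-vm", "customers-db")
	return g
}

func main() {
	for _, p := range buildSampleGraph().AttackPaths() {
		fmt.Printf("score %3d  %s\n", p.Score, strings.Join(p.Hops, " -> "))
	}
}
```

Run on the sample inventory, the two vulnerable VMs are not equal: batch-vm has the same unpatched flaw and reaches a PII database, but it is not internet-facing, so it produces no path and drops out of the priority list, while the public, vulnerable web-vm chained to a role that reads a PII and PCI bucket ranks first.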
DSPM tools analyze access log events to identify unusual data access patterns, such as bulk
downloads or access attempts from unknown locations. They also support audits by retaining access
logs for the periods that compliance requirements mandate.
Automated alerts for unauthorized access attempts further enhance security by ensuring timely
responses to potential threats.
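The two patterns named above, bulk downloads and access from unknown locations, as detection logic run over constructed access events; this is an added example, not the page's or Wiz's code. It uses CIDR membership for the location rule and a per-principal sliding time window for the bulk rule, which is what keeps the second rule honest: fifty objects inside a minute is exfiltration-shaped, fifty spread across a day is a normal analyst. The network ranges, thresholds, principals and addresses are constructed assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"time"
)

// Event is one data-access record, a trimmed-down storage access log entry.
type Event struct {
	Time      time.Time
	Principal string
	Action    string // e.g. GetObject, ListBucket
	Bucket    string
	SourceIP  string
}

type Alert struct{ Principal, Rule, Detail string }

// Policy holds the tunables: where legitimate access comes from, and how many
// GetObject calls inside how short a window count as a bulk download.
type Policy struct {
	KnownNets   []netip.Prefix
	BulkWindow  time.Duration
	BulkObjects int
}

func mustPrefixes(cidrs ...string) (out []netip.Prefix) {
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

func inAny(nets []netip.Prefix, a netip.Addr) bool {
	for _, n := range nets {
		if n.Contains(a) {
			return true
		}
	}
	return false
}

// Detect applies two rules: access from outside the known networks (one alert
// per principal and address) and a per-principal sliding window over GetObject
// calls that reaches the bulk threshold. Events are sorted by time first, so
// input order does not matter; alerts come back sorted for stable output.
func Detect(events []Event, p Policy) []Alert {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	var alerts []Alert
	seenLocation := map[string]bool{}
	reads := map[string][]Event{}
	for _, e := range events {
		addr, err := netip.ParseAddr(e.SourceIP)
		key := e.Principal + "@" + e.SourceIP
		if (err != nil || !inAny(p.KnownNets, addr)) && !seenLocation[key] {
			seenLocation[key] = true
			alerts = append(alerts, Alert{e.Principal, "unknown-location",
				fmt.Sprintf("%s %s %s from %s", e.Time.Format(time.RFC3339), e.Action, e.Bucket, e.SourceIP)})
		}
		if e.Action == "GetObject" {
			reads[e.Principal] = append(reads[e.Principal], e)
		}
	}
	for principal, evs := range reads {
		start := 0 // window start; advances until the window is no wider than BulkWindow
		for end := range evs {
			for evs[end].Time.Sub(evs[start].Time) > p.BulkWindow {
				start++
			}
			if end-start+1 >= p.BulkObjects {
				alerts = append(alerts, Alert{principal, "bulk-download",
					fmt.Sprintf("%d objects from %s within %s starting %s", end-start+1, evs[end].Bucket, p.BulkWindow, evs[start].Time.Format(time.RFC3339))})
				break // one alert per principal is enough; the detail carries the window
			}
		}
	}
	sort.Slice(alerts, func(i, j int) bool {
		return alerts[i].Principal+alerts[i].Rule < alerts[j].Principal+alerts[j].Rule
	})
	return alerts
}

func main() {
	p := Policy{KnownNets: mustPrefixes("10.0.0.0/8", "198.51.100.0/24"), BulkWindow: 5 * time.Minute, BulkObjects: 50}
	base := time.Date(2025, 1, 10, 3, 0, 0, 0, time.UTC)
	var events []Event
	// Constructed sample: alice reads five objects across a workday from the office
	// egress; bob pulls sixty objects in a minute from an address nobody recognizes.
	for i := 0; i < 5; i++ {
		events = append(events, Event{base.Add(time.Duration(i) * time.Hour), "alice", "GetObject", "pii-exports", "198.51.100.9"})
	}
	for i := 0; i < 60; i++ {
		events = append(events, Event{base.Add(time.Duration(i) * time.Second), "bob", "GetObject", "pii-exports", "203.0.113.7"})
	}
	for _, a := range Detect(events, p) {
		fmt.Printf("%-6s %-17s %s\n", a.Principal, a.Rule, a.Detail)
	}
}
```

In practice the known-network list comes from the VPC and corporate egress inventory and the bulk threshold is set per bucket from its observed baseline; a single global number either misses slow exfiltration or pages on every nightly ETL job.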
Protecting AI training datasets requires visibility into the training data present in the environment
and scanning it for sensitive data and other data risks. DSPM tools extend to AI pipelines, providing
data security posture capabilities for training data and allowing AI to be adopted securely.
Leveraging DSPM
Data security posture management tools offer automated data asset discovery and classification, as well
as proactive data risk assessments and continuous monitoring. They also integrate with security
workflows, unifying data security and real-time compliance insights into a single pane of glass.
Wiz's DSPM platform offers visibility and context-aware risk prioritization across cloud environments,
continuously discovering and classifying data, assessing risks, and enforcing data governance policies.
The platform also works seamlessly with cloud providers, helping organizations address data security
gaps.
DSPM strengthens security postures and enables quicker responses to emerging risks while reducing the
demands on security teams.
To safeguard against breaches, organizations must invest in proactive cloud data security measures,
including automation, monitoring, and compliance. Adopting these best practices helps protect data
With its advanced DSPM solutions, Wiz enables organizations to simplify complex security environments,
Actionable checklist
Define sensitive data specific to your organization
Wiz DSPM helps organizations discover and protect their critical data in
the cloud with agentless visibility into where sensitive data is, who can
access what data, and attack paths to critical data. See how today.