Kevin Bogusch | Oracle Senior Competitive Intelligence Analyst | January 22, 2024
The deceptively simple definition of data egress is just “data leaving a network.” Of course, monitoring and controlling data egress has never been a simple matter. And in our modern world of ecommerce, cloud-hosted IT infrastructure, and the growing threat of cyberattacks, IT professionals and business managers alike need a nuanced understanding of data egress and its related costs and security risks.
Costs, for example, are a concern for companies with IT infrastructure in the cloud because cloud vendors typically charge for data egress, and those charges can add up. Data egress security concerns, meanwhile, center on valuable or sensitive information that may be accidentally transmitted out of the network or deliberately stolen by a threat actor who seeks to embarrass an organization or hold the data for ransom.
Reliance on the internet and mobile apps means data egress and its risks are just part of doing business. Monitoring these data flows is essential to limit financial and security threats.
Data egress refers to the information that flows out from a network—whether via email, interactions with websites, or file transfers—to cloud storage containers or other sources. This is how modern organizations communicate with one another and with customers. As businesses migrate to cloud infrastructures and adopt software-as-a-service (SaaS) applications, they consume these services via data egress and ingress as well. In fact, unless an organization operates a military-grade air-gapped network that has absolutely no connections beyond its own boundaries, information is constantly flowing in and out.
Before the arrival of the public internet and cloud computing in the early 1990s, corporate networks were generally closed or linked only to networks that were consciously chosen by an organization. Such links were made via dedicated private network lines purchased from telecommunications carriers. At the time, the risks posed by data egress were entirely tied to security—that is, the potential for sensitive information to be leaked or stolen.
Now, with most corporate networks exposed to the internet, those security risks have increased exponentially. In addition, a new cost risk has emerged because cloud service providers charge for data egress, sometimes in counterintuitive and surprising ways.
Data Egress vs. Data Ingress
The traditional concept of data egress is strictly related to data leaving a corporate network, while data ingress is commonly understood as unsolicited data coming into a network. When information is sent into the network in response to an internal request, firewalls typically let it through unhindered. To protect the organization, firewalls generally stop unsolicited data unless specific rules have been established to the contrary.
The economics of cloud computing complicate this simple model. Cloud service providers charge per-gigabyte fees for data egress but generally allow data ingress at no cost. Additionally, cloud services have introduced new concepts for data egress that, in practice, establish more types of network boundaries than the traditional corporate network perimeter. For example, with Amazon Web Services (AWS), traffic on the same virtual network often is metered and charged when moving between availability zones. Availability zones refer to cloud data centers that may be in the same geographic region but have, for instance, different network carriers and power providers that make it highly unlikely that they will fail at the same time. By distributing resources across multiple availability zones, cloud providers can minimize the impact of hardware failures, natural disasters, and network outages on their services. But though availability zones are ultimately a positive, the related egress fees can present a significant, unanticipated cost burden, especially when a business first migrates to the cloud.
Regarding monitoring and security, it’s important to profile both data ingress and egress. While unknown ingress traffic is typically blocked by firewalls, profiling that traffic can provide useful threat information for security teams. Due to the nature and prevalence of firewalls, monitoring ingress is common. However, far fewer organizations monitor data egress as carefully. Firewalling and limiting egress traffic to known targets can limit the impact of attacks and provide protection from malware.
Data egress is a constant that must be carefully managed in terms of security and cost. For example, if a business shares its product catalog on a customer-facing website, the data has to leave the internal network where the catalog is maintained and traverse the internet to reach the browser where the customer is viewing the site. Whether a business is sharing data with subsidiaries or partners or interacting with customers via the internet, there will always be some volume of data leaving the company network.
For enterprises that have moved part or all their IT infrastructures into the cloud, any data movement may incur cloud data egress costs depending on their provider and the design of their applications.
Beyond the expense, data egress also poses the risk of exposing sensitive data to unauthorized or unintended recipients. Organizations must monitor for malicious activities from external threat actors while watching out for internal attacks such as data exfiltration by insiders. Protecting an organization against these attacks requires a comprehensive approach that includes a solid network design, continuous monitoring, and properly configured cloud application architectures. Typically, organizations will limit data egress using firewalls, monitoring outgoing traffic for anomalies or malicious activity. IT security groups may also take steps to restrict high-volume data transfers and block specific outbound destinations.
Effective monitoring requires an in-depth understanding of normal traffic patterns and how they differ during an attack or data exfiltration incident. It can also present a real challenge for IT organizations. The most common way to monitor data egress traffic is to review and analyze log files from network devices at the edge of cloud or on-premises networks. The sheer volume of traffic from those devices, however, makes this an arduous task for administrators. Many firms use security information and event management (SIEM) tools to better understand threats. SIEM tools typically include intelligence around known threat patterns, regulatory compliance, and automated updates to adapt to new threats. While implementing SIEM systems isn’t a simple process, doing so can improve an organization’s understanding of data egress patterns, enabling security teams to identify attacks much earlier.
For example, a sudden surge in data egress could indicate a data exfiltration attack, where a threat actor exports large amounts of data to an external host or service. Likewise, careful monitoring and control of data egress patterns can help identify malware that’s already present within a corporate network as it tries to seek further instructions from its command-and-control network. Many modern ransomware attacks attempt to exfiltrate large volumes of data to extort funds from an organization before encrypting that data. Tools including DLP, network traffic analysis systems such as packet sniffers, and user behavior analytics to detect abnormal patterns can help IT detect exfiltration. Egress filtering, where IT monitors outbound traffic and blocks traffic deemed to be malicious, helps mitigate these risks too.
Beyond firewalls, organizations also use DLP software to protect against data exfiltration. These tools employ techniques such as cataloging and tagging data with sensitivity labels, encryption, and auditing to keep sensitive data from leaving the network.
As well as driving up cloud costs, substantial data egress can indicate several types of threats, including a data exfiltration attack by a threat actor or malware moving laterally within a corporate network via subnet communications.
Organizations can mitigate the security risks around data egress in a number of ways, such as realigning cloud services to limit outbound traffic. The following seven best practices are used by many organizations to better control and manage data egress security risks:
Note that these practices aren’t separate one-off solutions; rather, they depend on each other. For example, the data categorization element of DLP and the creation of an egress policy would both inform firewall configurations and access-control settings.
Data egress charges can lead to some costly surprises early in an organization’s cloud migration process, so it’s important to monitor cloud data egress costs daily to ensure they’re within budget—and to investigate if they aren’t. All public cloud providers support alerts tied to spending, so data egress costs can be monitored just like a virtual machine’s CPU utilization. However, monitoring is only the first step in reducing the cost of cloud data egress. Here are a few tips for lowering egress costs in cloud applications.
While these changes may require a significant one-time investment to implement, they can ultimately lower recurring cloud bills, resulting in a strong return on the initial cost and better cloud cost management. If data egress fees make up a large portion of your organization’s cloud costs, prioritizing these changes over other engineering projects could be a net win.
Different cloud providers charge different amounts for data egress. Even with a single cloud provider, data egress pricing models can vary across individual services. Reducing the complexity and overall cost of data egress were among Oracle’s top considerations when building Oracle Cloud Infrastructure (OCI). By following these principles from the start, Oracle has been able to offer global pricing for several cloud services and far lower data egress costs than other providers—including Amazon Web Services (AWS) and Google Cloud.
OCI’s lower data egress rates enable enterprises to move significant volumes of data between cloud regions, either internally or to their customers. For example, OCI customers in North America and Europe would pay US$783 for 100 terabytes (TB) of outbound data to locations on the public internet, compared with around $8,000 for AWS and Google Cloud users. Customers that purchase an OCI FastConnect 10-gigabit-per-second dedicated private line pay a flat rate of $918 per month for unlimited data egress; assuming a 50% utilization of that line (1,620 TB transferred), the equivalent cost over an AWS Direct Connect private line would be $34,020.
OCI data egress pricing is a big differentiator for organizations building cloud services that require large amounts of bandwidth. Large-scale apps that take advantage of these rates include live video streaming, video conferencing, and gaming.
To assess what your organization’s data egress and other cloud costs would be as an Oracle Cloud customer, use the OCI cost estimator.
Unfettered data egress can pose both a security and a financial risk to organizations. Deploying a non–cloud native or poorly designed application in the cloud can lead to unchecked data egress costs and inadequate security that puts organizations at risk of data exfiltration and ransomware attacks.
As such, it’s important to restrict, fortify, and monitor outbound traffic from a company network. In short, organizations need to control where their data can travel and look out for any anomalous patterns. Best practices for network security organizations include implementing a good incident response plan and employing SIEM and DLP technologies. In addition, choosing the right cloud provider for their requirements and designing or re-architecting applications with data egress costs in mind can contribute significantly to an organization’s cloud ROI.
AI can help CIOs analyze data to optimize cloud spend and suggest code tweaks to architect to minimize egress. Learn how to harness the power of artificial intelligence now to address talent, security, and other challenges.
What is data egress cost?
In addition to the cost of compute and storage resources, cloud providers also meter and bill for data egress. While these costs can vary by cloud provider, they are typically charged on a per-gigabyte basis for data that travels between cloud regions, availability zones, or to the internet or on-premises networks. Data egress fees can also differ based on the target location and cloud provider. They can be reduced by compressing data, leveraging content delivery networks, and colocating data to limit cross-region traffic.
What is egress in cloud computing?
Egress is defined as data that goes from one network to another, but the term takes on further complexity in cloud computing. With virtual machines and networks, standard network traffic between cloud regions or availability zones is considered data egress. Additionally, data that travels from the cloud back to on-premises networks or the internet is also metered as data egress.