Cloud security is not just a popular topic these days, it could be the storyline for the next Tom Cruise movie. In just a few months, we’ve seen disclosures by a whistle-blowing former NSA spy, user errors that exposed over 126 billion files, and words like ‘encryption’ making their way into local evening news broadcasts.
Yet while there has been much discussion around how to secure your data once it’s in the cloud, perhaps we should take a step back. We need to start with how to securely migrate your data to the cloud in the first place.
Migration to SaaS
Clearly, there is risk in moving your applications and data from a presumably secure data center into the hands of a cloud service provider (CSP). If you’re using software as a service (SaaS) or other cloud applications, you should ensure that any link used to connect or upload information into your infrastructure is secured through SSL or similar protocols. There are also encryption gateway products that encrypt data before it leaves the data center and migrates to SaaS environments such as Salesforce. Of course, it’s also a good idea to understand your providers service level agreements (SLA) and agreements around security. By asking questions about their encryption guidelines and protocol on authorizing access, you will have a better idea of whether this particular CSP has the same standards of security that you need and expect.
Migration to IaaS
Organizations using Infrastructure as a Service (IaaS) have potentially even greater exposure. Most IaaS run on virtualized servers, as they are far easier to spin up and decommission than physical hardware. Plus, service providers have far better control for load balancing and scalability. So let’s explore the options available for moving data in and out of virtual machines in the cloud:
- See what your service provider can offer. There are many cloud and DR companies that offer the ability to securely migrate your data or VMs to the cloud. Consult with your services provider to see how they can help.
- Database replication. Most of the enterprise database vendors support database replication. Since the databases may not be physically next to each other many of the vendors have solved the security issues around migrating data between multiple instances. Depending on the vendor, this may also require a VPN connection between your data center and your VMs in the cloud.
- Secure FTP / SSH. Establishing a secure channel between a server in the data center and a server in the cloud is not hard. Linux/UNIX servers support SSH by default and there are SSH servers for Windows servers too. You may or may not choose to manage SSH key pairs to simplify the process.
- Homegrown tools to move unstructured data. This is where things get complicated. Unstructured data has many forms, and moving it securely can be like trying to put a very large octopus into a very small tank. There are a myriad of solutions available, often home-grown, using openSSL or other such tools. Zip up some files, encrypt them using openSSL, migrate them and reverse the operation at the other end.
A challenge with many of these approaches is that they are not always scalable for enterprise use: different administrators are managing passwords, SSH key pairs, and so on. You may have one solution for securing your data at rest in the cloud, one for backups and another for data migration. Got a headache yet?
Cloud security is still top of mind despite the number of organizations moving their data to this new infrastructure. Here’s a common scenario that I come across: IT wants to migrate data to cloud storage that can then be accessed by servers. For example, let’s look at Amazon AWS. They already have excellent interfaces for accessing storage like S3 and Glacier. It’s pretty easy to stuff some files in an S3 bucket, which you can subsequently access from your VMs. And you can just reverse the operation to pull the data back out again. Easy huh? Well, yes it is -- but can you do this securely?
It seems to me that if you already have a key management solution in place for protecting your data in the cloud, shouldn’t that system also provide the capability of allowing you to securely migrate data to and from the cloud too? I can define a set of VMs that can access specific sets of data (and no other VMs.) I then encrypt data and move the data between the VMs, through S3, Glacier or other cloud storage. I’m confident that no one else can access the data at any point in the process because I hold the keys.
Clearly, solutions for cloud security are still evolving. I’ve written before about some ways that you can take control of your data, even when it is hosted by a cloud service provider. What do you see as the next big challenge to tackle in building a secure cloud?