There are many benefits to be gained by using the public cloud. Cost efficiencies, elasticity and collaborative access are mentioned most often. But will your data be secure in the cloud? And who is responsible for keeping it safe? These topics bear further exploration.
For small organizations – typically those that can’t justify adding someone with ‘security’ in their title to the team – outsourcing to a cloud service provider (CSP) may be more secure than trying to build and maintain their own data center. But for larger companies, especially organizations that must comply with privacy regulations like HIPAA/HITECH or PCI DSS, ensuring and validating data privacy can be more challenging in a public cloud environment.
One of the big questions you should ask before moving data to a CSP is ‘Do I care if anyone sees this data, and if so, from whom do I want to protect it?’
Those with malicious intent: Hackers, overzealous competitors, or even CSP insiders have much to gain in your cloud. Most cloud infrastructures are highly virtualized, providing a very concentrated environment that co-mingles data from many different organizations, which becomes an attractive target.
Those who are unintentionally dumb: Hanlon’s razor says ‘Never attribute to malice that which is adequately explained by stupidity.’ Cloud infrastructure is immense and complicated, and mistakes happen. A simple misconfiguration can leave data exposed.
Those who carry a big stick: As Edward Snowden recently revealed, the government has also recognized that CSPs are a rich target for data. CSPs have cooperated fairly extensively with these requests, usually without notifying the data owner. While most organizations aren’t hosting data in the cloud that might get them in trouble, it still seems to be the general consensus we don’t want unauthorized people poking around our data.
Now the next question becomes, what is the best way to secure data in the cloud? Clearly, there are different types of ‘cloud.’ Infrastructure as a Service may need different tools than Software as a Service applications. Other considerations include what type of data you need to secure. Is it structured? Unstructured? All of the above?
The Cloud Security Alliance publishes a useful document that offers security guidance for cloud computing. Chapter 5, in particular, offers many good ideas for how to securely migrate to the cloud, as well as ways to secure data until it can be securely decommissioned.
Who bears responsibility?
Perhaps the most important question you must ask is ‘who should be responsible for the security and privacy of my data?’ While nothing exists in a vacuum, my answer to this question is resoundingly ‘YOU!’
As Gartner recently pointed out, most cloud service provider contracts are inadequate. While CSPs have invested extensively on availability and disaster recovery, they often ignore data privacy, integrity and breach remediation in their service level agreements (SLA).
Even if an SLA includes some security commitments, the issue of data access by privileged insiders is still a concern. It’s simply not enough to trust data privacy to your CSP. Google recently announced that it will encrypt stored client data for free – but noted that it will also manage and maintain the encryption keys. From a security perspective, that is a red flag.
Encrypting your data in the cloud is a great idea – but make sure you keep and maintain the encryption keys. This way, if the government comes knocking on the CSP’s door looking for your data, your prospective visitor will have to come to you directly if they want to decrypt it.
What to do?
When you boil it down, there are two key actions you need to take to ensure data privacy in the cloud.
Read your SLA. Make sure you know what your cloud service provider will commit to securing, and what they won’t. The latest draft of the Payment Card Industry Data Security Standard that was released for review last week emphasizes exactly this point. The handoff between you and your CSP is especially critical.
- BYOS. Bring your own security. Even if your service provider offers security capabilities like encryption, don’t just take them at face value. As we’ve recently learned, it is certainly possible for government organizations or hackers to insert technology that can bypass CSP encryption. (See also: Regardless of the NSA, you still need encryption.)
In short, if you are going to the cloud, bring your own security. You encrypt the data. You hold the keys. You maintain control.