The Problem With Securing Cloud Data
Security was already a complex topic. Then the cloud came along. The cloud, in any of its forms, offers an attractive price and performance alternative to the traditional data center. In some cases, it may even replace IT implementations altogether. Nevertheless, the cloud will have to support the same IT processes, services and best practices galvanized by years of experience running IT organizations. This is particularly true for data security and compliance services.
While clouds present an optimistic and attractive model for IT, there is a key caveat: Clouds offer different levels of ownership and outsourcing, which greatly complicate our approaches for ensuring data security. Data is the most critical asset for a company, but now it may be sitting in cloud data environments that are out of the enterprise’s control.
Think about how worried you are when the data is in your data center, managed by people you know. With the cloud, you might not even know where the servers are, who is sharing them, who is managing them or what processes are in place to protect them. The obvious question becomes, “What considerations should I make to protect my data so my organization can move securely and confidently to the cloud?”
Before starting, consider the best approach to protecting your data in general, and then ensure that those precepts are followed in the cloud environment.
A Risk-Based Approach
First, you need to understand your data. Not all data is the same, and you must allocate appropriate resources to the most important information. In terms of security, you need to reduce the risk faced by that critical data. There are two important dimensions to this effort:
- Business value: How frequently is the data used to run the business and by whom (e.g., a pricing and discount table used daily by pricers)?
- Risk: How sensitive is the data and what exposures does it have (e.g., is it on a server with default passwords)?
The answers to these questions will help determine the relevance of the data and how you need to specifically treat it in its life cycle, especially for security and compliance.
An ideal way to do this is through automatic discovery tools that show you where your sensitive data is, who has access to it and how risky it can be. Armed with this knowledge, it becomes easier to choose how to mitigate the risk with the right tools, such as encryption, masking, archiving, deleting and even tightening access control rules.
The final step is to continue to monitor access to your sensitive data in order to maintain a tolerable risk level, especially against misuse or abuse of privileged access.
Three Environments for Cloud Data
Cloud service providers (CSPs) can offer customers different levels of control or convenience with regard to the services they provide. To apply the risk-based methodology to the cloud, you need to consider the three main environments.
Infrastructure-as-a-service (IaaS) is where the CSP manages the virtual and physical foundation. The end customer can control all other components up to the application layers. This may be the simpler scenario to support for data security because the same on-premises security controls — such as discovery, classification, vulnerability assessment, encryption, masking, monitoring, auditing and blocking — can be applied.
Platform-as-a-service (PaaS) is where the CSP additionally manages the middleware and runtime. The end customer only has control over how to manage the data and the application. New data-as-a-service options offer customers access to shared virtual database space. The customer controls the data put in these spaces and the applications that use it but can only apply data security controls that the CSP has allowed or that exist at the application layer.
Regardless of the data security services provided, customers need to ensure that they have control. For example, they should request to hold encryption keys or monitor consoles.
Finally, there is software-as-a-service (SaaS), where the customer is only a user of the service and the administration of the stack is left to the CSP. The customer has no control over what is done with the data. Dropbox and Google Docs are common in the mobile consumer space, and Salesforce is a well-known enterprise example. SaaS environments are the most difficult to control for data security because the data is at the mercy of the CSP. The end customer can only control it if the data is sent to the application encrypted or masked, and you still need to be careful not to break application logic.
For cloud environments, the more control you give to a CSP, the more you will be dependent on their security processes. Service-level agreements can be set to increase confidence, but you can always lower the risk the further down you go on the stack.