By Joe Sturonas
As the proliferation of data continues to plague businesses, the pressure is on for companies to migrate away from their physical data centers. Cloud computing is being adopted at a rapid rate because it addresses not only the costs for physical space, but also rising energy costs and mandates for more scalable IT services. Enterprises are drastically reducing their storage spend by using online storage solution providers to store massive amounts of data on third-party servers.
The cloud is definitely calling, but even the most seasoned IT processionals debate, grapple and get a bit intimidated by an otherwise simple term that has taken the world by storm.
Inevitable Risk
Every minute of every day presents the opportunity for a data mishap. A security breach, as well as lost, stolen or even compromised records, triggers negative exposure that quickly equates to forfeited sales, legal fees, disclosure expenses and a host of remediation costs. The fallout can result in years of struggle to recoup reputation and repair a brand in the marketplace. Cloud providers do not want to be held liable for any issues related to your data loss. Best case, they will credit back your fees, but nothing can help a damaged reputation or customers who leave your organization when a data breach occurs.
While the cloud environment seems be to a Holy Grail for trends around data proliferation and massive storage needs, clouds present complex security issues and put critical corporate data, intellectual property, customer information, and PII in potential jeopardy. Enterprises forfeit security and governance control when data is handed over and cloud providers do not assume responsibility.
The recent cyber-attacks by groups like Anonymous and data breaches like that of LinkedIn illustrate the need to incorporate an advanced risk and compliance plan that includes any third-party managed cloud environment. Clearly, the cloud often opens a Pandora's Box for unanticipated consequences.
Storing huge amounts of data on third party servers may mean instant online access and lower costs; however, that data is often comingled on shared servers and exposed to users you don’t know. If your Cloud storage provider encrypts your data but holds the key, anyone working for that Cloud storage provider can gain access to your data. That means the potential of your data be shared, sold, marketed to and profiled for someone else’s gain.
Data also has to actually “get to” the cloud, which usually means leaving your trusted infrastructure and overcoming compounded transfer vulnerabilities as data moves to and from the cloud. Even the most unintended data breach could cost a company its reputation.
Potential Pitfalls
Transfer vulnerabilities: The potential for data breaches is multiplied as data travels to and from the cloud using various networks especially in highly mobile and distributed workforces.
Non-compliance penalties: Extended enterprises, partner networks and virtual machines are continuously scrutinized for compliance. All sensitive data must be protected with appropriate measures.
Storage expense: Companies are charged by the amount of data that is put into the cloud; therefore providers lack motivation to compress that data. Any compression by providers is deemed unreliable since encrypted data cannot be compressed.
Provider holds the keys: Cloud agreements can address how internal folks at the vendor will be managing your data. Provisions can limit administrative access and grant who has hiring and oversight over those privileged administrators. If the data that is housed in the Cloud is, in fact, encrypted then the issue becomes more about who maintains the keys.
To summarize…
- Security breaches will happen even for the most vigilant that do not encrypt their data.
- Your company’s reputation is at stake.
- Security regulations are increasing.
- The cloud introduces new levels of risk.
- Cloud providers have root access to all your unencrypted data in the cloud, and they are not your employees.
The only way to protect data in the cloud is if you encrypt the data and you maintain control of the private key.
Cloud Security Best Practicies
Impact on security policies and procedures?
Your existing security policies and procedures need to be reviewed to evaluate the use of Cloud applications and storage. Some companies choose to shut off access to certain Cloud applications, some choose to implement application-stores to limit access to specific approved applications, and some do not attempt to curtail access at all. Shutting off access is not a popular option to your employees who are most likely already familiar with consumer type options, such as Dropbox. Your end-users have certain problems like transferring or sharing a large file too large for email that they know such services can solve.
Employees, internal team members and partners, may not have any idea of the risk of putting insecure data in the Cloud. They probably don’t know that unsecure services, such as Dropbox, pose a security risk and may have sensitive company data stored there. You need to alert them to the data security risks of the Cloud and have them sign a security policy to that effect. Taking draconian measures toward preventing the use of services like Dropbox will only force employees to find even less secure ways to exchange data. Providing a secure way for employees to use services like Dropbox is a far better approach.
The regulatory standards issues that you deal with today in your own data center are just as important in the Cloud. Compliance with PCI DSS, EU Privacy Act, Sarbanes-Oxley, and FIPS140-2, etc. are just as imperative. If you know that the data is encrypted before it goes into the Cloud, you may be compliant with any number of these regulations. Even if the Cloud vendor is hacked or someone uses an administrative password improperly, your data is impregnable at that location.
Evaluating Security Solutions for the Cloud
Encrypting your data and maintaining the keys yourself is considered by industry experts as the only way of making sure that no one can read your data, period. It doesn't matter if a privileged user has access to your data, they still can't decipher it.
Regulatory compliance counts in any cloud, any environment, and any country. You must ensure your data is compliant with any regulation standards for your industry.
If there are assistants, executive and sales representatives who use different operating systems on different computing platforms and want to share that data securely inside or outside of the private or public cloud…then you need data-centric, file-level encryption that is portable across all.
Be sure to evaluate Data Location and Data Segregation as they relate to co-tenancy. Not only do you want to hold the key, but you want to encrypt all of your data so that your data, especially sensitive data (PII), is protected if co-mingled with other organizations’ data.
A Cloud security solution must also enable recovery and provide you with the ability to restore your data many years from now. To meet some regulatory compliance statutes you have to keep your data for seven, even 20 years.
Cloud providers might assure users that the communications from your browser to their servers are encrypted using TLS. That provides a level of protection of the data only as it travels through the Internet, but then data remains in the clear once it lands on their server.
Worry-free Breach
Odds are you will have to report a breach one day. If that day comes, you want to announce that no data was compromised and minimize corporate liability both in dollars and reputation. With data-centric encryption where you hold the keys and the data are encrypted at the file level, no one can access that data. Therefore, you may not even have to report it as a breach and you don't really have to rely on all the remediation contractual issues...because essentially there was a breach but no data was lost.
So before you store sensitive data in the Cloud, make sure you encrypt that data. This insures that your data is safe and accessible to you and only you.
Joe Sturonas is the chief technology officer for PKWARE, an industry leader in enterprise data security products, which has a history rooted in innovation, starting with the creation of the .ZIP file in 1986. Since then, PKWARE has been at the forefront of creating products for reducing and protecting data – from mainframes to servers to desktops and into virtual and cloud environments.