A virtualized environment, whether it involves the virtualization of company servers or support for the cloud, brings huge advantages in enabling the organization to maximize its resources when it comes to housing and backing up data.
However, all too often out of sight can mean out of mind. From a security perspective, it pays to do your homework and nail down contractual arrangements with your virtualization or cloud provider to ensure the service meets the needs of the business, accommodates compliance requirements and provides a viable back-up solution not just in theory but in practice.
Perhaps one of the most common issues we find is that clients don’t always know where their data resides. This can bring real complications in terms of geographic legislation – sometimes referred to as data sovereignty – as local jurisdiction may mean your data has to be handed over, with encryption keys, in certain localities. There are also regulations to consider: now that the US ‘safe harbor’ agreement has been deemed invalid, the onus is on the company to guarantee data protection if data is transferred off EU soil, for instance.
Consider also that some markets aren’t as stringent when it comes to protecting data. We’ve seen identification documentation obtained from the black market in India, for example, making it easy for non-qualified staff to access sensitive data.
Another common oversight is how quickly you can access and recover data from a virtualized environment. Having back-up off site, whether through the cloud, disk replication or tape, is advisable because it gives you much greater assurance in case of a security breach or systems failure. However, this can see security become the number one priority, obscuring the need to evaluate how quickly you can get that data back.
Security concerns have seen data encryption become widely adopted, but few stop to consider the impact on recovery times. If you ramp up your level of encryption, you’re going to suffer when it comes to meeting your Recovery Time Objectives (RTO). Therefore test recovery times and then retest, scheduling tests during peak periods to gain an accurate picture of how variables such as time of day, the encryption in place and the amount of data you are trying to restore affect RTO.
When it comes to encryption, don’t just focus on the technicalities. Time and again we see cases such as TLS encryption, where the emphasis on maintaining up-to-date certificates leads to oversights such as whether data at rest is encrypted. Governance should always be the hand that steers encryption, and a good example of this is key management. If keys are mishandled or the derivation process is insufficient to protect data, then that encryption becomes worthless.
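One way to read the results of such restore tests, as an added example that is not part of the original article: it groups measurements by test window and encryption, projects a full restore from the slowest observed rate, and flags the conditions that would miss the RTO. The sample measurements are constructed, the function names and the 8-hour RTO are assumptions, and the projection assumes restore time scales linearly with data volume.

```python
# Added example: judge restore-test results against an RTO.
# SAMPLES is constructed data; all names and the 8-hour RTO are assumptions.

# (test window, encryption in place, GB restored, seconds taken)
SAMPLES = [
    ("off-peak", "none",    50,  500),
    ("off-peak", "aes-256", 50,  625),
    ("peak",     "none",    50,  1000),
    ("peak",     "aes-256", 50,  1250),
    ("peak",     "aes-256", 100, 2500),
    ("peak",     "aes-256", 20,  400),
]

def worst_secs_per_gb(samples):
    """Slowest observed restore rate (seconds per GB) per (window, encryption)."""
    worst = {}
    for window, enc, gb, secs in samples:
        key = (window, enc)
        worst[key] = max(secs / gb, worst.get(key, 0.0))
    return worst

def projected_hours(samples, dataset_gb):
    """Projected full-restore time in hours, using the worst observed rate."""
    rates = worst_secs_per_gb(samples)
    return {k: dataset_gb * spg / 3600 for k, spg in rates.items()}

def rto_breaches(samples, dataset_gb, rto_hours):
    """Conditions under which the projected restore would miss the RTO."""
    proj = projected_hours(samples, dataset_gb)
    return sorted(k for k, hours in proj.items() if hours > rto_hours)

def encryption_overhead(samples, encrypted="aes-256", baseline="none"):
    """Slowdown factor of encrypted vs unencrypted restores, per window."""
    worst = worst_secs_per_gb(samples)
    return {w: worst[(w, encrypted)] / worst[(w, baseline)]
            for (w, e) in worst if e == encrypted and (w, baseline) in worst}

if __name__ == "__main__":
    for cond, hours in sorted(projected_hours(SAMPLES, 2000).items()):
        flag = "MISSES RTO" if hours > 8 else "ok"
        print(f"{cond}: {hours:.1f} h {flag}")
    print("encryption overhead:", encryption_overhead(SAMPLES))
```

With these constructed figures an off-peak test alone would suggest the 8-hour RTO is met, while both peak-period cases miss it.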
Essentially, the way you secure and back up data in a virtualized environment has to fit the organization. There is no ‘one size fits all’, so you should look for a modular supplier if possible. Similarly, those back-up controls should be sympathetic to the compliance requirements of your geography and business sector. Many may claim to be PCI compliant, for example, but realistically are PCI friendly, i.e. they will assist where they can.
You should also consider what happens to your data when stored with other data. A change in the sensitivity of data – an evolution in data value – can occur when data sets are combined, such as when HR data with payroll details is stored with another database naming staff. Understanding the data lifecycle and how data will be handled from the cradle to the grave while observing compliance requirements goes hand-in-hand with this. If, for instance, data you no longer require is left to languish in your supplier’s database over six years, you could be in breach of the Data Protection Act.
Seek to understand the limits of the service you have procured, from the data you can store to how data is overwritten and the speed of service and bandwidth provided. That way, when it comes to a restore, you know the limits of the service and how it is being delivered to you every step of the way, from the service provider, to the internet and the LAN/WAN, and which parts of that you have no control over, such as disk space.
Pick the right supplier and pay close attention to the contract because it’s that which will detail the service you are procuring and give you recourse should the worst happen.
Jamal Elmellas recently spoke about this topic in the Infosecurity webinar “Securing Your Virtualised Business”. To listen again visit: https://www.infosecurity-magazine.com/webinars/data-protection-virtual-environment/