Cloud infrastructures that have promised to be highly secure assets within a company’s IT arsenal are still vulnerable to sophisticated cyber-attacks. Media coverage of several breaches in formidable cloud solutions has created a high degree of skepticism about overall data security. As cloud solutions mature, new roles and policies have been initiated, including the role of hypervisor administrator: a privileged super-user with access to shared cloud resources. Some concern exists that access to shared resources means potential access to data on those resources. As more people become familiar with the deeper operations of cloud computing, serious questions are raised regarding the handling of duplicate or backup data in virtualized environments. The proliferation of data is extensive, and administrators may not be clear about where copies of the data reside within the infrastructure at any given time. These concerns raise questions about data privacy and security, access control, compliance and data tracking.
Protecting Your Cloud Data
Who is ultimately responsible for data security? The data owner or the cloud provider? Cloud vendors can provide a relatively secure environment for information, with appropriate controls, policies and regular maintenance checks, but primary responsibility falls on the data owner. The best analogy is a community parking garage. The owner of the facility may maintain cameras and security personnel, but that doesn’t relieve the car owner from locking the vehicle. In the same vein, businesses should do whatever is possible to ensure their data is secured and protected, even from the personnel within the cloud provider.
Granular Access Controls
The first step is to define exactly who can access the data stored in the cloud and eliminate all unnecessary data access privileges. Granular access controls can be configured to consider who accesses data, when and how. For instance, John may have access to personnel records in the ERP solution residing on the cloud, but he is restricted to current skills and training for persons in his department. Though he uses a desktop, laptop and tablet to perform his job function, access to this personal information is only available through his desktop and only during normal business hours. Such extensive controls will prevent any unnamed persons from accessing the data unless they somehow impersonate the identity of an authorized user; even then, such granular controls will prevent access to more sensitive data.
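The John scenario above, written as a default-deny access decision. This is an added example, not code from the original article; the field names, the department name and the 09:00 to 17:00 weekday window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy model for the "John" scenario. All names and the
# business-hours window are assumptions, not taken from the article.
@dataclass(frozen=True)
class Grant:
    user: str
    department: str              # may only read records of this department
    allowed_fields: frozenset    # record fields the user may read
    devices: frozenset           # device classes a request may come from
    start: time = time(9, 0)     # business hours, Monday to Friday
    end: time = time(17, 0)

@dataclass(frozen=True)
class Request:
    user: str
    record_department: str
    fields: frozenset
    device: str
    when: datetime

def decide(grants, req):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    grant = next((g for g in grants if g.user == req.user), None)
    if grant is None:
        return False, "no grant for user"
    if req.record_department != grant.department:
        return False, "record outside user's department"
    extra = req.fields - grant.allowed_fields
    if extra:
        return False, "fields not granted: " + ", ".join(sorted(extra))
    if req.device not in grant.devices:
        return False, "device not allowed"
    in_hours = grant.start <= req.when.time() < grant.end
    if req.when.weekday() >= 5 or not in_hours:
        return False, "outside business hours"
    return True, "ok"

JOHN = Grant("john", "engineering",
             frozenset({"current_skills", "training"}),
             frozenset({"desktop"}))
```

Because every check must pass, a stolen identity used from the tablet, after hours, or against a field such as salary is still refused, which is the layered effect the paragraph describes.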
Data Encryption and Key Management
Data residing on the cloud, particularly a public cloud, should always be encrypted with the encryption keys controlled by the business. Encrypted data is unreadable to any person without the key. That key can be made available to users within the business, enabling the information to be readable only to authorized personnel. In conjunction with granular access controls, data encryption provides an additional layer of defense against unauthorized access.
The current trend in cloud computing is establishing multiple environments for data to reside in. These environments can include traditional IT infrastructures and multiple cloud solutions, such as private and public solutions. The management of multiple environments can easily result in different security requirements and inconsistent security policies and controls. This lack of standardization is likely the greatest security risk for a business, as it results in managing multiple security profiles concurrently. The best approach is a unified, central approach to security across all environments, where security policies and controls are the same for all personnel and all data regardless of where the data resides. This approach is essential for businesses seeking compliance with industry and governmental regulations and is the most cohesive and efficient approach to managing security.
Visibility and Auditability
Compliance regulations require businesses to demonstrate data access activity accurately. This requires security teams to monitor, log and report on activities from users and applications. While this information simply needs to be available as evidence, businesses should take advantage of its existence by analyzing the reports to detect access anomalies and identify potential data breaches.
Electronic Data Shredding
When confidential information needs to be destroyed in a paper world, all evidence of the information is gathered and shredded. The same process is possible digitally by removing all known data sets from the cloud and destroying the associated cryptographic keys. Even though the cloud is a dynamic virtual environment where data sets may reside in multiple areas, this process of persistent control will ensure the data is no longer readable or usable.
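Business-held keys (Data Encryption and Key Management) and key destruction (Electronic Data Shredding) shown together, as an added example that is not part of the original article. The `KeyStore` class and dataset name are hypothetical, and the cipher is a standard-library stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) so the block runs without dependencies; a vetted AEAD such as AES-GCM belongs in its place in practice.

```python
import hashlib, hmac, secrets

# Stand-in cipher built from HMAC-SHA256 so the example needs only the
# standard library. Replace with a vetted AEAD (e.g. AES-GCM) in real use.
def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    stream = b"".join(_prf(key, b"enc", nonce + i.to_bytes(8, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or tampered data")
    return _xor(key, nonce, ct)

class KeyStore:
    """Hypothetical key store held by the business, not the cloud provider."""
    def __init__(self):
        self._keys = {}
    def create(self, dataset):
        self._keys[dataset] = secrets.token_bytes(32)
    def get(self, dataset):
        return self._keys[dataset]       # raises KeyError once shredded
    def shred(self, dataset):
        self._keys.pop(dataset, None)    # a real store also purges key backups

def read(store, dataset, blob):
    return unseal(store.get(dataset), blob)

def shred_demo():
    store = KeyStore()
    store.create("hr-records")
    blob = seal(store.get("hr-records"), b"constructed sample record")
    # Copies the provider may still hold after the data set is "deleted".
    copies = {"primary": blob, "backup": blob, "snapshot": blob}
    before = {n: read(store, "hr-records", c) for n, c in copies.items()}
    store.shred("hr-records")
    after = {}
    for name, c in copies.items():
        try:
            after[name] = read(store, "hr-records", c)
        except KeyError:
            after[name] = None           # ciphertext remains, key is gone
    return before, after
```

The shredding guarantee is only as strong as control over the key itself: any escrowed, cached or backed-up copy of the key has to be destroyed too.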
Implementing data encryption and access control policies is necessary, but it must have no more than a minimal impact on existing processes, workflows and infrastructures. The administrators for the cloud service provider must be able to perform their work to maintain and deliver the service they are committing to provide, though they do not require access to the data to deliver that service. At the same time, these policies should be transparent to users and not impact their ability to perform their responsibilities. When these requirements are addressed, security teams will be able to support their business effectively and efficiently in moving their data into cloud environments.