Are You Skeptical About The Cloud?
Recent news stories like the celebrity iCloud hack have shined a light on cloud security in general, and cloud storage risks specifically…
News stories like the celebrity iCloud hack have shined a light on cloud security in general, and cloud storage risks specifically. Experts say many enterprises ‘don’t have a clue’ that corporate data could be at risk. Much like the United States justice system presumes innocence over guilt, many view the cloud as secure enough until it’s shown to be insecure. Vulnerabilities or cloud breaches are bound to happen, and when they do, they serve as reflection points where users must rethink their assumptions before deciding on the best choice in the security, cost and performance balancing act.
“Security is always a balance of risk versus reward”
There are many reasons to store data in the cloud, and users have been doing so for years and ultimately there are no really good reasons why sensitive data shouldn’t be stored in the cloud. The risks like any other risks to a business need to be managed. . Mail services are one of the early examples of data storage in the cloud. Historically, however, when these services were hacked, the attackers would typically use the compromised accounts to deliver malware, spam or both. More recently, the interest of attackers has shifted toward learning the users’ personally identified information. This leads to questions about the content of the actual data, and thoughts about where the data should reside.
The distributed nature of cloud data introduces two areas of concern to security-minded people. The first area of concern deals with the processing and handling of the data. The second area deals with the value of the data. Generally speaking, the first area receives more attention than the second; however, both areas are of equal importance. Examine the data and applications you wish to migrate to the cloud, and classify them in terms of how crucial they are to the business, how sensitive the information is, and what regulations and governance rules affect that data. Once this stage is complete, a cloud service can be selected that can support the level of security, compliance, and of course availability that is required.
Data processing and handling
Cloud processing and handling of data has users facing a basic question: Who owns the data? This problem has not been solved and appears to have no solution in the near future. Part of the problem stems from the fact that users do not always want to be responsible for their digital data, and entrusting all users to securely manage their digitally stored data would require a significant portion of the population to learn more about computer security than they are willing to undertake. Thus, the cloud is a viable option for a large portion of the user population.
Another problem is that while cloud service providers (CSPs) are quite willing to store this information, they certainly don’t want to take ownership of the data. The legal liability issues for the CSPs would be immense since the Internet is a domain of both legal and illegal commerce and the laws that govern Internet usage vary by country. Many of these issues about data ownership played out a couple of decades ago as e-commerce was introduced, however; when Internet service providers (ISPs) were in the role of today’s CSPs, the data was not as widely distributed as is the case today with some of the large CSPs.
Let’s consider how data is actually stored in the cloud. In order to achieve the high availability that defines the cloud, the major CSPs have geographically distributed data centers, with clustered server farms at each data center. Long-term storage of data at remote facilities represents an attack vector, as do the distributed data centers. These endpoints and the paths between them represent major attack vector classes for data stored in the cloud.
The security industry has spent decades attempting to secure the places where data is stored and transmitted, with mixed success. However, the nature of digital data, with multiple copies being made at various locations, begs the question: Is the data itself an attack vector? If so, this emergent vector needs guiding principles. In the meantime, if enterprises can’t secure the places where their data is stored and transmitted, they at least need to know where those places are because that will give them the opportunity to decide which data should be stored in the cloud and where it will be most secure.
Data value
One aspect of data guidance comes from a time before the existence of the cloud. The old adage, “some things do not belong on the Internet, ” is still relevant; however, with the automatic backups that we see with cloud storage services and the movement of data between personal devices and the enterprise network, this problem has grown exponentially.
In this context, the value of data deals with the utility of data. Data utility requires evaluation for the value of the content in the present, along with the potential value of that same data content in the future. A useful analogy might be to consider an old photograph taken of a subject in his younger days and showing him wearing the styles of that era. At the time the picture was taken, the image provided no offense to the subject. However, the same picture many years later might cause the subject to cringe at the fashion it displays.
Now consider that instead of an old, funny picture, business or personal data is on display. The digital nature of the data ensures that once a copy of the data is in the cloud, it will remain there forever. Data of little value to an organization today becomes a data point in the future for mining and trend analysis. As a result, enterprises need to examine how the value of current data may change in the future.
Even data that passes the “safe-to-post standard” becomes a potential big data issue where it may be mined in the present or the future and joined with other data to create new data that may actually be sensitive or more valuable. This results in the problem that even the “safe” data is no longer truly safe. Yet, migration of data to the cloud continues.
There’s also the issue of data that’s not meant for cloud storage but inadvertently ends up there. Data that crosses the boundary between work and home provides a significant opening for an attacker to gain knowledge about the organization. This is not news, of course. But less obvious data, such as forwarded e-mails, that provides insight into the projects and roles of various individuals can sometimes go unnoticed as a major risk. Project information, personnel information and organizational information are all important to keep out of the public domain, and away from the cloud.
How can enterprises prevent valuable data from moving to unauthorized cloud storage services? Architecturally speaking, the most logical choice would be to create a decontamination network for personal devices that travel between home and office. A decontamination network is a sandbox, DMZ or some other trusted zone of the network where data comes in through different sources and users but must pass through processing layers of proxies and filters in order to join the network.
The decontamination network can provide the checks through application proxies that examine for keywords during data inventory and potentially prevent data breaches similar to the celebrity iCloud hack. The determination of those keywords will depend on corporate policies. However, a serious discussion on which keywords are important to the organization must take place across all groups of the organization so data can be properly valued.
Conclusion
Take an information-led, risk-based approach and decide what data will be stored in the cloud, and what the potential consequences would be, should a data breach occur, and that data be lost, stolen or destroyed. Once you know this, the necessary legal and regulatory obligations can be considered, particularly where personal information or sensitive financial information is concerned. Another important decision to make is what type of cloud to use. Make sure you scrutinise the risk and control perspectives and choose a suitable cloud service or solution and one that has the lowest risk and where the most control can be adopted.