Cloud Encryption: Step-by-Step How To

By: Morpheus Data

Mobility and web services have shattered the concept of a defensible network perimeter. The security principles and practices that work so well in relatively self-contained data centers are all but useless as the foundation for a cloud-security strategy. Believe it or not, that’s the good news.

Cloud security isn’t a challenge, it’s an opportunity

The number-one enemy of any data-security plan is overconfidence. A CSO has to assume something’s going to break, someone’s going to get phished, or the bad guys are simply going to figure out a new way to work around your defenses, however impermeable they appear to be. Mobility has ushered in the consumerization of IT, as Information Age’s Ben Rossi writes in a January 2, 2015, article.

Rossi describes the emergence of the secure cloud – an environment that addresses threats proactively rather than reactively. Users navigate and interact with the cloud-security envelope seamlessly, without having to traverse firewalls or enter passwords. If you attempt to transfer existing security mechanisms to this new data universe, not only are you unnecessarily discomfiting users and putting your organization’s data at risk, you’re missing a golden opportunity to make your company safer and more efficient.

Information technology has never seen anything like the inevitable transition to cloud services. The greatest obstacle to any such industry-wide transformation is fear. This presents a chicken-or-egg dilemma: Until companies commit to cloud services by jumping in with both feet, the evolution of cloud-native security will be hindered, according to Rossi.

How do cloud service providers prove they are living up to the security provisions of their SLAs in the absence of cloud-specific accreditation and certification standards? Until such standards are established, cloud customers should look for compliance with such industry standards as ISO9001, ISO20000, and ISO27001. In addition, they should request from their service providers proof of regular audits, assessments, and inspections by certification bodies, accreditors, and regulators.

In the absence of cloud-native encryption standards, encrypting and decrypting data in the cloud leverages non-cloud standards such as AES-256. Source: SmartCryptor

Best practices for encryption-key management

The need for cloud-specific security protocols is most evident in the area of cloud encryption. As with other aspects of your cloud-security plan, you can’t simply transfer your in-house encryption strategy and practices to your data in the cloud. For example, a cloud service such as AWS or Microsoft Azure may use industry-standard encryption, such as AES-256, but you can’t transfer data between the two services in its original encrypted form without jumping through a great number of hoops.

Encryption adds to the cloud provider’s processor and storage costs, so beware of services that offer to encrypt only certain database fields, such as passwords and account numbers. They may also look to save money by using an encryption alternative, for example, redacting or obfuscating the sensitive data rather than fully encrypting it. The most important question to ask before signing on the dotted line with a cloud service is who will manage the encryption keys. Despite assurances to the contrary, a service that holds the keys may be compelled to use them to decrypt your data at a government’s demand.

The irony of having to surrender encryption keys to officials on demand is that many organizations are compelled to encrypt the data in the first place by compliance regulations, according to SC Magazine’s Teri Robinson in a February 29, 2016, article. Robinson cites the results of a survey conducted by the Ponemon Institute that found 61 percent of organizations are motivated to encrypt their data stored in the cloud by the need to comply with privacy and security requirements; 50 percent of respondents chose to encrypt their cloud data in an effort to protect their intellectual property. Only 8 percent of the IT managers surveyed cited the need to prevent data breaches as the reason for encrypting their cloud data.

Similarly, the managers perceived employee actions, whether intentional or unintentional, as the greatest threat to their data: 52 percent of respondents identified them as the most significant threat, followed by system malfunction (30 percent) and outside hackers (28 percent). Regardless of where the keys are maintained, it is imperative to store your encryption keys separately from your encrypted data.
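The key-management advice above (decide who holds the keys, and never store them next to the encrypted data) is usually implemented as envelope encryption. The Go program below is an added example, not code from the Morpheus Data article or from any provider’s SDK: each object is encrypted with its own data key (DEK) under AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that stays with the customer. Only the ciphertext and the wrapped DEK go to the provider, so the provider (or anyone who compels it) cannot decrypt without the customer’s KEK; rotating the KEK re-wraps the small DEK rather than re-encrypting the bulk data. The object name, the sample record and the in-memory KEK are constructed for the demo; in a real deployment the KEK would live in a customer-controlled KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is what the cloud provider stores: ciphertext plus the data key
// wrapped under a customer-held KEK. The KEK itself is never stored with it.
type Envelope struct {
	WrappedDEK []byte // per-object data key, encrypted with the KEK
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the data
}

// NewKey returns a fresh random 256-bit key.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a random nonce and prepends the nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; wrong key, tampering or wrong context yields an error, never plaintext.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt makes a one-off DEK, encrypts the data with it, then wraps the DEK under the KEK.
// context (e.g. the object's path) is bound as AAD so a wrapped DEK cannot be moved to another object.
func Encrypt(kek, plaintext, context []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, context)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, context)
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt unwraps the DEK with the customer-held KEK, then decrypts the data.
func Decrypt(kek []byte, env Envelope, context []byte) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, context)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, context)
}

// Rewrap rotates the KEK: only the wrapped DEK changes; the bulk ciphertext is untouched.
func Rewrap(oldKEK, newKEK []byte, env Envelope, context []byte) (Envelope, error) {
	dek, err := open(oldKEK, env.WrappedDEK, context)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(newKEK, dek, context)
	return Envelope{WrappedDEK: wrapped, Ciphertext: env.Ciphertext}, err
}

func main() {
	kek, _ := NewKey()                      // customer-held; in practice a KMS/HSM key
	ctx := []byte("customers/42.json")      // constructed sample object name
	env, _ := Encrypt(kek, []byte("card=4111-xxxx-xxxx-1234"), ctx) // constructed record
	pt, err := Decrypt(kek, env, ctx)
	fmt.Printf("with KEK: %q err=%v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), env, ctx) // what the provider can do without the KEK
	fmt.Println("without KEK:", err)
}
```

Binding the object path as associated data is the detail most home-grown envelope schemes miss: without it, a wrapped DEK and ciphertext from one object can be copied onto another object’s slot and will still decrypt. GCM’s authentication also means a tampered ciphertext, a wrong KEK or a swapped context fails closed with an error.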

Start with the basics: Protect data in transit, in use, and at rest

The opportunity presented by a cloud-centric data strategy is to transform security from a necessary overhead expense to a business enabler, according to CloudLock CTO Ron Zalkind in a June 8, 2015, article on InformationWeek’s Dark Reading. Zalkind presents seven criteria for a successful cloud-encryption strategy, the first of which is to figure out what company information is sensitive enough to require encryption. The bulk of the data collected and stored by most companies poses no security risk and therefore doesn’t need the added cost and complexity of encryption.

Ideally, your cloud-encryption strategy will be an extension of your in-house encryption practices, although storing data off the company network may entail new compliance requirements. Similarly, your automated remediation plans for in-house problems can be extended to company data encrypted in the cloud to ensure a smooth recovery when things go south. The goal is to protect your most sensitive data in its three states: during transmission, when in use, and when stored.

A three-tiered cloud-encryption strategy protects data when it’s on the move, in use, and at rest. Source: Vivien Gerretsen, Intuit

Just as users dictate support for mobile operations, their access to encrypted data in the cloud has to be instantaneous and hassle-free. The user experience is even more important on today’s small screens and low-bandwidth connections. The upside to cloud-based encryption is saying good-bye to hardware encryption gateways and any approach based on traffic rerouting and network reconfiguration. This removes the single point of failure that such a gateway represents, and it adds scalability, easy deployment, and mobile-readiness.

Encryption is never the be-all and end-all of security. All the standard security best practices apply to development of a cloud-first IT strategy, including authentication, breach remediation, disaster recovery, activity logging, archiving, compliance, and external audits.