Securing Data in the Cloud 10 Critical Questions to Ask Your Cloud Provider

Transcription

1 Securing Data in the Cloud 10 Critical Questions to Ask Your Cloud Provider By Leonard Chung Executive Summary There is no question that businesses can benefit from moving data to the cloud. The cloud is elastic and efficient. It can improve user productivity and unburden IT staff, saving time and money. It can accommodate anything from simple file sharing to mission-critical data backup. The question is, just how secure is your cloud? And how do you know? There are major differences among cloud providers in their approach to security and their use of security technologies, processes, and personnel. These differences can have a major impact on the availability, integrity, accessibility, privacy, and compliance of your data and can directly impact your business. This paper provides a framework, built from industry best practices, for thinking about cloud security. It also provides a short list of questions you should ask any prospective cloud provider, whether that is your internal IT department or a third-party cloud service provider. For example: How much control do I maintain over my data? How do you safeguard my data from that of other clients? How do you ensure security for client (endpoint) devices? Armed with these questions and a better understanding of the underlying process, personnel, and technology issues, you can transform cloud security from a source of uncertainty and doubt into a source of business advantage. And you may experience something you never expected from your move to the cloud: peace of mind. The Promise and Challenge of the Cloud Virtually every article, blog, or white paper about security begins by trying to scare the living daylights out of the reader usually with horror stories and jaw-dropping statistics about security breaches and their devastating consequences. However, it is important to view cloud security not only as a potential vulnerability but also as an opportunity. Solid security can open new doors for your business by enabling it to offer more services to more users with greater flexibility and less expense. Moreover, the cloud model can greatly mitigate or even eliminate many traditional security risks. Simply put, a framework for cloud security should consider what security can help you accomplish, not just what it can help you avoid. Therefore, the first step in understanding cloud security is to see the big picture of the cloud itself: the advantages, the issues, and the trends that are influencing adoption of the cloud model. Page 1

2 In a word, the overarching benefit businesses expect when they move data to the cloud is agility. Customers, employees, and business partners live in their files and their files are their lives. That means they want all of their data conveniently and reliably accessible no matter where or how it is stored, no matter what kind of application they re using to access files, and no matter what type of device is at their fingertips a smartphone, a tablet, a laptop, or a desktop. They want to be able to work and transact business anywhere, at any time. In addition, the era of BYOD (bring your own device) is upon us. In many cases, employees want to use their personal devices to access work-related documents and messages. They want to share these files without cumbersome access controls and login procedures. They want corporate files and data to be as nimble as they are. And they re going to find a way to get what they want whether the IT department helps or gets in the way. The cloud can deliver the agility users need with the security IT requires, and in doing so can preclude the need for backdoor IT where users or even departments and lines of business create their own workarounds to avoid cumbersome security requirements. An additional benefit of the cloud is decreased cost and business risk. A cloud offering is a pay-as-yougo service, so there are no new capital expenditures for servers, storage systems, and VPN connections; there are no software upgrades and support costs; there is no need to hire and train new system administrators. Since most cloud services are easy to provision and deploy, with free trials and monthby-month terms available, businesses don t need to risk the expensive upfront investment typical hardware and software solutions require. The cloud service also typically works with a multitude of devices, scales on demand to accommodate growth or spikes in usage, and is accessible 24/7 virtually anywhere there is Internet access. The cloud model can also give companies the ability to leverage resources they already have including both physical infrastructure such as servers and storage systems as well as existing user credentials and security-related processes. This means IT can extract even more value from these resources by cloudenabling them rather than force a rip-and-replace migration that increases risk across the board. At the same time, the move to the cloud model can unburden the IT department of the need to develop and maintain expertise in every facet of data security. The key elements of security are left to specialists, so IT can focus on more strategic and higher-value-add projects. Despite all the potential benefits, however, most businesses are still using the cloud for only about 10% of their IT needs 1. The dominant concern is security. Businesses remain unsure whether their data is safe in the cloud, and whether the cloud model has matured enough to address the myriad security issues it creates. The next section describes the key security issues you should consider as you evaluate cloud service provider offerings. Cloud Security: Technology, Process, and Personnel Considerations The advantages of the cloud model are counterbalanced by new security risks and vulnerabilities that must be addressed. However, it must be emphasized that these risks are not mitigated by technology alone. Only a holistic approach blending the right technologies, processes, and personnel will deliver a comprehensive data security solution for the cloud. For example, the cloud is only a hosting model. Encryption by itself often touted by vendors as the solution is only one type of defense. Both are useless in addressing security issues until they are paired with the processes and personnel that empower them to fully address the underlying security threat. 1 A Lack of Standards by Amy Larsen Decarlo, Information Security, December 2011 Page 2

3 The broad categories of cloud security risks are summarized below, followed by a discussion of the technologies, processes, and personnel considerations that can provide a holistic solution. Network availability: The cloud can give more users more access to more data but only if users can access the cloud. Network outages, system outages, improperly implemented access policies, errors and oversights even routine activities such as boarding a plane or leaving the office can introduce the risk of lost access to critical data and potential downtime for the business. Device security: The cloud allows more types of devices to participate in services but those devices remain subject to the vagaries of human nature. People get sloppy with passwords; they don t always install or upgrade their antivirus and malware software; and they frequently damage or lose their devices (156,000 laptops alone are lost at U.S. airports each year, according to a recent study by the Ponemon Institute 2 ). Data durability : It s not enough for data to be accessible; it must also be protected against corruption, misplacement, and inadvertent deletion. Accidents, malicious acts, hardware failures, or inadequate controls can compromise data integrity and quickly negate the benefits of moving to the cloud. Privacy and confidentiality: In the cloud model, data is constantly transmitted to and from systems that are outside the corporate firewall. Users need assurance that sensitive communications and data are accessible only to the intended recipients whether the data is in transit or at rest. Control: The cloud transforms even the simplest deployments of desktops and mobile devices into complex distributed systems. Controlling policies, permissions, and authentications among diverse devices, applications, users, and data types can quickly become a daunting task without the right management tools and processes. Compliance: The cloud adds yet another layer of complexity to the already mind-numbing array of compliance requirements for data security. To cite just one example: most states in the U.S. now have data breach laws that require individuals to be notified if a data breach has occurred. Businesses need assurance that their cloud provider understands all the relevant laws and has the security systems in place to diminish the risk of violating any of them Airport Insecurity: The Case of Lost Laptops, Ponemon Institute Independent Research Report. Page 3

4 Technology Processes People Certifications Encryption Replication & Redundancy Data Center Access Controls Mobile App Security Customer-Controlled Policies & Access Permissions Auditing & Reporting Multiple security strategies, technologies, standards, and processes have emerged or evolved to help mitigate the risks created by the cloud model. In general, these fall into the following broad categories: Certification: The hosting provider s data centers can be certified to meet rigorous standards for physical security, physical access, and internal controls. For example, SSAE-16 (formerly known as SAS70) is an internationally recognized third-party assurance audit that provides a benchmark to compare internal controls and processes against industry best practices, and the Federal Information Security Management Act (FISMA) is U.S. legislation that defines a comprehensive framework for protecting government information, operations and assets against natural or man-made threats. Others include PCI DSS, ISO 27001, HIPAA, and FIPS Certified compliance with these standards demonstrates a high level of commitment to data security. Encryption: Data encryption and clear policies and processes for encryption are vital to ensuring complete data protection. Data that is not encrypted is open to intentional or accidental interception, which can result not only in a breach of privacy or confidentiality but also violations of regulatory requirements, loss of goodwill among employees and customers, bad press that impacts sales, and very expensive remediation efforts. Virtually every company encrypts file data during transfer, but few encrypt everything transmitted such as unique user account information and mobile phone identifiers that allow others to uniquely track a phone. Even fewer encrypt stored data at rest in the data center as well as on mobile devices. This ensures files are protected not just in the seconds it takes to transfer them, but also in the days and years they will spend stored on hard drives and phone memory. The gold standard for encryption, whether the data is in transit or at rest, is the Advanced Encryption Standard at its highest level of security of 256 bits (a.k.a. AES-256). This is the only encryption standard certified by the government for classified materials. Also, the management of encryption keys is an important consideration. These keys should be stored in a separate location from the encrypted data itself to avoid having a single point of compromise. Physical and logical access to the key server by authorized personnel must be tightly controlled. Replication and redundancy: It s common sense that having multiple copies of files and messages in multiple locations helps guard against accidental loss or corruption. However, managing all those copies can lead to complications that impact security. It is critical that the Page 4

5 prospective cloud provider can reliably retrieve the correct version, provide availability in the face of a failure at any individual data center, and synchronize the versions that exist at multiple sites. Equally important, make sure your provider can tell you exactly where your data is being stored, and verify that you have the ability to permanently and irrecoverably delete files out of their system on demand if you require. Data center access controls (physical and virtual): Part of ensuring that only the right people have access to data is ensuring that only the right people have access to the data center. Physical systems that house user data must be accessible only to employees with a legitimate business need, and authentication and key management data centers must be completely inaccessible to non-credentialed employees. The best architectures are built to require two authorized employees before any data can be accessed. In many cases a third-party provider is in a better position to provide these safeguards than the internal IT department. Mobile app security: Mobile devices are loss-prone, meaning they can contain large amounts of data and compute power and are easy to connect to the Internet and other devices but they have very little built-in security. The responsibility therefore lies with the application that provides file access to make up this gap. Applications can do so with features such as remote wipe in the event the device is lost or stolen (initiated by the user, an administrator, or by policy), an encrypted file lockbox to protect data stored at-rest on the device, or a PIN (requiring the user to authenticate via the PIN in addition to their normal password), as well as through ensuring adherence to company policies and controls. Customer-controlled policies and access permissions: Every business experiences constant change at the user level. Employees and contractors come and go. People start and stop using different types of devices. Access requirements are in a constant state of flux. You need a convenient way to control and manage who gets access to what, under what conditions. You also need an easy way to create, change, and enforce data retention policies, along with the ability to remotely wipe any user s account, their individual computers or mobile devices, in the event the device is lost or the employee/contractor is terminated. Equally important, you need a flexible way to balance the risk of security vulnerabilities against the cost and effort of mitigating them. In other words, the security solution must be able to adapt easily to fastchanging requirements so that you can protect by enabling or protect by restricting as needed, rather than being forced into one approach or the other. Auditing and reporting: Management needs insight into who has access to resources, who is using those resources, and what changes have been made. Audit trails and reporting mechanisms are designed to provide this information. The best systems also provide customizable versioning to make it possible to quickly and easily reverse damage from undesirable changes or deletions. 10 Critical Questions to Ask Your Cloud Provider The information in the previous section provides important context for understanding the challenges and requirements of cloud security. With this framework in mind, you are now prepared to ask the following pointed questions of prospective cloud service providers and gauge the adequacy of their answers. 1. What is your data encryption philosophy and how, specifically, do you encrypt data? Page 5

6 The overall approach is crucial. If the vendor is of the opinion that password protection for a file or laptop is sufficient to prevent unauthorized access to content, or that data encryption is needed only for data that is in transit and not at rest, you may want to consider other cloud providers. Encryption of all data, in transit, at rest, and in mobile devices, should be the basis of any holistic security solution. Failure to encrypt all content can have serious consequences, most notably in the area of regulatory compliance. The data-breach laws mentioned previously are only the tip of the iceberg. In the U.S. alone, legislation such as the Gramm-Leach Bliley Act (GLBA), the Payment Card Industry Data Security Standard (PCI DSS), the Financial Industry Regulatory Authority (FINRA), the Health Insurance Portability and Accountability Act (HIPAA), and the Personal Information Protection and Electronic Documents Act (PIPEDA) could all be violated by a loss of unencrypted data. On the other hand, proper encryption not only defends against such violations but also creates new business opportunities and competitive advantages, such as the ability to transact securely any time, from anywhere, and the ability to serve new customer segments or geographies. Regarding the actual encryption of the data, make sure all data is transferred and stored using the highest levels of encryption: 256-bit Advanced Encryption Standard (AES) SSL for transit, and 256-bit AES for data at rest (introduced by the National Institute of Standards and Technology or NIST). AES is the only publicly accessible and open encryption technology approved by the National Security Agency (NSA) for Top Secret information. There is simply no excuse for using any lower-grade encryption technology. 2. How do you manage the encryption keys? In many cases the difficulty with encryption lies not in the encryption process itself but in the management of the encryption keys. Make sure the prospective vendor provides both physical and logical separation between the encryption keys and the encrypted data. Separate data centers would be optimal, so that there can be no single point of failure or compromise. You will also want to ensure the vendor has segmented access to their systems so in general employees only have access to one data center or the other, further protecting access to your data. In addition, ensure that the encrypted file data and the proper file version encryption key are brought together only on an as-needed basis, and in a way that can be audited. It is important to ensure that an encrypted file cannot be decrypted by anyone. The absolute highest level of security is to own and manage the keys to ensure actual control. However, this is generally so burdensome, particularly in cases where users share and collaborate with one another, that there is a significant risk users will use simpler methods such as ing files via their private accounts, defeating the purpose of the system. A compromise is to have the vendor manage the keys on your behalf. In this case, the vendor should be able to explain how they ensure the keys are properly managed and, optionally, provide you with the ability to control a key escrow so you can own the keys. The gold standard is a dual-responsibility model where two authorized employees must combine their authority before access can be granted, such as in the case of a two-datacenter security architecture. 3. What certifications for data protection have you attained? Certifications are issued today for virtually every aspect of information handling from the data center itself to information protection practices. Ideally, the vendor s data centers will have successfully completed a SOC 1 audit under SSAE-16 guidelines (formerly SAS70 Type II), as well as testing from independent auditors. An SSAE-16 audit verifies that the cloud provider s data centers have met rigorous requirements around physical security, Page 6

7 physical access, and internal controls. It also allows cloud providers to disclose their control activities and processes to their customers and their customers auditors in a uniform reporting format. In addition, ask prospective cloud providers whether they are FISMA-certified (indicating a high level of commitment to data security), and whether they are certified for compliance with PCI DSS, ISO 27001, HIPPA, and FIPS Finally, while you may want your provider to ensure they can reliably store your data forever, you will also want to ensure that they properly handle the cases where data must be reliably destroyed. Compliance with Department of Defense M or NIST ensures your provider properly handles media sanitation, such as in cases where a server holding customer information is retired with the information on it permanently and irrecoverably destroyed to prevent third parties from accessing the information. 4. How much data replication is enough, and what level of data durability do you provide? Users expect and require that data remain available and uncorrupted absolutely without fail. For years, data center managers have pursued five-nines availability (meaning %) as the Holy Grail for service-level availability. When it comes to data durability, however, there had better be a lot more than five nines (look for 10 or 11). Think of it this way: the standard RAID mirroring (data stored on two hard drives), provides about four nines of durability, meaning you have a one in 10,000 chance of data loss. Given that the average user has 10,000 files in storage, this means they will lose a single file every year. At 11 nines, this same user will lose a single file every 10 million years. With this in mind, expect your cloud vendor to store all files at least in triplicate at each of several geographically dispersed data centers, and expect those copies to be synchronized automatically and instantaneously. These measures ensure that even if a data center goes down, for any reason, or connectivity to a data center is lost, operation will still continue normally. 5. How much control do I retain over my data? You should expect to retain end-to-end, lifecycle control over where, when and how your data flows and how it is physically stored. When data is created there should be a customer-controlled system for capturing the content (files, documents, or messages), policies for uploading the content, and centralized control over which users and which devices can access or make changes to the content. During the midlife of the content, controls are needed to capture the edits and changes made by various authorized users. And at the end of the lifecycle, controls are needed to ensure that the content is properly archived or wiped (destroyed). Make sure your cloud provider can easily enforce the data retention policies you set, so that shared files and folders can be automatically and permanently deleted from user devices when required. Also, look for the ability to remotely wipe any user s account including all of the computers and mobile devices they use in the event a device is lost or stolen. You should also receive a detailed plan that defines the course of action in the event that data is in the wrong places, due to misconfiguration, maliciousness, or error. Make sure that your prospective vendor has the capability to provide the level of control you expect. 6. How do you ensure client (endpoint) security? In the cloud model, data is transmitted between and among connected data centers and a diverse array of clients: mobile phones, desktops, laptops, tablets, etc. While the cloud service provider has no control over the security mechanisms put in place by the vendors of these devices, the cloud provider can Page 7

8 ensure that no client ever opens a hole in your firewall with any externally accessible port, communicates with any non-authenticated source, or stores cached credential information in an unencrypted format. This will close three of the most common attack vectors. In addition, it is possible to protect user data on mobile devices by using AES-256 encryption for data during transmission and while stored on the mobile device, and to provide mobile apps that use app specific PINs in addition to any phone password. 7. Can I leverage existing credentials and password policies and disable access immediately? Often the weakest points of any system are user accounts with passwords that are easily guessed or an account that is accidentally left active when it should have been disabled. In fact, according to a recent article in Information Week, the combination of poor passwords and automated attacks means that in just 110 attempts, a hacker will typically gain access to one new account on every second or a mere 17 minutes to break into 1000 accounts. 3 A common way to reduce the risk is to ensure any system that you adopt can leverage your users existing accounts that may be in Active Directory or even Google Apps rather than create yet another username and password for users and IT to manage. This integration should work with pre-existing password policies and advanced configurations such as two-factor authentication. It is also important that when access to an account, folder, or file is disabled or removed, the action takes effect immediately rather than taking a day or more. 8. How do you isolate and safeguard my data from that of other clients? In the past, IT departments segregated the files and data of various constituencies by putting them on separate physical servers. There were multiple problems with this approach, including server sprawl, underutilized resources, administrative complexity, excessive cost, and downtime or even data loss due to single points of failure. Virtualization technology makes it possible to encapsulate multiple types of data, applications, and content within the same physical server and to distribute copies of those assets quickly and easily among multiple servers. The content itself is electronically isolated or partitioned from all other content on the servers. The result is a more secure and more flexible access model that lowers operating costs and simplifies desktop administration and management. So, when evaluating prospective vendors, be sure to get a detailed description of their use of virtualization and, if you re not conversant in the technology yourself, consider having it appraised by an expert. 9. How is activity in my account monitored and documented? Your cloud provider should be able to provide an audit trail with full change tracking for changes occurring in an account, with previous versions retained, so that you know who is making changes and what those changes are. 10. Can you continue to provide protection as my workloads evolve? The elasticity of the cloud is one of its key advantages but make sure your prospective cloud provider can accommodate the volume of growth you anticipate, as well as unexpected spikes in demand for service, with the level of performance your users demand. Also, be sure you re not a guinea pig for an untested cloud architecture. Explain your needs to a prospective cloud provider and find out whether 3 Weak Passwords Pervasive, Despite Security Risks, by Thomas Clayburn, Information Week, January 22, Page 8

9 other customers with your same profile are currently deployed on the system. A cloud provider with real customers should be able to explain best practices for your needs and have references from other businesses. And don t assume that only a large, established cloud vendor will be able to meet your requirements; there are many small, up-and-coming providers that can deliver a higher level of service than the big players, with greater scalability, at a comparable price point. Conclusion The advent of the cloud opens up new possibilities and new security vulnerabilities for businesses. The object is to maximize the advantages and opportunities while minimizing the risks and the temptations of backdoor IT. This paper has presented a framework for considering the issues, along with specific questions for evaluating vendors. But there is one additional question that every business leader should contemplate before making the move to the cloud model, and it s an issue about which you, as a decision maker, must formulate your own opinion. What is the best approach to protecting and securing data in today s connected era? Should your business attempt to protect via restriction in other words prohibiting everything that could present an incremental security risk? Or should it protect by empowering users, finding new ways to secure the activities you know they will engage in? There is no right answer, but your opinion will shape your perception of the promise of the cloud and directly impact the results you expect and receive from a cloud service provider. About the Author Leonard Chung is co-founder and Chief Product Strategist of Syncplicity, a leading provider of cloudbased file management solutions. He has spent 12 years in the computer industry focused on finding better ways to manage, access, and secure data on a large scale. Before co-founding Syncplicity, he spent four years at Microsoft working on innovative cloud architectures and data management solutions in the early days of cloud computing. Prior to Microsoft, he distinguished himself at IBM as one of only 70 technologists in North America selected for the company s prestigious Extreme Blue program. Leonard received a B.A. in Computer Science and a B.A. in Cognitive Science from the University of California, Berkeley. About Syncplicity Syncplicity is a next-generation cloud-based solution for secure file synchronization, mobility and collaboration that is revolutionizing the way people work. Syncplicity makes it easy for business users to store all their files in the cloud, sync them with all their computers, share them with co-workers, access them on mobile devices, and ensure they are always backed up. All with the security, IT administration, controls and policy management features businesses demand. Learn more at Page 9