Is Your Data Safe in the Cloud?

Transcription

1 Is Your Data Safe in the?

2 Is Your Data Safe in the? : Tactics and Any organization likely to be using public cloud computing are also likely to be storing data in the cloud. Yet storing data in the cloud also brings with it a number of security risks which IT professionals should be aware of. This expert e-guide, from SearchComputing.com, explores how to successfully secure data in the cloud while ensuring its confidentiality, availability and compliance with physical location regulations. Data security is a concern for any enterprise, and cloud computing often can magnify security anxieties. Learn how to adopt a few ground rules to help protect users, their data and your overall cloud investment. By: Phil Cox In this tip, the seventh in our series of technical tips on cloud security, we discuss the security of data in the cloud. If and when you decide to use public cloud computing, it's likely that you will also need to store data in the cloud. The multi-tenant nature of the cloud and questions about the physical location of cloud data are security risks that organizations looking at using cloud services need to be aware of. This tip discusses practical methods for keeping your cloud data secure. Storing data in the cloud is arguably the most important aspect of public cloud resources, but it is rarely treated as such. Two practical steps to take when securing cloud data are: Protect your data in a real world environment. Meet compliance requirements. Page 2 of 9

3 Is Your Data Safe in the? : Tactics and What are the issues? There are two primary issues that we have to deal with when talking about data security in a public cloud: Protection of the data: Dealing with the confidentiality, integrity, and availability (CIA) criteria. Answering the important questions, such as, "What is the risk to the data? Are the controls in place adequate to mitigate the risk?" Location of the data: Dealing with the physical location of the "bits" and answering questions like, "Do I know where the data resides? Does this violate any of my compliance requirements?" Location is often doubly important because we do not think about it; it may easily slip by unnoticed and have significant impact if a data loss ever occurs. An example is the conflict between the U.S. Patriot Act and Canadian laws on the privacy of certain personal information. The U.S. government says if there is a compelling reason, they are able to see data in their jurisdiction. Canadian laws say that the data of certain Canadian citizens is protected and cannot be disclosed. If you handle Canadian data (i.e., data that is protected), then you had better be sure it is not physically located on systems in the U.S. Note that this is something providers will need to ensure via contracts. Where to start: Data classification If you don't take time to understand your data, then you are setting yourself up for failure in a public cloud environment. Therefore, securing data must begin with data classification. Here are some steps to follow: 1. Identify the data that will be processed or stored in the cloud. Page 3 of 9

4 Is Your Data Safe in the? : Tactics and 2. Classify the information in regards to sensitivity towards loss of the CIA criteria. This would include identifying regulatory requirements for the data. 3. Define the rules by which particular information classes of instances must be stored, transmitted, archived, transported and destroyed. Many handling requirements result from contractual or regulatory requirements. A thought on physical location As stated earlier, if there are restrictions on the physical location of data, you'll need to find a provider that can handle them. Amazon Web Services uses regions, and many of the other cloud providers offer similar structures. However, you need to ensure the service-level agreements meet your locality requirements. Protecting data in the cloud In the cloud, your data can be in any of the following locations: Local storage of the virtual machine (i.e., processing engine). Data is tied to the virtual machine location and state. Persistent data store (i.e., Amazon EBS or S3, Azure SQL, etc.). Data is independent of virtual machine location and state. In transit on the wire. You will also need to use one of the following methods to meet your data protection requirements: File system and share access control lists: This would be using the access control mechanisms in the offering to ensure appropriate restrictions on the data. This would be used in all cases, but it would not protect from malicious IT staff at the provider. Page 4 of 9

5 Is Your Data Safe in the? : Tactics and Encryption with a mixture of public and private key solutions: This would most likely be used to protect against malicious IT staff at the provider. Transport level encryption: This would be used as a matter of course whenever sensitive information was being passed or transmitted. In closing I strongly insist that everyone classifies their data. Once that is done, there are a couple of cloud issues you need to think about: Is my data stored where is should be? If there are any physical location limits, are those met? Am I protecting against malicious IT staff? The rest should be basic security practices, much like those used in your non-cloud environment. There is nothing obscure about securing data in the cloud. Just remember that "good security is good security" and you should be good to go. : Tactics and By: Bill Kleyman Data security is a concern for any enterprise, and cloud computing often can magnify security anxieties. Adopting a few ground rules will help protect users, their data and your overall cloud investment. The list of security concerns with cloud computing may seem lengthy. In reality, though, cloud security tactics can fall into two main categories: partner-based security or security for Software as a Service, Platform as a Service or Infrastructure as a Service models and end user-based or clientbased security. Here are a few guidelines for securing a private or public cloud. Page 5 of 9

6 Is Your Data Safe in the? : Tactics and Strategically plan your cloud security. Every environment is unique. Give careful consideration to how corporate workloads should be delivered to end users. Placing security at the forefront during the initial planning phase creates a solid foundation and allows compliance-conscious organizations to create a resilient and audit-ready cloud infrastructure. Pick your cloud vendor wisely. According to the Security Alliance, data loss and leakage are the top security threats of cloud computing. It's crucial to choose a cloud partner that can protect your enterprise's sensitive data. When evaluating a cloud partner for corporate IT services, make sure the vendor has experience in both IT and security services. Verify that cloudready risk mitigation is part of the provider's common security practice. And evaluate only cloud providers that have a proven track record integrating IT, security and network services and can provide strategic service-performance assurances. Formulate an identity management system. Every enterprise environment will likely have some sort of identity management system that controls user access to corporate data and computing resources. When moving to the public cloud or building a private cloud, identity federation should be a major consideration. A cloud provider must be willing to integrate an existing identity management system into its infrastructure using identity federation or single sign-on (SSO), or provide its own identity management system. Without this, environments create identity pools in which end users must use multiple sets of credentials to access common workloads. Protect corporate data in the cloud. In a secure IT organization, data from one end user is properly segmented from that of another user. In other words, data at rest must be stored securely and data in motion must move securely from one location to another without interruption. Reputable cloud partners have can prevent data leaks or ensure that unauthorized third parties cannot access data. It's important to clearly define roles and responsibilities to ensure that users -- even privileged users -- cannot circumvent auditing, monitoring and testing, unless otherwise authorized. Page 6 of 9

7 Is Your Data Safe in the? : Tactics and Develop an active monitoring system. Enterprises must continuously monitor data in the cloud. Performance bottlenecks, system instabilities or other issues must be caught early to avoid any outages in services. Failure to constantly monitor the health of a cloud environment will result in poor performance, possible data leaks and angry end users. Organizations that are cloud-ready must plan which monitoring tools to use and how often they must track and monitor data. For example, a company pushing a virtual desktop to the cloud may be interested in the following metrics: SAN use WAN operation Networking issues or bottlenecks Log-in data, i.e., failed attempts, lockout information Gateway information o Where are users coming from, is there suspicious traffic coming into the private cloud o How are IP addresses being used? Is internal gateway routing functioning properly? After that, you can implement manual or automated procedures to respond to any events or outages that occur. It's very important to understand the value behind actively monitoring a cloud solution. By constantly keeping an eye on the cloud environment, IT administrators can proactively resolve issues before an end-user can notice them. Establish cloud performance metrics and test regularly. When researching a cloud service provider -- for public cloud or private cloud -- check that the vendor presents a solid service-level agreement that includes Page 7 of 9

8 Is Your Data Safe in the? : Tactics and metrics like availability, notification of a breach, outage notification, service restoration, average resolution times and so on. Regular proactive testing will remove a great deal of security risks or potential for data leaks. Even though your cloud provider conducts testing, it's imperative to also have internal test procedures in place. IT managers know the environment -- and its end-users' demands -- best. Inconsistencies or irregularities in how cloud-based workloads are being used can lead to security breaches or data leaks. Next steps: Identity federation in the cloud Thorough security tactics must be in place, starting from the host level and continuing all the way through the cloud infrastructure and to the end user. There are several tools on the market to help enterprises secure an investment in cloud computing. Identity federation, for example, helps take credential management to the next level by securing a cloud infrastructure. computing offers great benefits to those environments prepared to make the investment, as long as they make wise and well-researched decisions when evaluating cloud security options. Page 8 of 9

9 Is Your Data Safe in the? : Tactics and Free resources for technology professionals TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. What makes TechTarget unique? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. Related TechTarget Websites Page 9 of 9