Data is at the core of IT security concerns for any organization, whatever the form of infrastructure (cloud or local) that is used. Cloud computing does not change this, but cloud computing does bring an added focus because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that it involves. Security considerations apply both to data at rest (held on some form of storage system) and also to data in motion (being transferred over some form of communication link), both of which may need particular consideration when using cloud computing services.
The type of cloud service also affects the key question of who is responsible for handling particular security controls. For IaaS (Infrastructure as a Service), more responsibility is likely to be with the consumer (e.g. for encrypting data stored on a cloud storage device); for SaaS (Software as a Service), more responsibility is likely to be with the provider, since both the stored data and the application code is not directly visible or controllable by the consumer. Essentially, the questions relating to data risk for cloud computing are about: theft or unauthorized disclosure of data (confidentiality), tampering or unauthorized modification of data (integrity), loss or unavailability of data (availability).
Below are some key steps consumers should take to ensure that data involved in cloud computing activities is properly secure:
- Create a data asset catalog: A key aspect of data security is the creation of a data asset catalog, identifying all data assets, classifying those data assets in terms of criticality to the business (which can involve financial and legal considerations, including compliance requirements), specifying ownership and responsibility for the data and describing the location(s) and acceptable use of the assets.
- Consider all forms of data: Organizations are increasing the amount of unstructured data held on IT systems, which can include items such as images of scanned documents and pictures of various kinds. Unstructured data can be sensitive and require specific treatment ‐ for example redaction or masking of personal information such as signatures, addresses, license plates.
- Consider privacy requirements: Data privacy often involves laws and regulations (i.e, HIPAA) relating to the acquisition, storage and use of personally identifiable information (PII). This requires appropriate controls to be in place, particularly when the data is stored within a cloud provider’s infrastructure. These controls may restrict the geographical location in which the data is stored, for example, which runs counter to one aspect of cloud computing which is that cloud computing resources can be distributed in multiple locations.
- Apply the key security principles of confidentiality, integrity and availability to the handling of the data: Confidentiality of sensitive data can be achieved through encryption, both when it is stored on some medium and also when the data is in transit across a network ‐ for example, between storage and processing, or between the provider's system and a consumer user's system. Integrity of data can be validated using techniques such as secure hash algorithms. Availability can be addressed through backups and/or redundant storage, a failover strategy, resilient systems, and techniques related to the handling of denial‐of‐service attacks.
- Apply identity and access management: A key requirement for moving a consumer application to the cloud is assessing the provider's ability to allow the consumer to assign their user identities into access groups and roles that reflect their operational and business security policies. Cloud providers must allow the cloud consumer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies by providing a secure system for provisioning and managing unique identities for their users and services. Related to this, is the requirement for logging and security event management (e.g. the reporting of any security breaches) relating to the activities taking place in the cloud service provider environment. Note that the logs and reporting mechanisms are also in need of appropriate security treatment, to prevent a wrongdoer from being able to cover their tracks.
- Always ensure you understand your data security risks by partnering with a go-to security partner who will help you keep updated on the latest security threats and vulnerabilities to protect your data on the local network and the cloud. From risk assessments to security testing, to policies to security reviews, a trusted company is important in increasing your understanding of your security risks.
Mr. Tomas Santos-Alejandro is Advent Service’s VP of Operations and he can be reached at firstname.lastname@example.org. Advent Services (www.adventsvcsllc.com) specializes in Information Technology and Security services for government and private sector organizations.