Going Virtual: The Security Considerations of Public vs. Private Cloud
Travis N.
Cloud computing can bring significant benefits to your IT operation, but it also carries security risks, so organizations need to understand how to take advantage of what it offers without putting their data at risk. This article describes how to develop a cloud computing strategy that combines scalability with security.
Two main factors attract companies to the cloud. The first is cost efficiency: eliminating capital expenditure on local servers frees up money for other IT projects (although companies should not underestimate the hidden costs of migrating to cloud infrastructure and then managing it).
The second potential benefit is flexibility. Companies can scale their computing resources up and down in line with demand. This flexible approach to provisioning computing and storage resources can make the business more agile.
Data Dangers in the Public Cloud
However, moving data from your private cloud into the public cloud carries security risks of its own. One of the biggest is simply who can reach your data.
External intruders who compromise a cloud service provider's systems are then one step from the data of every tenant, yours included. Another often-overlooked danger for customers of public cloud infrastructure is the provider's own employees.
Insider threats are a problem for every company, including those hosting customers' data in the cloud. Insiders could steal your data for profit or put it at risk unwittingly.
Weak control of the administrative account is just as dangerous, and it is what finished Code Spaces in 2014. The company offered cloud-based management of software developers' source code and hosted its customers' data on Amazon Web Services™ (AWS®), but it did not encrypt that data or protect its administrative account well enough. Attackers gained control of its Amazon® console and deleted its customers' data, and its backups along with it, effectively putting it out of business. Note that encryption alone would not have stopped a deletion: the lesson is that whoever controls the account controls the data, so the account itself, and copies of the data held outside it, need protecting.
Unless you can apply the same security policies to your data in a public cloud as you can in a private, on-premises cloud, you may hesitate to move it across. A 2016 survey by the Cloud Security Alliance found that more than two-thirds of respondents (67.8%) saw this inability as a key obstacle to cloud migration.
Security Solutions for Public Cloud
There are ways to mitigate the risk. The first and most fundamental is to vet the provider properly, and there are a couple of frameworks to help. ISACA®, a nonprofit industry organization that promotes effective IT governance and controls, suggests the ISO/IEC 9126 standard (“Information technology—Software product evaluation—Quality characteristics and guidelines for their use”, since superseded by ISO/IEC 25010). It is aimed primarily at assessing software product quality, but ISACA says it has merit for evaluating SaaS and other cloud services.
Another popular evaluation tool is the Cloud Security Alliance® Security Guidance, which is backed by the Cloud Controls Matrix, a catalogue of security controls a cloud service provider should have in place. Its companion, the Consensus Assessments Initiative Questionnaire (CAIQ), turns those controls into a list of questions a provider can answer, which is the practical instrument for comparing candidates.
Complement this due diligence with controls on the technology side. You can help protect your data by encrypting it at rest on the provider's servers, shielding it from prying eyes. The protection is only as strong as your control over the keys: if the provider, or anyone who takes over your account, can use them, encryption at rest guards against a stolen disk rather than a compromised console. A related technique is tokenization, which substitutes unique tokens for sensitive values in data records. The tokens are references to the actual data, which is held elsewhere in a protected environment, so the records that go to the cloud contain nothing worth stealing.
In some cases, this tokenized sensitive data may be held on servers located on a company’s own premises. In others, a cloud access security broker (CASB) can store personally identifiable information (PII) in its own token vault.
The CASB can be a powerful ally when building out a cloud-based data storage strategy. It acts as your online gatekeeper, providing additional services such as data loss prevention (DLP), which stops data that should not leave your network from reaching a cloud service provider's systems. It can also enforce security policies based on how you have classified your data.
Data classification is an important part of the cloud storage challenge. It will be difficult for companies to know how and where to store data unless they understand what it represents and how it relates to their business processes.
Use data classification tools to tag data with information including its sensitivity level, who created it, who is responsible for it, and how long it should be kept. Based on those tags, you can decide whether to keep it on your premises, send it to the cloud as-is, or send it only after the sensitive fields have been tokenized.
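The tokenization, CASB and classification paragraphs above describe one pipeline: tag each record, let a gatekeeper apply policy to the tags, tokenize what may leave and block what may not. The Python below is an added example written for this page, not code from the article or from any CASB product; the record layout, tag names, DLP patterns and sample records are all invented for illustration. It goes one step beyond the text by also scanning untagged fields, since a classification tag that is wrong is the most common way sensitive data slips past a tag-driven policy.

```python
"""Added example (not the article's code): a minimal CASB-style gate.

Each record carries classification tags: sensitivity, owner, retention and
which fields hold PII. Before a record leaves for a cloud service the gate
  1. blocks anything classified 'restricted' (it stays on premises),
  2. blocks records where a DLP scan finds PII in a field nobody tagged,
     so a mis-classified record cannot leak just because its tag is wrong,
  3. swaps tagged PII fields for random tokens kept in a local vault,
  4. lets everything else through unchanged.
Only the tokenized copy leaves the network; the vault never does.
Tag names, field names and sample records are invented for this example.
"""
import re
import secrets

# Patterns the DLP scan applies to untagged fields (constructed, deliberately simple).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


class TokenVault:
    """On-premises token vault. Tokens are random, so unlike a hash they reveal
    nothing about the value even for guessable data such as SSNs."""

    def __init__(self):
        self._by_token = {}  # token -> real value
        self._by_value = {}  # real value -> token, so equal values get equal tokens

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def dlp_scan(data, tagged_fields):
    """Names of untagged string fields whose value looks like PII."""
    return [name for name, value in data.items()
            if name not in tagged_fields and isinstance(value, str)
            and any(p.search(value) for p in PII_PATTERNS.values())]


def gate(record, vault):
    """Return ('block', reason) or ('allow' | 'tokenize', copy safe to send to the cloud)."""
    tags = record["tags"]
    if tags["sensitivity"] == "restricted":
        return "block", "restricted data stays on premises"

    pii_fields = tags.get("pii_fields", [])
    leaks = dlp_scan(record["data"], pii_fields)
    if leaks:
        return "block", "untagged PII in field(s): " + ", ".join(leaks)

    cloud_copy = {"id": record["id"], "tags": tags, "data": dict(record["data"])}
    for name in pii_fields:
        if name in cloud_copy["data"]:
            cloud_copy["data"][name] = vault.tokenize(cloud_copy["data"][name])
    return ("tokenize" if pii_fields else "allow"), cloud_copy


def rehydrate(cloud_copy, vault):
    """On-premises consumer: restore real values in a record fetched back from the cloud."""
    data = dict(cloud_copy["data"])
    for name in cloud_copy["tags"].get("pii_fields", []):
        if name in data:
            data[name] = vault.detokenize(data[name])
    return data


def process(records, vault):
    """Run every record through the gate; returns {record id: (decision, payload)}."""
    return {r["id"]: gate(r, vault) for r in records}


# Constructed sample records. Sensitivity is one of public | internal | confidential | restricted.
RECORDS = [
    {"id": 1, "tags": {"sensitivity": "internal", "owner": "sales", "retain_days": 365},
     "data": {"customer": "Acme Corp", "region": "EU"}},
    {"id": 2, "tags": {"sensitivity": "confidential", "owner": "hr", "retain_days": 2555,
                       "pii_fields": ["ssn", "email"]},
     "data": {"name": "Pat Smith", "ssn": "123-45-6789", "email": "pat@example.com", "dept": "eng"}},
    {"id": 3, "tags": {"sensitivity": "restricted", "owner": "legal", "retain_days": 3650},
     "data": {"matter": "pending litigation notes"}},
    # Mis-classified: tagged internal with no PII fields, yet the free-text note holds an SSN.
    {"id": 4, "tags": {"sensitivity": "internal", "owner": "support", "retain_days": 90},
     "data": {"ticket": "refund", "note": "caller gave ssn 987-65-4321"}},
]

if __name__ == "__main__":
    vault = TokenVault()
    for rid, (decision, payload) in process(RECORDS, vault).items():
        print(rid, decision, payload if decision == "block" else payload["data"])
```

Running it sends record 1 through untouched, replaces the SSN and e-mail in record 2 with vault tokens, and blocks records 3 and 4: the first because it is restricted, the second because the scan found an SSN in a field the owner never tagged. The design choice worth noting is that tokens are random rather than hashed; a hash of an SSN can be reversed by enumerating the roughly one billion possible values, whereas a random token is only useful to someone who also holds the vault, which is exactly what stays on your premises.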
Armed with these techniques, companies can take advantage of cloud computing without sacrificing security. In a world where privacy regulations are pressuring companies to be increasingly vigilant about data protection, a little forethought when planning your cloud security strategy will go a long way.
Danny Bradbury has been a technology journalist since 1989. He writes for titles including the Guardian® newspaper and Canada’s National Post®. Danny specialises in areas including cybersecurity and also cryptocurrency. He authors the About Bitcoin website and also writes a regular blog on technology for children called Kids Tech News. You can follow Danny on Twitter® at @DannyBradbury