I spend a lot of time these days speaking with people about embracing cloud technologies; and conversations quickly turn to the topics surrounding cloud security, cloud trust, and generally protecting assets in the Cloud.
These are not necessarily simple conversations to have, because they generally involve thinking about things differently. As you move from infrastructure as a service (IaaS) up the stack through platform as a service (PaaS) and then up to software as a service (SaaS), the facilities available to you and the security constructs you can build all vary.
As a result, the temptation is to either avoid the Cloud, brushing it off as “must not be as secure” or embrace it thinking “I moved to the Cloud so I have no security worries”. As is usually the case, neither extreme view is accurate.
Let’s start with three of the responsibilities you can never give away:
- Your data will ALWAYS be your data and your responsibility.
- Managing access control and user identities is always your problem.
- Incident response is also always your problem, although a provider may assist.
In the SaaS delivery model, you have no responsibility for security beyond the items listed above. You have no choice but to trust the cloud provider to deliver a secure solution from the data center through to the application layer. You can (and should) do the all the reference checking and legal and technical reviews possible, but at the end of the day there is no SaaS provider that lets you modify their code base or infrastructure implementations. You either use their service as delivered, or you do not. So how do you address these three basic responsibilities?
Your Data is Your Data
It really doesn’t matter where you put your data, or to whom you give copies: it is your responsibility to secure, and your consequences to manage if it falls into the wrong hands. But when you put data in the Cloud, you do have options:
- Trust the cloud provider’s protection mechanisms. Many cloud providers deliver a very strong security solution along with their product offering. The standard rules for security apply, which means you usually only want to provide “commercially reasonable” protection which seldom requires you to do anything beyond the stock service offer. Cloud or not, you do the risk analysis and decide if the protection offered is appropriate to the value of the data.
- Leverage encryption technology. Implementation varies drastically depending on specific SaaS platforms, specific IaaS solutions, and to virtual machines, but encryption technology can essentially be broken down to data in transit, data at rest, and data in use. Very few technologies currently allow for encrypted data to be computed on, but this is an expanding area worth watching. The more easily understood topics are data at rest and data in transit. For data in transit, the usual options present themselves to ensure secure transmission between user, virtual machines, and cloud services (think TLS, etc.). For data at rest, the options are always service-specific and sometimes very complex to deploy. The biggest question when deploying encryption solutions is just how much you want to trust the cloud provider with the encryption keys. Assuming the data needs to be decrypted to be used, you will have to provide the cloud service with the keys or unencrypted data at some point, even if only for a short time. This means that you need to decide whether you will keep the keys on your premise and share them only as/when needed or leverage a cloud provider’s security solution (such as Azure’s KeyVault based by Hardware Security Modules (HSM).
- Leverage data tokenization technology. Data tokenization is the process by which you keep your most critical data outside of the cloud service. In simplistic terms, you place a token where you’d normally need to place your data, and an additional agent uses that token to go to retrieve the real data only when it is required and when it is safe to do so. Solutions such as CipherCloud and Vaultive are good examples of data tokenization applied to various SaaS solutions such as Office365, SalesForce, and others.
Next week, learn more about how managing access control and user identities will always remain in your wheelhouse as a customer.
Other installments in this series: