A recent post from ITWorld reporting on the Cloud Security Alliance (CSA) Summit meeting last week at RSA pointed out several unsettling facts for organizations using cloud resources:
- There is no certification of, or transparency into, the security of a cloud offering
- Cloud providers' first priority is to minimize the security impacts on themselves – customers take a back seat
- The chain of responsibility can be “clouded” – meaning your cloud application or infrastructure provider probably also uses additional resources from other cloud services (monitoring, management, hosting, billing, identity and other elements).
What this comes down to is that the security of your data is your problem, even when using a cloud service with specific data security commitments (though these are few and far between at the moment). Your organization — not your service provider — is accountable for the security of your data. As you decide what to move, and when, from in-house dedicated or virtual environments to cloud-hosted servers or cloud applications, you will need a plan for protecting your critical data at each step.
Now, many enterprises are well past the point of implementing only “less critical” elements in cloud environments – they’ve gone beyond demo environments, development, QA and test setups, or simple file servers. Mission-critical applications and services are going in: production web environments and custom apps that represent critical IP. The unsettling facts about cloud providers discussed at the CSA Summit, combined with the arrival of critical applications in cloud environments, mean that enterprises moving to cloud-based implementations need to make data protection a core element of their cloud strategy.
The cloud usage case where enterprises can really master their data security today is Infrastructure as a Service (IaaS) – whether using a virtual private cloud or IaaS vendors such as Amazon, Savvis, Virtustream, Rackspace or others. Enterprises can take direct control of their data protection in IaaS environments through encryption and access control. Core elements of any solution to the problem must include:
- Common management – Management should be common with the rest of your enterprise data protection
- Transparent encryption – Data needs to be encrypted where stored with minimal performance impact on applications, business processes and users
- Local operation – Encryption needs to be local, with agents operating independently even when network connections fail
- Common access control – Access control should be able to be managed using the same policies, user roles and groups as you use inside of your organization
- Deployable technology – Encryption control, access and policies should be easily deployable as part of your standard cloud instances or provisioning processes
- Integrable elements – Elements must be able to work directly via APIs and interfaces with other management tools and applications
Vormetric meets these requirements with ease - encrypting file systems in local or cloud instances as needed, managing keys for database Transparent Data Encryption (TDE) in cloud database instances, and limiting access to allowed processes and users. Even cloud administrators, root, and domain administrators only see an encrypted “data brick” unless data security permissions allow them access. The solution meets the needs for common management, transparent encryption, local – disconnected – operation, common access control and easy deployability.
Vormetric also provides Security Intelligence by feeding access data into a Security Information and Event Management (SIEM) solution; logs capture attempts by unauthorized users and processes that can indicate an Advanced Persistent Threat (APT) attack as well as access patterns where unusual usage might point to a similar problem.
No matter what solution to these problems you employ, you must be ready to secure your data in cloud environments just as you would data stored locally. At the end of the day, you are responsible and will be held accountable.