Yesterday, Russia granted Edward Snowden one year’s asylum. This comes after weeks of being holed up in a Moscow airport, awaiting his fate. Snowden was a contract system administrator for the National Security Agency (NSA). With his access rights, he was able to reach extremely sensitive information such as XKeyscore, which the NSA describes as its “widest reaching” system for developing intelligence from the Internet. Just yesterday, he released more of the information he obtained during his time at the NSA.
The Snowden saga has highlighted the risk presented by privileged users and their ability to see data in the clear. But what does this mean for enterprises and their desire to move to the cloud?
Simple: as enterprises look to take advantage of the cloud for increased business agility, reduced capex, scalability and all the other classic benefits of a cloud environment, they can learn from the Snowden situation the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud can be as secure as, or more secure than, an on-premises solution.
Enterprises must protect their data from (i) system administrators who don’t need to see the data in the clear and (ii) adversaries who become system administrators through stolen credentials. The Snowden situation reminds us why system administrators shouldn’t be given full access to data, on-premises or in the cloud. And the news reminds us quite regularly of data breaches that resulted from the stolen credentials of privileged users. So, what must enterprises do to protect themselves as they migrate to the cloud?
In short, enterprises must take control of their data. The best way to do this is by firewalling the data using fine-grained access controls and policies, strong encryption and centralized key management. Without access controls, system administrators retain full visibility into the data, whether it is located in the cloud or on-premises. With a policy-based data firewall, privileged users get the access they need to do their jobs of managing the data, but no more.
By instituting a data firewall, organizations can block privileged users from accessing the data in the clear and reduce the attack surface for adversaries, paving the way for safe cloud adoption.
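One way to implement the split described above, as an added example that is not code from the original post: a small Go data firewall that holds the data key centrally, checks every request against a role policy and logs the decision, and lets a sysadmin back up the ciphertext without ever obtaining plaintext. The role names, policy table and key are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed role -> allowed-operation policy. "manage" is the sysadmin's job
// (copy, back up, delete ciphertext); "read" alone yields plaintext, and it is granted by policy.
var policy = map[string]map[string]bool{"analyst": {"read": true}, "sysadmin": {"manage": true}}
// DataFirewall holds the data key centrally and logs every access decision.
type DataFirewall struct {
	aead cipher.AEAD
	Log  []string
}
// NewDataFirewall wraps a 32-byte data key in AES-256-GCM; the key never leaves it.
func NewDataFirewall(key [32]byte) *DataFirewall {
	block, _ := aes.NewCipher(key[:]) // cannot fail: 32 bytes is a valid AES-256 key
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	return &DataFirewall{aead: aead}
}
func (f *DataFirewall) allow(role, op string) bool {
	f.Log = append(f.Log, fmt.Sprintf("role=%s op=%s allowed=%t", role, op, policy[role][op]))
	return policy[role][op]
}
// Store encrypts under a fresh random nonce; blob = nonce || ciphertext+tag.
func (f *DataFirewall) Store(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return f.aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Read decrypts only for roles whose policy grants "read"; tampered blobs fail to open.
func (f *DataFirewall) Read(role string, blob []byte) ([]byte, error) {
	if ns := f.aead.NonceSize(); f.allow(role, "read") && len(blob) >= ns {
		return f.aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("policy denied")
}
// Backup is what "manage" permits: a copy of the ciphertext, never plaintext.
func (f *DataFirewall) Backup(role string, blob []byte) ([]byte, error) {
	if !f.allow(role, "manage") {
		return nil, errors.New("policy denied")
	}
	return append([]byte(nil), blob...), nil
}
```

The Log slice is what a detection team would ship to its SIEM: a denied "read" from an administrative role is exactly the event worth alerting on.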
What sort of policies has your organization instituted to ensure a safe and secure path to the cloud?