Thales Blog

Cloud Security – Just Build It In

March 20, 2014

It isn’t any surprise that Cloud Security is still at the top of every Enterprise’s concerns about using cloud resources and services.  Since the inception of cloud services, security has been a top concern, and one of the reasons that the largest investments by enterprises to date have been private cloud related.  That hasn’t stopped lines of business from using cloud services without authorization, or stopped enterprises from putting their “toe in the water” with non-critical projects, limited SaaS applications and more.  Gartner is even predicting that half of large enterprises will have a hybrid cloud implementation of some sort within three years.

But it is also true that they’d love to do more, and can’t without adequate reassurance and more security controls.  Next month we’ll be releasing details of a survey recently completed by Vormetric that details enterprise concerns around cloud, and also the visibility and security controls they need to be able to increase investment. Look for a blog from me around this time next month for complete details.  For the data side of the security equation, one suggestion has been to consistently encrypt data for any type of cloud solution – SaaS, IaaS, PaaS, and to have enterprises control their own keys and data access.

It’s interesting that one use case that didn’t surface frequently a year ago is now a real driver for this – keeping disclosures to government agencies under the control of the enterprise.  Here’s how that works.  If your cloud or SaaS provider encrypts your data and controls the keys, they can be compelled to provide them to a government agency without notification to your organization.  If you control the keys to your data, that government agency can’t do this at arm’s length.  You’ll know that they want to access your data, because they will have to ask you for the keys.  This also creates a barrier to other possible exposures at the cloud provider due to a compromise of their infrastructure, security management accounts, or work by a third party.
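The custody model described above, as an added illustration (this is example code written for this page, not Vormetric’s product or any provider’s API): each object is encrypted under its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that never leaves the enterprise’s key server, and the provider stores only ciphertext plus the wrapped DEK. Anyone who wants plaintext must ask the enterprise key server to unwrap, and that request is logged. The key server, object layout, object id and requester names are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; a failure here is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadSeal encrypts with AES-256-GCM, binds aad, and prepends the random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// aeadOpen reverses aeadSeal; a wrong key, wrong aad or altered blob fails authentication.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyServer models the key manager that stays inside the enterprise: the KEK never leaves it, callers only get DEKs unwrapped, and every unwrap is logged.
type KeyServer struct {
	kek      []byte
	AuditLog []string
}

func NewKeyServer() *KeyServer { return &KeyServer{kek: randomBytes(32)} }

// UnwrapDEK is the only path back to a usable DEK, so whoever wants the data must come to the enterprise, and the request leaves a record.
func (s *KeyServer) UnwrapDEK(wrapped []byte, objectID, requester string) ([]byte, error) {
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("unwrap object=%s requester=%s", objectID, requester))
	return aeadOpen(s.kek, wrapped, []byte(objectID))
}

// CloudObject is everything the provider holds: ciphertext plus the wrapped DEK.
type CloudObject struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Store encrypts under a fresh per-object DEK and wraps that DEK under the enterprise KEK.
func Store(ks *KeyServer, id string, plaintext []byte) (CloudObject, error) {
	dek := randomBytes(32)
	ct, err := aeadSeal(dek, plaintext, []byte(id))
	if err != nil {
		return CloudObject{}, err
	}
	wrapped, err := aeadSeal(ks.kek, dek, []byte(id)) // object id bound as AAD
	if err != nil {
		return CloudObject{}, err
	}
	return CloudObject{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Retrieve decrypts through the key server; a KeyServer holding a different KEK (the provider's, or anyone else's) fails at the unwrap step and gets nothing.
func Retrieve(ks *KeyServer, obj CloudObject, requester string) ([]byte, error) {
	dek, err := ks.UnwrapDEK(obj.WrappedDEK, obj.ID, requester)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, obj.Ciphertext, []byte(obj.ID))
}

func main() {
	ks := NewKeyServer()
	obj, _ := Store(ks, "records-2014Q1", []byte("constructed sample record")) // constructed object
	pt, err := Retrieve(ks, obj, "alice@enterprise.example")
	_, providerErr := Retrieve(NewKeyServer(), obj, "provider") // a party without the enterprise KEK
	fmt.Printf("enterprise: %q err=%v; provider: %v; audit: %v\n", pt, err, providerErr, ks.AuditLog)
}
```

Binding the object id as GCM additional data means a wrapped DEK cannot be quietly re-attached to a different object, and the audit log on the key server is the enterprise’s record of every request for access, which is the visibility the paragraph above is after.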

For enterprises using ‘Infrastructure as a Service’ cloud services it’s an obvious solution.  Solutions that can keep your keys to encrypted cloud data locally within your enterprise environment are available today (including a great solution for this from Vormetric).  Access controls to accompany this are the next part of the requirement – and should be integrated with the local system roles for your instances as well as with any Identity and Access Management solution in use for the cloud environment.  The last piece of the data protection equation is to monitor the actions of your users within the cloud environment, looking for patterns that may indicate that their account has been compromised.
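The monitoring step above, worked through as an added example (not code from the original post or from any Vormetric product): the key-server audit trail is one natural place to look for compromised accounts, since every read of encrypted data has to pass through an unwrap request. The log format, the requesters, addresses and object ids, and the baseline of known addresses are all constructed for the example; the two patterns checked, requests from an address outside a user’s baseline and a burst of requests in a short window, are the example’s own choice of what “patterns that may indicate a compromised account” might mean in practice.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed line from an enterprise key server's unwrap audit log.
type Event struct {
	Time                        time.Time
	Requester, SourceIP, Object string
}

// Finding is one suspicious pattern attributed to a requester.
type Finding struct{ Requester, Reason string }

// SampleLog is constructed for this example, not taken from any real system.
// Each line: RFC 3339 time, requester, source address, object id.
const SampleLog = `2014-03-19T09:00:00Z alice 10.1.1.5 obj-001
2014-03-19T10:15:00Z alice 10.1.1.5 obj-002
2014-03-19T11:30:00Z bob 10.1.1.9 obj-003
2014-03-19T13:00:00Z alice 10.1.1.5 obj-001
2014-03-19T22:00:00Z bob 203.0.113.7 obj-001
2014-03-19T22:00:10Z bob 203.0.113.7 obj-002
2014-03-19T22:00:20Z bob 203.0.113.7 obj-003
2014-03-19T22:00:30Z bob 203.0.113.7 obj-004
2014-03-19T22:00:40Z bob 203.0.113.7 obj-005`

// ParseLog turns the raw text into events; a malformed line is an error, not silently dropped.
func ParseLog(raw string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: want 4 fields, got %d", n+1, len(f))
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		events = append(events, Event{Time: ts, Requester: f[1], SourceIP: f[2], Object: f[3]})
	}
	return events, nil
}

// Detect flags two patterns that suggest a requester's account may be compromised: key
// requests from an address outside that requester's baseline set, and at least `limit`
// requests inside any span of length `window`.
func Detect(events []Event, baseline map[string]map[string]bool, window time.Duration, limit int) []Finding {
	byUser := map[string][]Event{}
	var order []string // first-seen order keeps the output deterministic
	for _, e := range events {
		if _, seen := byUser[e.Requester]; !seen {
			order = append(order, e.Requester)
		}
		byUser[e.Requester] = append(byUser[e.Requester], e)
	}
	var findings []Finding
	for _, user := range order {
		evs := byUser[user]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		reported := map[string]bool{}
		for _, e := range evs {
			if !baseline[user][e.SourceIP] && !reported[e.SourceIP] {
				reported[e.SourceIP] = true
				findings = append(findings, Finding{user, "key requests from address outside baseline: " + e.SourceIP})
			}
		}
		start := 0 // sliding window over the time-sorted events
		for end := range evs {
			for evs[end].Time.Sub(evs[start].Time) > window {
				start++
			}
			if end-start+1 >= limit {
				findings = append(findings, Finding{user, fmt.Sprintf("%d key requests within %s", end-start+1, window)})
				break
			}
		}
	}
	return findings
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	// Constructed baseline: the addresses each requester has been seen from before.
	baseline := map[string]map[string]bool{"alice": {"10.1.1.5": true}, "bob": {"10.1.1.9": true}}
	for _, f := range Detect(events, baseline, 5*time.Minute, 5) {
		fmt.Printf("%-6s %s\n", f.Requester, f.Reason)
	}
}
```

On the constructed log, alice’s three daytime requests from her usual address produce nothing, while bob is flagged twice: once for requesting from 203.0.113.7, which is outside his baseline, and once for five requests inside a five-minute window. Thresholds and baselines are the tuning knobs here; the point is that because the enterprise holds the keys, it also holds the log that makes this check possible.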

What makes the most sense is for new cloud services to be built with security as the number one priority by service providers, for existing services to extend their security postures with strong controls, and for enterprises to have strict guidelines about what is acceptable.  The people over at the Cloud Security Alliance have already done much of the homework for the rest of us.  Take a look at their Cloud Controls Matrix as a good starting point (full disclosure … Vormetric is an active member of CSA) both for evaluating cloud providers and for implementing your own controls as a cloud-using organization.

In a trend that you’ll see more of moving forward, smaller and medium organizations are already viewing implementations like Amazon Web Services or Google Compute Engine as more secure than those that they can create internally.  And for those service providers who are targeting the largest of the enterprises or government sector, look for continued innovation in their data security capabilities where they'll be offering their customers the ability – either managed or unmanaged – to control their own keys and data access policies.