On a Saturday morning a few weeks ago, I was at home having breakfast with my family around the kitchen table. Suddenly, in between eating and chatting about plans for the day, we heard something scurry across the ceiling. It sounded like a fast moving squirrel. Of course, my wife exclaimed that I needed to call an exterminator right away for immediate removal of whatever was crawling above us. I had a different idea. I thought with a trip to Home Depot I could tackle this problem myself.
Once at Home Depot, I found a dizzying array of products and contraptions for rodent control – everything from various poisons to electronic equipment to mouse traps to metal cages. Lots of products and options with various prices for what I thought was a relatively simple problem. I wanted to catch whatever scurried across my ceiling and let it go humanely, and identify the root cause – likely access to my attic through the roof somewhere.
On the drive home, after a few items purchased, I couldn’t help but to think about how a CISO might feel if she walked into a Home Depot equivalent store of enterprise IT solutions and services to help solve her data security concerns when moving workloads to the cloud. Imagine an isle dedicated to ‘Data Security Solutions’ with a multitude of products and services varying from web application firewall to identity and access management to encryption and key management to database activity monitoring solutions and so on. Where does one begin? Where’s the independent ‘data security’ specialist employee when you need help to sort through all the options and potential solutions?
I try to keep things simple when it comes to cloud security. There are three questions a CISO should ask of herself to improve her risk posture of securing data in the cloud.
- Who owns the data you’re trying to protect?
- Who owns and manages the key to the data?
- Who, what, etc. can decrypt the data and have access?
Let me expand.
Ownership of the data relies solely with the creator, and not the third party cloud service provider. Even if you have a solid contract between you and your service provider to manage liability upon a data breach, your customers assume you own the data regardless of any contracts. You’re responsible and with that responsibility carries the duty to use reasonable and prudent methods to protect the data. Don’t become the next Code Spaces.
As for key ownership, there’s basically two models to consider for encrypted data. Either you own and manage the key, or you allow your service provider to own and manage your key on your behalf. Each model has its own risks and that will depend on the level of risk and cost you’re prepared to take on. As a best practice, as the owner of the data, you should own and manage the key.
For access to the data, can you define who from your own enterprise and service provider can access the data in the clear? If privileged insiders, like IT administrators or even cloud service provider administrators, and business owners can access the data equally, the data just isn’t secure, even if the data is encrypted at-rest. Enterprise and cloud service provider administrators should not be granted access to the data, as they don’t need access to the data to do their jobs. Only business owners (and their IT applications) should be given access. Defining and controlling who and what can access the data is critical to any reasonable information security plan for protecting data in the cloud.
As a CISO, if you can provide answers in confidence to the above questions around your most sensitive and confidential information, you can rest a little easier. And if you can’t and find yourself walking down the isle of ‘Data Security Solutions’ at your local big box enterprise IT solutions store and confused by the volume of different solutions available for stronger data security in the cloud, don’t be.
For a robust cloud security solution, the key ingredients are straight forward:
(i) an extensible platform that provides data protection across multiple operating systems and data types (structured, unstructured) that can be managed through a single pane of glass,
(ii) encryption leveraging industry standard approved algorithms and centralized key management,
(iii) flexibility in deployment models – on-premise, off-premise, public, private or hybrid clouds – maximizing optionality for taking advantage of the cloud,
(iv) and, finally, the ability to restrict access to those personnel (and their IT applications) who only need access to the data – addressing the insider threat within your enterprise and cloud service provider.
Read the back of the box carefully before making the decision to purchase, and save your receipt after your purchase.
At Vormetric, we’re working with some of the largest enterprises, government and cloud service providers in the world to help defend data – on-premise and in the cloud. We welcome the opportunity to engage and discuss how we can help with your cloud security challenges – whether you’re a business, government, cloud/hosting provider, or managed service provider.
Let me know what you think or if we can help, you can drop me a note at firstname.lastname@example.org.
By the way, my roof had a broken vent pipe for which a couple of squirrels had discovered by taking advantage of a nearby tree from my roofline. I sealed the broken vent pipe, and then used a small cage to catch the squirrels in my attic and release them in my backyard.