We’ve grown used to hearing about breach incidents on a daily basis, some of which involve the theft of sensitive details and files from cloud environments. Because cloud computing has transformed the way organisations and individuals approach IT, enabling more agile and cost-effective ways of working, the type and volume of data hosted in cloud architectures has increased exponentially, making it a target increasingly worthy of unwanted attention from threat actors.
From the point of view of protecting this data, the distributed nature of cloud computing makes security particularly challenging. Without very careful design and control, cloud environments can be difficult to audit and monitor, which raises questions such as:
- Have files been duplicated across the environment?
- Who exactly has access to those files and any copies of them?
- Do third parties, such as administrators of public cloud services, have access to the data?
- Are there assurances about whether they will share their access with any other parties?
Specific security challenges pertain to each of the three cloud service models – Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Here they are with some general advice on security best practice:
- SaaS deploys the provider’s applications running on a cloud infrastructure; it offers anywhere access, but also increases security risk. With this kind of service model, it’s essential to implement policies for identity management and access control to applications. For example, with Salesforce.com, only certain salespeople may be authorised to access well-defined objects, fields and records within the environment. Tokenization and data masking applied via a cloud gateway are also core solutions for protecting sensitive data in SaaS applications.
- PaaS is a shared development environment, such as Microsoft Windows Azure, Salesforce's Force.com, or Google App Engine, where the consumer controls deployed applications but does not manage the underlying cloud infrastructure. This cloud service model requires strong authentication to identify users, an audit trail, and the ability to support compliance regulations and privacy mandates.
- IaaS lets organisations and individuals provision complete computing environments as if they were deploying physical servers, on an ongoing or as-needed basis. Everything required is available: processing, storage, networks, and other fundamental computing resources. The consumer controls operating systems and storage, as well as complete application sets with multiple servers. As with Amazon Elastic Compute Cloud (EC2), the consuming organisation does not manage or control the underlying cloud infrastructure. In this instance, data security is typically a shared responsibility between the cloud service provider and the cloud consumer. Data encryption, access controls, and data access monitoring information, all without the need to modify applications, are key requirements in this environment to remove the custodial risk of IaaS infrastructure personnel accessing sensitive data, and to protect organisations from compromises of their administrative accounts.
Compliance, regulation and protection from this ongoing stream of data breaches are core drivers for the need to properly control access to data in the cloud, but they vary widely with organisation type (financial and healthcare organisations, for instance, have specific needs) and with the legal jurisdiction where the information originates. With over 100 national data privacy regulations in place today, and compliance requirements for specific industries multiplying rapidly, organisations need to make a clear assessment of their needs as they make use of cloud resources.
More information and advice on securely transitioning to the cloud can be found in this Vormetric whitepaper. There will be several blog articles and relevant resources shared by Vormetric this month around the theme of cloud security so, if it affects you, be sure to check back regularly.