Today in this series, we are going to discuss the most critical business asset of any organization: data. Data security and protection is the primary concern of top management and is often a key driver when addressing the security of both on-premise and off-premise infrastructures.
But, to begin with, let us list the 10 steps to cloud security as defined by the Cloud Standards Customer Council.
Ensure effective governance, risk and compliance processes exist
Audit operational and business processes
Manage people, roles and identities
Ensure proper protection of data and information
Enforce privacy policies
Assess the security provisions for cloud applications
Ensure cloud networks and connections are secure
Evaluate security controls on physical infrastructure and facilities
Manage security terms in the cloud service agreement
Understand the security requirements of the exit process
We will discuss step 4 – Ensure proper protection of data and information.
Data security has always been a critical piece of any information security program. Cloud computing brings more challenges, first because of the shared responsibility model and second because of the distributed environment of cloud computing.
Let us start by understanding the forms of data and the risks associated with them. When we consider cloud computing, there are two forms of data which need to be protected – Data-at-rest and Data-in-transit. There is theoretically a third one as well, data-in-use, but it is mostly used when discussing endpoint protection.
The term data-at-rest is mostly used for data which is held in some form of storage, and data-in-transit means data which is transferred over some communication link.
Some of the major risks associated with data are:
Theft or unauthorized disclosure of data
Tampering or unauthorized modification of data
Loss or unavailability of data
Keeping data longer than needed / E-discovery
Insecure disposal / destruction of data
Although the above risks look generic, each one can have catastrophic consequences in the event of a security incident.
So, how do we secure data in the cloud? Let us first discuss some important considerations that need to be kept in mind, and then we will discuss security controls.
The following are some important considerations when designing data security:
Data identification and classification – Identify all data and consider all forms of data, whether structured or unstructured. A lot of sensitive information is stored in unstructured data such as scanned documents, files, pictures and multimedia. You should identify and clearly document data owners. Data classification should be based on financial value, legal requirements, location and sensitivity. Inter-relationships between different data should also be documented.
Privacy Considerations – There are many privacy laws across different jurisdictions, and more countries are making data privacy laws. It is very important to have procedures for the handling of PII and PHI.
Security Logging and monitoring – SIEM plays a very important role in a cloud environment, and you need to make sure all security logs are collected and reviewed. The procedure for digital forensics in case of a security incident should also be documented.
Data Activity Monitoring – Data handling activity should be monitored. It should log data access, data change, data copy, data file name changes, data classification changes and even data ownership changes.
Now coming to security controls, the CSA in its security guidelines v4.0 has broadly categorized data security controls into 3 categories:
Controlling what data goes in the cloud (and where)
Protecting and managing data in cloud
Enforcing Information lifecycle management policy
There are a large number of data security controls which can be implemented. I would like to discuss two of them here which I think are absolutely necessary in a cloud environment: Data Loss Prevention and Encryption.
Data Loss Prevention
Referred to as DLP for short, it describes controls put in place by organizations to make sure that certain types of data (structured or unstructured) remain under their control. These controls can be either network-based or host-based. They provide an excellent way to monitor data going out of or coming into the cloud infrastructure. However, if some application or API encrypts a portion of the data, DLP may not be able to inspect that portion.
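The DLP blind spot described above, as an added example (not from the original article): a minimal content-inspection check that blocks payloads containing Luhn-valid card numbers and, going beyond the text, flags high-entropy payloads it cannot read. The function names, thresholds and sample data are assumptions constructed for illustration; `stand_in_encrypt` is a placeholder for application-layer encryption, not a real cipher.

```python
import hashlib
import math
import re
from collections import Counter

CARD_RE = re.compile(rb"\b(?:\d[ -]?){13,19}\b")  # candidate card numbers

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def entropy_bits_per_byte(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def dlp_verdict(payload: bytes) -> str:
    """Return 'block', 'uninspectable' or 'allow' for one outbound payload."""
    for m in CARD_RE.finditer(payload):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "block"
    # Assumed thresholds: encrypted (or compressed) content looks near-random,
    # so route it to a policy decision instead of silently allowing it.
    if len(payload) >= 512 and entropy_bits_per_byte(payload) > 7.0:
        return "uninspectable"
    return "allow"

def stand_in_encrypt(key: bytes, data: bytes) -> bytes:
    """Constructed stand-in for application-layer encryption (XOR with a
    SHA-256 keystream). Illustration only, not a cipher to deploy."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed sample data; 4111 1111 1111 1111 is the well-known test card number.
RECORDS = b"".join(b"order=%05d;card=4111 1111 1111 1111;amount=19.99\n" % i
                   for i in range(20))
NOTE = b"Quarterly report attached, no customer data included.\n"

if __name__ == "__main__":
    print("plaintext export :", dlp_verdict(RECORDS))
    print("ordinary note    :", dlp_verdict(NOTE))
    print("encrypted export :", dlp_verdict(stand_in_encrypt(b"constructed-key", RECORDS)))
```

The same export that is blocked in plaintext comes back as `uninspectable` once encrypted, which is why a DLP policy needs an explicit rule for content it cannot read.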
Encryption
One of the most trusted security controls in the cloud, encryption is used in various ways to make sure data is secured. It is used to encrypt both data-at-rest and data-in-transit.
For data-at-rest, there are different ways of encrypting data depending on the service. I will not go into the details of how data is encrypted, but the following encryption methods are used:
IaaS: For volume storage encryption, instance-based encryption or externally managed encryption is used. For object and file encryption, the three methods used are client-side, server-side and proxy encryption.
PaaS: Database encryption and application layer encryption are the two methods of encryption in the PaaS service model.
SaaS: Data in this service model is encrypted through provider-level encryption or proxy encryption.
As far as data-in-transit is concerned, encryption is applied through SSL and IPsec.
One of the most important aspects of encryption is Key Management. As a rule of thumb, you should always make sure that keys are separated as far as possible from the encrypted data. There are a number of options available for key management, such as an HSM/hardware-based appliance or virtual/software-based appliances. The cloud service provider can also provide key management, but one should be careful when selecting this option to prevent key exposure.
There are other data security controls as well, like Enterprise Rights Management (ERM), Data Masking etc. Traditional controls like backups and business continuity also remain relevant. A strong authorization policy, managing data locations and ensuring compliance also go a long way in maintaining the confidentiality, integrity and availability of data in the cloud.
Lastly, I would like to say that data security is a huge and critical subject when it comes to cloud security, and in no way would I like to say that the points covered above are exhaustive in nature.