Cloud computing is frequently presented as the future of how will interact with our data. More and more systems are moving to the various service routes, from software (such as google docs and gmail) to lesser known options such as “platform as a service.” There is almost nothing that is not available as a service over the internet. (For example, HP offers “everything as a service”)
The business drivers for the cloud are pretty well known now – reduced overheads, scalability, continuity & disaster recovery etc. – and for lots of organisations this trumps the massive range of security concerns.
The most overlooked of which is that while you can outsource the process for protecting your corporate data you can never truly outsource the responsibility. If your cloud provider mess up (i.e. they hire a negligent or malicious employee) it is your data and reputation that is at risk, even if you have a strong enough contract to pass off any fines (and what do you do if the provider simply folds as a result?)
From a security assessment perspective, it is normal to assume you would have some form of encrypted connection to the provider (protecting your data in transit) but it is harder to work out what will protect your data while it resides on the cloud providers servers.
Encryption is the normal standby, but this is not without problems. If you encrypt large blocks of data it makes maintenance, backup and recover all but impossible. If you encrypt at a file level then it becomes cumbersome and again the cloud provider may not be willing to support the service in that state. Lastly, where do you store the encryption keys if all your data is on the cloud?
Recently, a press release from an Israeli company has claimed its has a product which uses encryption “so tough cloud providers can’t crack it”:
An Israeli company claims to have developed a product that provides such strong encryption that it could protect users so their knowledge and co-operation is required – if someone got a court order to access their data. …
The company’s key product, Porticor Virtual Private Data (VPD) offers its customers the ability to protect its range of applications by encrypting both data and the network in the cloud.
If it is effective, this could solve multiple issues in that it protects the data from the the user to the cloud and while it is on the cloud. This is not quite the “holy grail” of cloud security but it is certainly a step in the right direction. Without knowing how they protect the keys in the cloud, it is not possible to assess its value – hopefully this will come over time and the system will achieve an internationally recognised security certification.
There are no easy solutions to this and for some companies the risks will be outweighed by the positive business benefits, which explains why the take up of cloud services is so high. When you are looking for a security product always try to look past the press releases and see if the actual technology has been assessed by an independent agency to make sure it can do what it claims.
As always, the most important thing to do is identify and document your risks. Dont assume the cloud is either good or bad for your company until you have properly assessed what it offers and what you could lose. Without a risk managed approach, everything you do is guesswork.
If you want to discuss more about moving to, or from, the cloud or anything else related to ensuring your security & risk management strategies are cost effective and suitable then get in touch with Halkyn Consulting today and our specialist security consultants will be glad to help.