Articles and blog posts associated with security and cloud computing are a daily occurrence, unless some well-publicized breach occurs in the cloud. At that point the number of commentaries and discussions will increase exponentially, and then, over the following week, return to normal frequency. I decided to focus on security as it relates to cloud storage, to see if something really new and different is occurring, and if overall changes need to be contemplated when it comes to classic data security activities. When I focused in this way, I quickly discovered that not much has changed, and security of data in the cloud is highly dependent on the same precautions and understandings as security of your data in a private data center.
In this recent article, it was suggested that files of one owner residing on a physical device with the files of others could somehow result in unauthorized access. It could, and the answer to this and a myriad of other concerns fits within traditional approaches and understandings of security. For example, Mezeo encrypts all files prior to storage. So, even if you somehow got access to another’s file, it would do you no good. My point is that the cloud introduces a few additional complications, but it is not the problem that the current level of speculation seems to portray it as. What is required is an extension of typical security practices, along with diligence, effective execution and audit of your current practices.
With this underlying theme, we look at how best we can ensure the security of the data in the cloud. Let’s look at five areas that you should consider with regard to storing data in the cloud.
1. Physical Security: First, understand some things about the data center that is hosting the cloud where your data is stored:
- Is the data center physically secure?
- What about its ability to withstand power outages? For how long?
- Are there multiple, independent (on different grids) electrical power paths?
- How are communications facilities enabled and where does the fiber enter the facility?
- How many communications providers have a POP (point of presence) at the facility?
- How is the data center certified (SAS 70 Type II)?
World class data centers are expensive, and they are also well understood. What is the tier rating of the data center? (Tier IV is best.) Make sure you do business with a cloud storage service provider who makes use of such facilities.
2. Data encryption: Encryption is a key technology for data security. Understand data in motion and data at rest encryption. Remember, security can range from simple (easy to manage, low cost and quite frankly, not very secure) all the way to highly secure (very complex, expensive to manage, and quite limiting in terms of access). You and the provider of your Cloud Storage solution have many decisions and options to consider. For example, do the Web services APIs that you use to access the cloud, either programmatically or with clients written to those APIs, provide SSL encryption for access? This is generally considered to be a standard. Once the object arrives at the cloud, it is decrypted and stored. Is there an option to encrypt it prior to storing? Do you want to worry about encryption before you upload the file for cloud storage, or do you prefer that the cloud storage service automatically do it for you? These are options. Understand your cloud storage solution and make your decisions based on desired levels of security.
3. Access Controls: Authentication and identity management are more important than ever. And, it is not really all that different. What level of enforcement of password strength and change frequency does the service provider invoke? What is the recovery methodology for password and account name? How are passwords delivered to users upon a change? What about logs and the ability to audit access? This is not all that different from how you secure your internal systems and data, and it works the same way: if you use strong passwords, changed frequently, with typical IT security processes, you will protect that element of access.
4. Service Level Agreements (SLA): What kind of service commitment is your provider willing to offer you? Are they going to be up 99.9% of the time or 99.99% of the time? And how does that difference impact your ability to conduct your business? What is the backup strategy that your cloud provider uses, and does it include alternative site replication? Do they use one at all, or is backup something you have to provide for? Is there any SLA associated with backup, archive, or preservation of data? If your account becomes inactive (say you don’t pay your bill), do they keep your data? For how long? Once again, realize that there are different services, with different features, at different costs, and you get what you pay for.
5. Trusted Service Provider: The trusted service provider is a critical link. Unlike with your in-house IT department, you are now putting your trust in a 3rd party. You must feel confident that they will do what they say they will do. Can they demonstrate that the safeguards they claim are indeed delivered? What is their record? Do you have a successful business relationship with them already, and if not, do you know of others who do? Remember to ask: are they in business to serve business, or is it simply another service that they offer, focused first on cost per gigabyte, versus service and support? This is where many IT service providers have made their living, providing world class service and support, along with effective, efficient, low cost infrastructure.
So what has really changed? More than anything it is a heightened awareness of the need for security. Security is delivered on a sliding scale, and the result you achieve is based on well understood principles.
Of equal interest are the legal implications associated with hosting your data at service providers. You can extend the notion of security to access by various government entities, depending on where your data is hosted. While the focus of this post has been associated with preventing unauthorized access, this is yet another consideration associated with where your data is stored.
Sure, cloud storage requires that you add some additional and/or different considerations to your evaluation and monitoring process, like understanding your service provider versus your own IT department. The IT Service Providers know and understand the importance of this. Most will step up and ensure that they deliver excellent service to you and become your long-term Trusted Partners. Those that don’t will fall by the wayside.