Pinning Down Enterprise Data Security in the Cloud
May 18, 2009 4:00 AM PT
As a growing number of enterprises transition to cloud computing, the use of the term "cloud" becomes more appropriate by the day. Just as natural clouds foreshadow weather events ranging from calm to stormy, cloud computing presents enterprise security professionals with a host of difficult challenges. However, no matter how many challenges arise, cloud computing is here to stay as part of the information-driven world environment that all enterprises work within today.
With a global recession currently under way and an unpredictable business climate for the foreseeable future, increasing financial demands on decreasing enterprise revenue will make the cost-efficiency of cloud computing and data storage all the more attractive. Equally attractive is the potential increase in the security of proprietary enterprise data. However, if not carefully executed, the desired short-term fiscal benefit of moving enterprise operations to a cloud system has the potential for costly long-term security risks.
Therefore, any enterprise considering a transition to cloud computing is well-advised to thoroughly assess a range of security issues in order to avoid a data security breach that could prove costly to the enterprise's financial and reputational bottom lines.
The Weakest Link
At the outset, all enterprises must understand that there is no information technology system that is completely secure. All security systems are only as impenetrable as the weakest link involved in the concept, design, implementation and execution of the system. More often than not, the weakest link will result from human error or human malfeasance from within the enterprise itself or the cloud system provider enlisted by the enterprise. Consequently, as with all enterprise IT security systems, cloud computing is vulnerable to human frailty.
In addition to security threats that emanate from within the enterprise or the cloud system provider, ongoing threats from cyber criminals seeking to exploit the cloud will grow exponentially with the expanded use of cloud systems. Cyber criminals, including international organized crime and nation states conducting cyber espionage, will increasingly target cloud systems because of the amount of critical enterprise information potentially available from a single breach of a cloud system.
There are also associated risks of inadvertent loss or exposure of data maintained within a cloud system as it is distanced from the immediate control of the enterprise. Recent examples of the potential for unforeseen consequences include:
- The FBI's seizure in early April of servers at a Texas data center containing data belonging to innocent enterprises that shared the server cabinet with the organization under investigation.
- Cloud-based services losing data or going out of business, as happened last August to an online storage service called "The Linkup" while still in possession of critical customer data.
Because of the inescapable risks of cloud computing, every enterprise must determine the security needs unique to that enterprise in order to evaluate the level of risk it will confront with a move to a cloud system. To determine for an individual enterprise whether cloud computing is more secure than traditional information technology security practices, multiple factors must be considered.
For many organizations, the two critical factors in the decision-making process are the level of staffing and financial resources available to IT security, balanced against the level of security needed for the types of enterprise information that must be protected.
What Are Your Demands?
No two enterprises have the same security requirements or resources. A decision to move to a cloud service should only follow an objective assessment of the enterprise's security demands. Once that assessment is in hand, an informed decision can be reached -- with security given due consideration in the decision.
All things being equal, many small and mid-size enterprises with limited financial resources available for IT security will find improved security with a move to a reputable cloud service, as the cloud provider will have the ability to provide a level of security smaller enterprises may not be funded or staffed for.
Keep in mind that security within the cloud will only be as good as the chosen provider, and it will therefore be incumbent upon the enterprise to still take precautions. In fact, while it may seem counterintuitive, an enterprise that moves to the cloud should take many of the same precautions appropriate for non-cloud systems.
Above all else, plan for the worst. Assume that even with the best security available, there will be a breach at some time in the future.
Regularly review the totality of the data that is maintained in the cloud. Minimize the exposure of data by removing data that is not required for the day-to-day operation of the enterprise. Also, be certain that frequent and regular inventories of data in the cloud are maintained outside of the cloud. That way, in the event of a breach, you will know what was lost or exposed as a result of the breach.
Further, just as you can't determine whether a traditional IT system is secure absent independent testing, the same is true with cloud systems.
Insist that your cloud provider allow for independent penetration testing of the system with a reputable security firm to determine if the cloud is secure. While the cloud provider will offer assurances that the system is indeed secure, it is the financial well-being and reputation of your enterprise that will suffer in the event of a security breach. Clients and regulators don't care who is ultimately responsible for a breach -- they will hold your enterprise responsible.
If the worst happens and you are the victim of a security breach that compromises your enterprise's data, have your service provider take immediate action to protect the breached server as a possible crime scene. Immediately notify all appropriate law enforcement and regulatory agencies of the breach in order to obtain their guidance on when you may notify clients that are impacted by the breach.
It is always preferable to notify clients as soon as the breach is detected, but it is not unusual for law enforcement officials to request a delay in public disclosure of the breach until they've completed their investigation. As soon as the officials in charge of the investigation allow it, make public disclosure quickly and completely, by providing as much information as possible about the breach method and what data was placed at risk.
There can be no doubt that cloud computing is the wave of the future for enterprise IT. While risks found in traditional IT systems may also be found within cloud systems, the reduced hardware, software and IT labor expenditures, coupled with potentially increased security provided by a dedicated and reputable cloud provider, may outweigh the dangers.
Still, the risks associated with cloud computing must be objectively assessed by every enterprise before deciding to undertake a transition to cloud computing.
Rob Douglas is the editor and information security consultant for IdentityTheft.info. He can be reached at Rob@IdentityTheft.info.