We have all borne witness to the cloud promise by now. Cloud vendors offer instant and autonomic access to compute resources, deliver economic efficiencies, streamlining of business process and persistent, highly-available storage. I’m quite sure most of us have also read of the security challenges lurking behind this promise. As the physical boundaries of your data center disappear, the multi-tenant nature of the cloud introduces a seemingly murky environment of unknown neighbors and data privacy should be on the forefront of every security administrator’s mind. Looking deeper, I feel that a certain aspect of data privacy is often underrepresented. Let’s take a closer look at the issue of data motility.
I use motility rather than mobility because data just isn’t portable in the cloud -- it can get up and move on its own. Your information placed in the cloud will be available when you want it; you just won’t know where it’s living from one moment to the next. Take for example the Amazon EC2 claim of 11-9’s availability. (Yes, that’s right 99.9999999% availability!) This level of persistence all but ensures that your company’s critical information is replicated across at least three different data centers, the locations of which are very likely unknown to your storage and application administrators. The critical HR data you thought was located in an availability center somewhere in the Pacific Northwest on Wednesday evening is smeared across the continental United States or Europe Thursday morning. I certainly do not mean to focus wholly on our good friends in Seattle. Your own storage administrator could inadvertently make volume snapshots across company geographies for DR purposes or your server administrator could accidentally move virtual resources across political boundaries. All told, the cloud is beginning to make the protective borders of data centers irrelevant and is greatly reducing the amount of control one has over company assets.
The great convenience of availability and motility gives rise to important concerns. Simply protecting against “who” can see or steal your data isn’t enough, companies must now also protect against where resources are located. Several regions (Canada and the European Union to name two) have enacted very strict data privacy and processing laws that forbid the collection or processing of personal information beyond their boundaries.
So how can you protect yourself from the headaches that come from unruly and nomadic information? First, take a thoughtful and methodical approach to the information you store in the cloud. This should include a data lifecycle program that classifies the criticality, sensitivity and timelines of processes and information residing in the cloud. This can help companies avoid losing control of those truly important bits.
Next, conduct a deduplication program. Doing so will give you comfort about the number of sensitive documents in the cloud, help you destroy all necessary data when the time comes, and ultimately cut down on storage costs.
Most importantly, gain a thorough understanding from your cloud service provider of the level of influence you have over how your data is handled. Your SLA should clearly define the controls your CSP places around your assets. Seriously consider if you want to rely on an IaaS vendor that won’t attest to its processes, controls and procedures.
Lastly, when in doubt – encrypt! Standard 256-bit encryption of your storage volumes should deter the curious administrator or seasoned hacker from prying, thieving or simply poking around where they don’t belong. Encryption will also reduce the risk that repurposed storage devices could contain important information when volumes are vacated or when the associated drives are reclaimed for replacement.
Much more information on Trend Micro solutions for security in the cloud can be found here: http://bit.ly/bQOx0g