At some point, I must have drunk the Cloud Kool-Aid. I find that despite my best efforts, I no longer develop the sinking feeling in the pit of my stomach when someone mentions “Moving to the Cloud.”
This doesn’t mean that I get all warm and fuzzy inside, but I am now able to listen to the conversation without the very loud voice inside my head saying “NOOOO, NOT THE CLOUD.”
I guess that it is a sign of the maturing of the process (or insanity on my part) that has allowed me to move from “it can’t work” to “how can we make it work.”
In my mind, security in the cloud is not one thing that you do, it is many different pieces that, taken together, provide a secure environment for your data.
As I see it, your starting point is the contract you sign with the cloud vendor. You need to work with your lawyers and purchasing staff to make sure that any data stored is where you want it stored, and detail what will happen to it if the company goes belly up.
You need to understand how you will get your data back if you decide to move it, and who will be looking at it. Do you need to sign a BAA (Business Associates Agreement)?
How can you encrypt the data (and own the encryption keys)? The contract is the beginning of the process and a key factor in the success or failure of the project – and it is your only fallback if things go south.
Once you get your contracts resolved, then it is time to work on securing your important data. Some of the issues to think about:
Is your data exposed on the Web?
We started moving our email users to Google several years ago. We wanted to make Google Drive available, but we were worried that someone could put sensitive data in a shared document and create a security breach.
In order to mitigate this risk, we are using a product (CloudLock) that looks at the data in our Google domain and removes the shares from any file containing sensitive information (as defined by our Data Classification Policy – did I mention that you need one of these?). CloudLock lets me slow down stupid in the Cloud. (Read more on You Can’t Stop Stupid: Security In the Academic World)
Is your data backed up somewhere else?
My worry here is that if all of your crown jewels are in the cloud, and that vendor goes out of business, you may have to wait a really long time before you get access to your data, or worse, it may just disappear.
A worse case would be if someone gets access to your account and decides to erase all of your data, you may be in big trouble. This did happen to codespaces.com – they were a completely cloud-based company and now no longer exists; someone broke in and destroyed their infrastructure and data, including their backups.
How are you protecting the keys to your kingdom?
Which brings me to my next concern – controlling access to your cloud infrastructure. If you are depending on an ID and Password to control access to your entire business, you may want to think about this a little more. One well-placed key logger and all of your hard work is now in the hands of a bad guy.
Two factor authentication should be your minimum protection against un-authorized access. The codespaces company was taken down by someone who got hold of the administrative passwords to their AWS instance.
This is not an exhaustive thesis on Cloud security, but I hope that it gives you a jumping off point.
I believe that it is possible to score big wins by judicious use of the Cloud in your business. Security is an essential piece of the puzzle and you need to understand that details of securing your data are still up to you. The Cloud will be coming to your business, with or without you. Remember Resistance is Futile – the Cloud is coming.