The latest iCloud photo leak news makes for interesting conversation – both with friends and family as well as business leaders. Yet not surprisingly, many are entrusting their digital lives and their business with something they know very little about.
Is this the epitome of trust? Just do what others did; it’ll be fine? This is not about whether the cloud is good or bad or whose fault it is for the latest blunder. Rather, what’s the process of moving data to the cloud? What data is stored? Who decides? For the sake of argument, let’s skip consumer options since that’s a different conversation, and jump to the enterprise.
The cloud as a business tool provides benefits such as elasticity, on-demand availability, convenience, cost-effectiveness, and efficiencies. No more waiting for IT to provision something which will take two-weeks when it can be done in minutes; with a credit card. Where is the business and technical teams in this process? This question isn’t suggesting that teams are not collaborating, but rather, what’s the process look like?
Security teams are interested in control, privacy, and trust. Is the business? Yes, likely, assuming they know more about the topic and the options available. Or, is there a trust, but don’t verify, just get it done mindset? Let’s face it, businesses care. Leaders care a lot about their data; they just don’t always know the risks and what controls are available. This is where the collaboration between security and the business should take place.
For starters, moving to the cloud should address:
- Communication: Technical teams and business units need to have proactive discussions about needs vs. wants, and timeframes to get there.
- The Data Involved: What is the data? Is the data regulated? What are retention requirements? What about access requirements and logging?
- Third-Party Due Diligence: Trust but verify the cloud service provider (CSP). It sounds simple, but is easy to neglect. Keep in mind; this is not a one-and-done level of effort. Depending on the criticality, this is even more than once per year – think continuous monitoring depending on the circumstance.
- Before a PoC: Long before the first data exchange, what’s the decommissioning and destruction process look like if a contract is not executed?
- Can the CSP View Data?: Can the CSP see the data? How would you know? Has anyone looked into encryption offered by the CSP or add-on solutions?
- Who Manages the Encryption (if any)?: Does the CSP manage the keys or does the business? (solution provider examples below).
- What if Data is Subpoenaed?: If the CSP manages the keys and the data is turned over upon subpoenaed request, where does this leave the business? The ability to control what is handed over is a significant problem if the business does not own the keys, which means the CSP can turn over whatever they’ve been requested to and the business may have little room to help manage the situation.
Once these issues are discussed, security teams will have a better chance of being a security business enabler. With some of the more public events which have occurred lately, it begs to ask the question as to what additional controls a business is looking to undertake.
One area which is getting more attention stems from one the of the initial discussion points; encryption. Many CSPs offer encryption of data at rest and in motion, but in use is much harder. Granted, in many situations at rest and in use may very well be an improvement to what the business is capable of doing today in their own data center.
It’s not uncommon to see a business gain some additional encryption benefit by choosing a CSP because this was not dealt with internally, especially with legacy systems and concerns about performance, recoverability and key management.
If the business wants to take matters into their own hands, than they will need to look into encryption options where the business is responsible for key management rather than the CSP. This decision depends on the data involved, its sensitivity, and risk appetite with whoever the CSP is. Vendors in this space are evolving and the idea is to allow businesses to place their data in the cloud and then have control as to who can see the data. While not an exhaustive list, here are some vendors in the space of cloud data encryption:
- SafeNet – HSM for Amazon
- Skyhigh Networks
At the end of the day there are a lot of moving parts to a successful migration of data to the cloud. The various IaaS, PaaS, and SaaS offerings provide businesses the power of choice. Furthermore, many of the security vendors in this space provide the opportunity to regain some control. At least for starters, engaging teams and business units need to take place to address key concerns and make sound decisions based on what is known.