Cloud Solutions Fact v Myth Blog Series

CLOUD SECURITY MYTH VS. FACT #1: MY PROVIDER PROTECTS MY DATA

If you’re in the process of creating a security strategy for your cloud deployments, then you understand the complexities that exist. The challenges presented by compliance, data governance, and emerging technology can create a conflicting and shifting front, and the security solutions that are built into cloud services may not provide sufficient control, transparency, or security to meet all requirements.

Unfortunately, your cloud provider will probably not tell you how to effectively approach data security. More likely, they will point to the few basic security tools built into their solution and wish you the best of luck. Why? Because they are not responsible for your data.

As a result, best practices for cloud security are not centered on your public or private cloud provider. They are more about people, processes, and technology. In this four-part blog series, we will dispel several cloud security myths and provide facts that will help you implement the right strategy and technology to keep your organization’s data secure in the cloud. Let’s get started.

Myth #1: Security offered by your cloud provider means your data is well-protected.

 Fact: Your cloud provider is responsible for securing the cloud infrastructure. You are responsible for securing you data, especially to and from the cloud.

Despite losing direct control of the data, an organization that utilize cloud services is still the data owner, and usually retains the ultimate responsibility to protect the data – not the cloud vendor. This could be discovered too late if an enterprise experiences a breach and loss of data, and only then discover that the agreement with the cloud provider do not hold the provider responsible. This is best illustrated by the shared responsibility model which customers of cloud infrastructure providers (e.g. AWS, Azure) agree to as part of their service agreement.

cloud security
AWS Shared Responsibility model: Customer is responsible for security “in” the cloud.

 

However, understanding your rights and data ownership is only part of the equation, as your brand will still suffer as a result of the data loss. Here are some other facts to consider:

CLOUD VENDORS HAVE ACCESS TO YOUR DATA

Perhaps the most important point to keep in mind when deciding to move your data to the cloud is that regardless of the security schema employed by the vendor, they will always have access to your data in one way or another.

In cases where the vendor is in charge of protecting your data, they will possess the passwords, encryption keys and whatever else needed to protect your data, and the customer will rely on the vendor to perform all security functions on their behalf. Obviously, this means someone on the vendor side will have access to your data in the clear. In addition, if a government comes knocking on the cloud service provider’s door looking for your data, they do not have to come to you to decrypt it.

CLOUD CUSTOMERS ARE NOT IN DIRECT CONTROL OF THEIR OWN DATA

As data moves into the cloud, the customer transfers control to the cloud service provider. In most cases, customers are essentially “publishing” data to the cloud, giving permission for the provider to copy or move data without notice to unknown locations – sometimes even unknown to the vendor themselves. This can lead to numerous compliance issues, most notably data residency. Meanwhile, the customer can request action on their data, such as protection or deletion, but it is up to the vendor to comply with the request. Data may never actually be removed from all cloud vendor servers, and the customer has no way to verify.

CLOUD CUSTOMERS ARE NOT ALLOWED TO VERIFY VENDOR SECURITY

Cloud providers typically don’t provide access to their physical infrastructure for audits. Instead, they rely on an honor system, and customers are not allowed to directly verify security. The standard practice of “trust but verify” in vendor data security does not apply to cloud data security. Not only does this leave potential for holes in security, but it often directly conflicts with internal data security policies and regulatory compliance requirements.

August 16, 2018

Is Encryption the Best Security for Data at Risk?

Whenever there’s a major data breach one of the first things everyone asks is, “Was the data encrypted?” This is a very natural question to ask because since the 1970s encryption has evolved in line with computing power and technology to offer relatively strong protection against brute force attacks. If given a choice between having your data protected with encryption or leaving it unprotected entirely, almost everyone would choose encryption. But is it really that simple?

In this four-part blog series, we dispel several cloud security myths and provide facts that will help you implement the right strategy and technology to keep your organization’s data secure in the cloud. In this second installment, we address whether encryption is the all-around best method for protecting sensitive data in the cloud:

Myth #2: Strong encryption is the best security for data.

Fact: Encryption is only effective if well controlled. The best encryption is fine-grained with fragmenting abilities to decrypt individual sensitive data fields based on user roles.

Encryption is generally applied at a broad level when an entire system, database, or physical drive is encrypted. This is not unusual, and is not bad practice, but it’s like storing everything valuable in one safe or vault and relying on a single secure lock. It’s only as secure as that one lock, so if the key gets lost or stolen, then suddenly all your cash and valuables are gone. Even when encryption keys are very strong, their weakness is often human – breaches all too often involve insiders, or bad guys on the outside getting hold of the IDs and passwords of privileged users and key holders. These are obtained via trickery, manipulation, or exploiting carelessness; the causes are many and varied. The reality is that bad guys will keep attacking, keep trying, and searching out these weaknesses and vulnerabilities.

Encryption can also lack versatility, as it changes the appearance and increases the size of the original data. Applications and databases must be able to read specific data type and length in order to accept it so, if data types and lengths are incompatible with systems, they will effectively break.

Using encryption to provide only coarse-grained protection does not provide the risk mitigation to respond to today’s internal and external threats. For these situations, two principals make sense for your business to adopt: (1) Segregation of duties argues that those that can see data should not be able to create access rules, and (2) least privileged access which holds that business users should only see sensitive data needed to perform their job.

Thieves want data like email addresses, names, credit card, bank account, and Social Security numbers. This high value, detailed data is what needs most careful protection so it’s better for organizations to implement fine-grained protection for each item to ensure a name, an address, or an account number is individually protected — lots of locks to protect the data.

You can use locks like encryption, so the output is meaningless code, or you can tokenize, to swap real information for a similar but fake value. The thief thinks it’s a credit card number, because it’s a 16-digit number, with a month/year expiry and a secure code – but this is all fake, cleverly substituted in your database. This means that whatever the nature of a security compromise, the risk to sensitive data is minimized. And when real, authorized users need real data, the tokenized or encrypted values are individually converted, and seamlessly returned for analytics or decision making. Your business can make full use of its data, confident that your customers and your brand are protected.

While some operating systems such as Windows or Linux now provide simpler privilege management for access controls, they are not an ideal overall solution for large, complicated organization structures that span both on-premise and cloud systems. The “all-or-nothing” security of access controls can create numerous problems in day to day operations, including roadblocks to benign data that happens to be stored next to highly sensitive data or granting unnecessary privileges beyond what the user actually needs to do their job.

One solution to this problem is utilizing fine-grained data security via encryption, tokenization, or masking. Applying security to the data itself and controlling access allows for a wider range of authority options. Users without privileges to access sensitive data can still access non-sensitive data to perform job functions, even in files or tables that contain a mixture of both. More flexible options, such as some forms of masking or tokenization, can also provide different levels of security that expose certain parts of sensitive data without revealing it completely, preserving valuable processing and analytic integrity.

These fine-grained data security options require proper privilege management and step one in this process is usually assigning a security-specific role or team in the organization – isolating security policy administration to a security team provides a separation of duties between users and system administrators from security privilege assignments. The security team must develop a comprehensive data security policy, to be centrally managed and administrated across the enterprise and in the cloud, in line with the needs and expectations of the operations of the business, and the roles contained therein.

While access controls remain an integral function in data security and privilege management, organizations need to hone down to the data itself to avoid either inhibiting business processes or opening the door to a data breach. When companies de-identify their data via fine-grained data security, they can:

  • Protect sensitive data across all environments on premises or in the cloud seamlessly without change or modification
  • Enable safe consumption and analytics of data without divulging identities
  • Meet all regulatory requirements governing data protection and privacy
  • Quick deployments via flexible bundles to protect data across all platforms with included services and expertise

Stay tuned for future blogs in which we will present additional cloud security myths and provide facts that will help you keep your most sensitive data secure as you move more of it to the cloud. In the meantime, you can learn more about Protegrity Cloud Solutions here.