CLOUD SECURITY MYTH VS. FACT #1: MY PROVIDER PROTECTS MY DATA
If you’re in the process of creating a security strategy for your cloud deployments, then you understand the complexities that exist. The challenges presented by compliance, data governance, and emerging technology can create a conflicting and shifting front, and the security solutions that are built into cloud services may not provide sufficient control, transparency, or security to meet all requirements.
Unfortunately, your cloud provider will probably not tell you how to effectively approach data security. More likely, they will point to the few basic security tools built into their solution and wish you the best of luck. Why? Because they are not responsible for your data.
As a result, best practices for cloud security are not centered on your public or private cloud provider. They are more about people, processes, and technology. In this four-part blog series, we will dispel several cloud security myths and provide facts that will help you implement the right strategy and technology to keep your organization’s data secure in the cloud. Let’s get started.
Myth #1: Security offered by your cloud provider means your data is well-protected.
Fact: Your cloud provider is responsible for securing the cloud infrastructure. You are responsible for securing your data, especially to and from the cloud.
Despite losing direct control of the data, an organization that utilizes cloud services is still the data owner, and usually retains the ultimate responsibility to protect the data – not the cloud vendor. This could be discovered too late if an enterprise experiences a breach and loss of data, and only then discovers that the agreement with the cloud provider does not hold the provider responsible. This is best illustrated by the shared responsibility model, which customers of cloud infrastructure providers (e.g. AWS, Azure) agree to as part of their service agreement.
However, understanding your rights and data ownership is only part of the equation, as your brand will still suffer as a result of the data loss. Here are some other facts to consider:
CLOUD VENDORS HAVE ACCESS TO YOUR DATA
Perhaps the most important point to keep in mind when deciding to move your data to the cloud is that regardless of the security schema employed by the vendor, they will always have access to your data in one way or another.
In cases where the vendor is in charge of protecting your data, they will possess the passwords, encryption keys and whatever else is needed to protect your data, and the customer will rely on the vendor to perform all security functions on their behalf. Obviously, this means someone on the vendor side will have access to your data in the clear. In addition, if a government comes knocking on the cloud service provider’s door looking for your data, they do not have to come to you to decrypt it.
CLOUD CUSTOMERS ARE NOT IN DIRECT CONTROL OF THEIR OWN DATA
As data moves into the cloud, the customer transfers control to the cloud service provider. In most cases, customers are essentially “publishing” data to the cloud, giving permission for the provider to copy or move data without notice to unknown locations – sometimes even unknown to the vendor themselves. This can lead to numerous compliance issues, most notably data residency. Meanwhile, the customer can request action on their data, such as protection or deletion, but it is up to the vendor to comply with the request. Data may never actually be removed from all cloud vendor servers, and the customer has no way to verify.
CLOUD CUSTOMERS ARE NOT ALLOWED TO VERIFY VENDOR SECURITY
Cloud providers typically don’t provide access to their physical infrastructure for audits. Instead, they rely on an honor system, and customers are not allowed to directly verify security. The standard practice of “trust but verify” in vendor data security does not apply to cloud data security. Not only does this leave potential for holes in security, but it often directly conflicts with internal data security policies and regulatory compliance requirements.
Is Encryption the Best Security for Data at Risk?
Whenever there’s a major data breach, one of the first things everyone asks is, “Was the data encrypted?” This is a very natural question to ask because, since the 1970s, encryption has evolved in line with computing power and technology to offer relatively strong protection against brute force attacks. If given a choice between having your data protected with encryption or leaving it unprotected entirely, almost everyone would choose encryption. But is it really that simple?
In this four-part blog series, we dispel several cloud security myths and provide facts that will help you implement the right strategy and technology to keep your organization’s data secure in the cloud. In this second installment, we address whether encryption is the all-around best method for protecting sensitive data in the cloud:
Myth #2: Strong encryption is the best security for data.
Fact: Encryption is only effective if well controlled. The best encryption is fine-grained with fragmenting abilities to decrypt individual sensitive data fields based on user roles.
Encryption is generally applied at a broad level when an entire system, database, or physical drive is encrypted. This is not unusual, and is not bad practice, but it’s like storing everything valuable in one safe or vault and relying on a single secure lock. It’s only as secure as that one lock, so if the key gets lost or stolen, then suddenly all your cash and valuables are gone. Even when encryption keys are very strong, their weakness is often human – breaches all too often involve insiders, or bad guys on the outside getting hold of the IDs and passwords of privileged users and key holders. These are obtained via trickery, manipulation, or exploiting carelessness; the causes are many and varied. The reality is that bad guys will keep attacking, keep trying, and searching out these weaknesses and vulnerabilities.
Encryption can also lack versatility, as it changes the appearance and increases the size of the original data. Applications and databases must be able to read a specific data type and length in order to accept data, so if the encrypted data’s type or length is incompatible with those systems, they will effectively break.
Using encryption to provide only coarse-grained protection does not provide the risk mitigation needed to respond to today’s internal and external threats. For these situations, two principles make sense for your business to adopt: (1) segregation of duties, which argues that those who can see data should not be able to create access rules, and (2) least-privileged access, which holds that business users should only see the sensitive data needed to perform their job.
Thieves want data like email addresses, names, credit card, bank account, and Social Security numbers. This high value, detailed data is what needs most careful protection so it’s better for organizations to implement fine-grained protection for each item to ensure a name, an address, or an account number is individually protected — lots of locks to protect the data.
You can use locks like encryption, so the output is meaningless code, or you can tokenize, to swap real information for a similar but fake value. The thief thinks it’s a credit card number, because it’s a 16-digit number, with a month/year expiry and a secure code – but this is all fake, cleverly substituted in your database. This means that whatever the nature of a security compromise, the risk to sensitive data is minimized. And when real, authorized users need real data, the tokenized or encrypted values are individually converted, and seamlessly returned for analytics or decision making. Your business can make full use of its data, confident that your customers and your brand are protected.
While some operating systems such as Windows or Linux now provide simpler privilege management for access controls, they are not an ideal overall solution for large, complicated organization structures that span both on-premise and cloud systems. The “all-or-nothing” security of access controls can create numerous problems in day-to-day operations, including roadblocks to benign data that happens to be stored next to highly sensitive data, or unnecessary privileges granted beyond what the user actually needs to do their job.
One solution to this problem is utilizing fine-grained data security via encryption, tokenization, or masking. Applying security to the data itself and controlling access allows for a wider range of authority options. Users without privileges to access sensitive data can still access non-sensitive data to perform job functions, even in files or tables that contain a mixture of both. More flexible options, such as some forms of masking or tokenization, can also provide different levels of security that expose certain parts of sensitive data without revealing it completely, preserving valuable processing and analytic integrity.
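The fine-grained model described above, where one record mixes sensitive and benign fields and each role reads back clear, masked, or tokenized values, can be sketched as follows. This is an added example, not Protegrity's code: the role names, `POLICY` table, `TokenVault` class and sample record are hypothetical, and the in-memory vault stands in for a hardened token service.

```python
import secrets

SENSITIVE = {"card_number", "ssn"}
# Hypothetical policy, owned by the security team: role -> field -> view.
POLICY = {"fraud_analyst": {"card_number": "clear", "ssn": "mask"},
          "support_agent": {"card_number": "mask"}}
# Constructed sample row (test values, not real data).
SAMPLE = {"name": "A. Customer", "city": "Tulsa",
          "card_number": "4111-1111-1111-1111", "ssn": "078-05-1120"}

class TokenVault:
    """In-memory stand-in for a token vault service."""
    def __init__(self):
        self._token_for, self._value_for = {}, {}
    def tokenize(self, value):
        if value in self._token_for:      # same input, same token: joins still work
            return self._token_for[value]
        if not any(c.isdigit() for c in value):
            raise ValueError("this sketch only tokenizes values containing digits")
        while True:                       # digits -> random digits, separators kept
            token = "".join(secrets.choice("0123456789") if c.isdigit() else c
                            for c in value)
            if token != value and token not in self._value_for:
                break
        self._token_for[value], self._value_for[token] = token, value
        return token
    def detokenize(self, token):
        return self._value_for[token]

def mask(value, keep=4):
    """Star out every digit except the last `keep`."""
    hide = sum(c.isdigit() for c in value) - keep   # leading digits to hide
    out = []
    for c in value:
        out.append("*" if c.isdigit() and hide > 0 else c)
        hide -= c.isdigit()
    return "".join(out)

def protect(record, vault):
    """What gets stored: sensitive fields tokenized, the rest untouched."""
    return {f: vault.tokenize(v) if f in SENSITIVE else v for f, v in record.items()}

def view(stored, role, vault):
    """What a role reads back; anything the policy does not grant stays a token."""
    rules, out = POLICY.get(role, {}), dict(stored)
    for field, mode in rules.items():
        if field in SENSITIVE and field in stored and mode in ("clear", "mask"):
            real = vault.detokenize(stored[field])
            out[field] = real if mode == "clear" else mask(real)
    return out
```

A role missing from the policy still gets the whole row, with name and city readable and the card and Social Security number as format-preserving tokens, which is the mixed-table access the paragraph describes.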
These fine-grained data security options require proper privilege management, and step one in this process is usually assigning a security-specific role or team in the organization. Isolating security policy administration in a security team separates users and system administrators from security privilege assignments. The security team must develop a comprehensive data security policy, to be centrally managed and administered across the enterprise and in the cloud, in line with the needs and expectations of the operations of the business, and the roles contained therein.
While access controls remain an integral function in data security and privilege management, organizations need to hone down to the data itself to avoid either inhibiting business processes or opening the door to a data breach. When companies de-identify their data via fine-grained data security, they can:
- Protect sensitive data across all environments on premises or in the cloud seamlessly without change or modification
- Enable safe consumption and analytics of data without divulging identities
- Meet all regulatory requirements governing data protection and privacy
- Deploy quickly via flexible bundles to protect data across all platforms with included services and expertise
Stay tuned for future blogs in which we will present additional cloud security myths and provide facts that will help you keep your most sensitive data secure as you move more of it to the cloud. In the meantime, you can learn more about Protegrity Cloud Solutions here.
Myth #3: The best security keeps threat actors from getting in.
It would be nice to think that your systems are secure. Most organizations focus their security strategy on trying to keep anyone from getting into their systems. The reality is that threats are everywhere. They come from inside the perimeter of your own systems in the form of human error and they come from outside the perimeter in the form of hackers and third-party systems. Sensitive data moves across data silos within the enterprise but also across hybrid and multi-clouds. So, good security not only fortifies the entry points, it ensures that a data breach reveals nothing useful. It protects the data itself. Let’s take a look at some recent data breaches to understand why that is so important.
Accidents happen
34% of data lost in the 1st half of 2018 through breaches was caused by accidental loss. That means that, “oops”, someone left data exposed and open to breach. In November 2018, the Oklahoma Department of Securities was found to be housing millions of FBI investigation records on an unsecured rsync server for an uncertain amount of time. Data included personal data, systems credentials and internal communication records. This data was simply left unprotected. Despite 8 years of IT infrastructure consolidation by the OMES agency, ODS had not yet consolidated their systems.
Third-parties increase your risk
What about third-parties who have access to your data? Password management company Blur announced early this year that they exposed a file with 2.4 million names, password hints and encrypted passwords on an unprotected server. Later in January, another astounding breach was announced. More than 24 million financial and banking documents were exposed for a two-week period on an open server by Ascension, a data analytics company serving the finance industry. Vital personal information such as names, addresses, dates of birth, Social Security numbers, and financial information was exposed. Ascension converts paper documents into computer readable files (OCR) and the server housing 10 years of documents is the one which was exposed – without a password.
And if your email is outsourced…
A common way into an organization’s data is through email. Just announced last week, Health Alliance Plan lost control of 120,000 patients’ medical information when Wolverine Solutions Group, the third party who manages their email, succumbed to a ransomware attack.
The unwelcome email intruder
Email provides so many ways to potentially access your sensitive data. Several 2019 data breaches are due to third-party access to employee email. Approximately 326,000 patients’ data was potentially exposed at UConn Health this way – including names, dates of birth and Social Security numbers.
Hook, line and sinker – phishing
Malicious outsiders are responsible for 68% of data breaches and phishing still gets powerful results. There have been 5 major reported incidents already this year, with BenefitMall leading the pack with almost 112k consumers impacted, with vital information including name, date of birth, bank account, and Social Security number. Several employees responded to a phishing attack over four months before the hack was discovered.
The invisible breach
System breaches can and do go unnoticed. AdventHealth and Marriott International know something about that. AdventHealth’s systems were breached and undetected for 16 months. Marriott’s systems were compromised for four years.
It’s simply not enough anymore to protect your systems. Human error is inevitable. Your employees will make mistakes. Malicious outsiders will continue to find new ways to trick them into opening the door into your systems. Third party vendors you work with may not have the same stringent security solutions you do. And the data you are storing in a third-party cloud is your responsibility to protect.
Isn’t it time you looked at data security differently? Protegrity recommends a Data First Security approach. Our clients feel safer knowing wherever their data goes, it is de-personalized and therefore of no value if and when a data breach occurs. You can find out more about Protegrity’s approach to data security on our blog.
Stay tuned for Blog 4 in our Fact vs Myth Cloud series. We will address Myth #4: You only need security on your transactional systems. We’ll talk about the importance of data security in your analytical systems and dispel the myth that security will slow down your ability to get insights.