Tuesday, May 4, 2010

Cloud Security and Privacy


I wanted to discuss a newly-published book, Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. But the book has too much valuable content to do it justice in a 500-word blog post, so I will focus today on a single chapter: Data Security and Storage.

First, props to the authors (Tim Mather, Subra Kumaraswamy, and Shahed Latif) who have written a thoughtful, in-depth book on a topic that's often subject to hype and relatively unsatisfying sound bites. The authors aren't working an agenda, and they aren't promoting cloud services. Nor do they provide easy answers. But they do offer insights as to what the critical issues are, what questions to ask your cloud service provider (CSP) to truly assess relevant risk factors, and what strategies might be considered when your security and privacy requirements exceed the service levels provided by current cloud services.

In my discussions with customers, the biggest concerns I hear relative to public cloud services are on the subject of data security, especially data privacy and data remanence. The authors discuss aspects of data security related to data in transit and data at rest, including multitenancy issues. Here's a partial checklist: You should know whether your CSP uses vetted encryption algorithms, and whether the protocols employed ensure data integrity as well as data confidentiality. You should be aware that even when data at rest is encrypted, it can't be operated on by the application without being decrypted -- in such a case you'll want to know whether memory, caches and temporary storage are wiped afterward (the answer is almost certainly "no", or, more likely, such questions won't be answered by the CSP). The same set of questions (and answers) applies to the issue of data migration and to processes by which failed or obsolete storage devices are decommissioned.

The key point in this chapter is with regard to data security mitigation. How can you compensate when CSP data security capabilities are inadequate to your needs? The authors' answer: Don't put sensitive data in a public cloud, other than for simple cloud storage services where your data is (and always remains) encrypted. I couldn't agree more, although I would add that this is an area that CSPs are aware of and working on, and I predict that in the near future (2-3 years) public cloud data security will have improved substantially.

A prerequisite to evaluating whether public CSPs' security is adequate to your needs is to classify your data. Only by doing so can an organization make informed judgments as to whether the cloud security is "good enough". The organization's policy should be to limit cloud-based applications to only those that operate on low- or moderate-risk data, such as CRM and internal log data. Higher-risk data sets may be stored in the public cloud only if they have been "sanitized" (i.e. sensitive data removed or anonymized).
