How can cloud providers offer sensitive data protection in a cloud environment? Is there a way to ensure that highly sensitive data, such as Social Security numbers, will be safe in the cloud?
Not all data is suitable to be, or should be, stored in the cloud. Risk assessment and analysis is also required. In my opinion, the stakes are too high for sensitive data to reside in the cloud, even if the data is encrypted. One exception is when a private cloud is being used on a customer's premises.
Security, privacy and compliance become shared contractual responsibility between the cloud provider and the customer, but, ultimately, it is the customer that is liable. Like warranties, a cloud provider's liabilities are limited. It's important to remember that once sensitive data is placed in the cloud, the organization no longer has full control.
Various schematics and techniques can be used to minimize the risk of unauthorized access and sharing, but it is well accepted that 80% of data theft and fraud occur internally -- so why should this be any different in a cloud provider's organization? In reality, it may not be that high, depending upon the customer's deployment and extent of control.
Increasing numbers of cybercriminals will shift their attack target to cloud providers since the payload of sensitive data is huge from multi-organizations. Once a hacker manages to penetrate the parameter of the provider, all organizations become fair game.
To provide security in depth, cloud providers will need to consider and evaluate various security architectures by performing the following:
- Disk encryption versus data encryption
- Vigilant monitoring of their infrastructure and its employees
- Configuration of all systems to delete temporary files and encryption keys upon ending the session
- Careful management and prompt destruction of system snapshots when they are taken by system administrators (these snapshots should also be carefully managed under strict policies and procedures and destroyed as soon as their purpose is fulfilled)
- Provisioning the ability to detect rogue virtual machines
- Ensuring that privacy and compliance requirements of a customer are not breached
- Conducting regular internal and external vulnerability assessment and analysis
- Conducting audits daily, since the network is dynamic
Note: The above tips are not meant to be comprehensive.
This was first published in March 2013