Companies that rely on public cloud providers and expect them to keep their data secure may be setting themselves...
up for trouble.
Cloud data security concerns have become less of a reason for not adopting public cloud than it was in 2012, with 32% of respondents citing it as their reason to hold off on adoption versus 36% in 2012, according to TechTarget's 2013 Cloud Pulse survey.
While cloud vendors strive to protect their customers' data because their business and reputation depends on it, it's vital for IT pros to understand exactly what the cloud provider is doing to keep their data and resources safe before signing a hosting agreement, said Christopher Stark, CEO of Cetrom Information Technology Inc., a cloud provider based in Vienna, Va.
The recent revelation that Amazon Simple Storage Service (S3) customers could expose their data simply by setting their accounts to public instead of private highlights just how important it is for IT pros to take responsibility for securing their own data.
Encryption software is a good way to prevent cloud data security issues because once data is sent out to the cloud, organizations essentially relinquish control of it, said Lawrence Pingree, a security analyst at Gartner Inc., a research firm based in Stamford, Conn.
Patrick Meyerdirector of IT, Novati
Novati Technologies Inc., a nanotechnology acceleration center based in Austin, Texas, encrypts its data before sending it to Google Gmail, said Patrick Meyer, director of IT for Novati.
"Any time I go to the cloud, I'm exposing myself to any number of data security threats I can't control, like social engineering attacks or someone I don't know accessing that data, even erronously," Meyer said. "I want to minimize the risk of what happens to my data once it's out of my purview."
Meyer migrated Novati's email system from an on-premises Exchange server to Google Apps last year because it cost significantly less than various Exchange deployment scenarios or Office 365.
Novati had to first secure its data before sending it to the cloud because the company works with U.S. Department of Defense contractors and is required by federal law to comply with ITAR regulations.
Meyer used CipherCloud, which provided Novati with an encryption gateway to send data from its data center to Google's servers. The data encrypted is stored with Google and is essentially useless to anyone without the encryption keys -- including Google -- which are stored on-premises.
"That encryption will protect our data if and when it ends up on an endpoint I have no control over," Meyer said.
IT can also control the human element, such as "not using 'password' or '1-2-3-4' for your actual password," Stark said.
Amazon S3 snafu: What's at stake?
Such measures are necessary because even the most secure public clouds are subject to security flaws.
In the recent Amazon S3 episode, nearly 2,000 buckets on Amazon's S3 were left open to the public when those cloud storage accounts were not set to private.
Some 126 billion files, including car dealership sales records, employee data spreadsheets, unencrypted database backups and videogame source code from a mobile games developer, were available for anyone to access, according to a blog post by Will Vandevanter, a senior security consultant for Rapid7, a vulnerability testing company based in Boston.
AWS sets S3 accounts to private by default, but accounts can be opened to the public manually by admins or as the simple result of misconfiguration. Though the security flaw wasn't a result of AWS's error, Vandevanter wrote, it does indicate many IT pros have embraced the cloud without fully understanding potentialdata security ramifications.
AWS warns customers via email that their files might be publicly accessible due to setting the account to public. Further, it will put other measures in place to proactively identify misconfigured files and buckets moving forward, a spokesperson for the company said.
Hybrid clouds counter security concerns
IT pros need to evaluate the business needs of controlling and securing their data against the potential cost savings of putting critical application infrastructure in the cloud, said Lawrence Garvin, a Microsoft MVP at SolarWinds, an IT software vendor based in Austin, Texas.
Not all data is sensitive enough to warrant encryption, but large organizations could use a hybrid cloud model for application deployment to counter concerns about public cloud security.
For example, the applications' front end would be hosted in a public cloud, but the data storage would remain in an on-premises database with a secured data pipeline connecting the two, he said.
"That provides the line of business [with] more ubiquitous access across multiple devices or locations, while letting IT maintain control of that data," Garvin said. "There are plenty of models for IT so we can deal with data security issues but still provide that flexibility and access users want."
The challenge would then be setting up the necessary network connectivity to support heavy data transfers and creating tight integration between the hosted application and the database, he added.
James Furbush is the news reporter for SearchConsumerization and also contributes coverage on desktop, virtualization and cloud topics.