In this tip, the seventh in our series of technical tips on cloud security, we discuss the security of data in the cloud. If and when you decide to use public cloud computing, it's likely that you will also need to store data in the cloud. The multi-tenant nature of the cloud and questions about the physical location of cloud data are security risks that organizations looking at using cloud services need to be aware of. This tip discusses practical methods for keeping your cloud data secure.
Storing data in the cloud is arguably the most important aspect of public cloud resources, but it is rarely treated as such. Two practical steps to take when securing cloud data are:
- Protect your data in a real world environment.
- Meet compliance requirements.
What are the issues?
There are two primary issues that we have to deal with when talking about data security in a public cloud:
- Protection of the data: Dealing with the confidentiality, integrity, and availability (CIA) criteria. Answering the important questions, such as, "What is the risk to the data? Are the controls in place adequate to mitigate the risk?"
- Location of the data: Dealing with the physical location of the "bits" and answering questions like, "Do I know where the data resides? Does this violate any of my compliance requirements?"
Location is often doubly important because we do not think about it; it may easily slip by unnoticed and have significant impact if a data loss ever occurs.
An example is the conflict between the U.S. Patriot Act and Canadian laws on the privacy of certain personal information. The U.S. government says if there is a compelling reason, they are able to see data in their jurisdiction. Canadian laws say that the data of certain Canadian citizens is protected and cannot be disclosed. If you handle Canadian data (i.e., data that is protected), then you had better be sure it is not physically located on systems in the U.S. Note that this is something providers will need to ensure via contracts.
Where to start: Data classification
If you don't take time to understand your data, then you are setting yourself up for failure in a public cloud environment. Therefore, securing data must begin with data classification.
Here are some steps to follow:
- Identify the data that will be processed or stored in the cloud.
- Classify the information in regards to sensitivity towards loss of the CIA criteria. This would include identifying regulatory requirements for the data.
- Define the rules by which particular information classes of instances must be stored, transmitted, archived, transported and destroyed. Many handling requirements result from contractual or regulatory requirements.
A thought on physical location
As stated earlier, if there are restrictions on the physical location of data, you'll need to find a provider that can handle them. Amazon Web Services uses regions, and many of the other cloud providers offer similar structures. However, you need to ensure the service-level agreements meet your locality requirements.
Protecting data in the cloud
In the cloud, your data can be in any of the following locations:
- Local storage of the virtual machine (i.e., processing engine). Data is tied to the virtual machine location and state.
- Persistent data store (i.e., Amazon EBS or S3, Azure SQL, etc.). Data is independent of virtual machine location and state.
- In transit on the wire.
You will also need to use one of the following methods to meet your data protection requirements:
- File system and share access control lists: This would be using the access control mechanisms in the offering to ensure appropriate restrictions on the data. This would be used in all cases, but it would not protect from malicious IT staff at the provider.
- Encryption with a mixture of public and private key solutions: This would most likely be used to protect against malicious IT staff at the provider.
- Transport level encryption: This would be used as a matter of course whenever sensitive information was being passed or transmitted.
I strongly insist that everyone classifies their data. Once that is done, there are a couple of cloud issues you need to think about:
- Is my data stored where is should be?
- If there are any physical location limits, are those met?
- Am I protecting against malicious IT staff?
The rest should be basic security practices, much like those used in your non-cloud environment. There is nothing obscure about securing data in the cloud. Just remember that "good security is good security" and you should be good to go.
ABOUT THE AUTHOR:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.
His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).
Phil holds a BS in Computer Science from the College of Charleston