According to Gartner (News - Alert) and other researchers, Infrastructure as a Service (IaaS) is the fastest growing segment of the public cloud market. There are many reasons: reduced cost, faster scalability, and easier elasticity, to name a few. But before you entrust your data to a cloud service provider (CSP (News - Alert)), there are some key security factors you must consider to ensure your data stays safe in the cloud.
Data Outside Your Firewall
The most obvious difference when you move to a public cloud is that your data is no longer under your direct control. Make sure you clearly understand your service provider’s contract – especially when it comes to security. Many CSP contracts are notably light on security promises. There are many ways to augment what they don’t provide, but you need to know the holes before you can patch them.
Virtualized Environments Need Different Security
While most organizations understand the basic requirements for securing physical servers, it’s important to realize that many security tools and technologies don’t work the same in a virtual server environment. Virtual machines are mobile: your CSP may move them around to optimize performance or availability. Traditional security techniques like whole disk encryption will not work in this dynamic environment. Further, virtual machines include unique files used to maintain snapshot and suspend functions, which can also contain sensitive data. Make sure you or your CSP have a way to secure sensitive or regulated data that might exist in these files.
We are human, and humans make mistakes. As we recently learned from Amazon, a simple misunderstanding of configuration settings can lead to the exposure of BILLIONS of files. Build your cloud security model in layers, so that you have the best protection against breaches, as well as simple mistakes from users or IT staff.
It’s become quite clear that the US government has broad reach into CSP networks. Implementing strong encryption before you send data to a CSP (where you keep the encryption keys) can help prevent access to your data from network administrators, or others with access to the CSP network.
What happens to your data when you want to change your service provider? When you spin up a VM in a public cloud, your CSP will immediately replicate your data for availability and disaster recovery, leaving a trail throughout the network. Today, there are no standards for data eradication, though many CSPs do have policies to reduce the possibility of data access when they repair or recycle disks. Encrypting this data can help ensure that these footprints are unrecognizable in the event that you want to stop service or change providers.
If your organization is regulated by privacy mandates for healthcare or the payment card industry, you have unique obligations when considering IaaS. The Payment Card Industry (PCI (News - Alert)) Standards Council released a supplement to the latest Data Security Standard (DSS), highlighting the vulnerabilities in virtualized environments, and providing some guidance for those seeking the cloud.
Similarly, the most recent HIPAA Omnibus rule significantly expands the scope of compliance to include business associates (like cloud service providers) who provide downstream services to those who handle personally identifiable health data (PHI). Many CSPs are working to achieve HIPAA validation so they can partner more effectively with HIPAA governed organizations, so you may want to do some research if this impacts you.
Even if you use a virtual private cloud at your CSP, it’s likely that you’re sharing physical servers – as well as back end storage -- with other tenants. This reduces compartmentalization, and increases the chances that if someone gets in (or is already inside), they can potentially gain access to your data.
Loss of Visibility
In your datacenter, you most likely have tools for network and event monitoring and analysis that are an important part of your security portfolio. When you transition applications and data to a CSP, you lose some of this visibility, as you no longer ‘own’ the network infrastructure. While innovative CSPs are finding ways to improve this reporting, you need to find other tools to give you comfort that your data is safe, even without the regular reporting feedback to prove it.
Steve Pate is Co-Founder and CTO of HighCloud Security.
Edited by Stefania Viscusi