(Just Like) Starting Over

The mention of cloud services no longer strikes fear in the hearts of security practitioners like it did a decade ago. While some security folks are still wary of providers’ claims, few can doubt that many of the larger, more prevalent cloud providers offer as good or better security than some enterprise security teams.

Because cloud providers have to manage security at scale (which is funded by its customers), more money can be thrown at the problem than a standalone company with, perhaps, only a limited budget, under-staffed and over-worked team, and/or antiquated infrastructure.

Nonetheless, dealing with data in a digital environment presents risk. Internet-connected environments are vulnerable—regardless of provider and protector prowess—and access control and authorization will continue to be the weakest links for as long as humans are involved. At Cloud Security World 2016, Vice President of Technology Risk at T&M Protection Services, Paul Lewis, presented a session on “Cyber Crime in the Cloud,” explaining why brighter days are just ahead. The “7 Cloud Security Risks” explained by Lewis are:

  1. Your cloud provider can be hacked
  2. Your cloud provider may soon disappear…along with your data
  3. Third parties and their third parties may have access to your data
  4. Provider-driven espionage (a.k.a., “big data analytics”)
  5. Cloud providers can be a single point of failure
  6. Your cloud provider may be subpoenaed for your data…and you may not be forewarned or able to stop it
  7. Your data at rest may be in an unknown jurisdiction that has varied/differing/loose laws and regulations

We have grown, we have grown

After focusing for a few moments on doom and gloom, Lewis turned the tide and explained how organizations can eliminate these risks…provided the approach to and strategy for cloud storage is re-imagined.

Your cloud provider can be hacked

Yep, that’s true! Any provider or computer can be hacked. To lessen the likelihood and make sure your data isn’t lost or stolen wholesale, re-think how your data is stored in the cloud. File segmentation and encryption are the two most basic things a company can do before shipping its data off to a provider. While we’re on the subject, use a redundant array of cloud providers to ensure everything isn’t lost in one hack.

Your cloud provider may soon disappear…along with your data

This may be true of some of the smaller, niche players, but the large providers aren’t going anywhere. And many of the small providers, if they’re good at their game, will be gobbled up by larger companies, which means that your data isn’t dust in the wind. To be safe, though, focus on expanding your partner network. Too many backups can be a burden and cause unnecessary risk, but have at least one backup for all sensitive data. Especially the sensitive data—that which if lost cripples the business. These backups and diversity of cloud providers will also eliminate the fear of:

A single point of failure

In the past, not many viable, secure options existed for cloud storage. Today there are literally thousands of options. Are all of them super secure? Of course not! Ask around industry associations (ISACs) or check into Cloud Access Security Brokers (CASB) who can help with risk ratings on providers, negotiating agreements, and even auto-encrypting data for you. If your provider is hacked or if there is a disaster which renders data unavailable, knowing that your data is distributed among a few trusted providers will allow your business to continue running at full steam ahead.

Third parties and their third parties may have access to your data

The downstream effect of a cloud-connected universe is vast. And scary. To make sure your data isn’t going into the ether unprotected, go back to encryptions and file segmentation. An insecure third party may have access to one of your third parties, but if your data is properly encrypted in the first place, if stolen, the problem becomes a non-problem. OK, sure if the attacker of one of your third parties gets his/her hands on your encrypted data in a mass breach and specifically finds your file and takes the time to unencrypt it, you’re screwed. But, really, aren’t we in the business of managing risk? An adversary coming straight after your company’s encrypted file when it has dozens, hundreds, or even thousands doesn’t seem very likely in the grand scheme of things.

Provider-driven espionage (a.k.a., “big data analytics”)

One of the giant benefits of being a cloud provider is that the provider gets loads of lush data that can be analyzed and used for all kinds of targeting, like marketing and selling or developing new products and services. This is the business on which Google is built. Cloud providers are getting better at using data provided to them, so, again, if you want to ensure your provider can’t use your data against you, encrypt it and don’t throw all your proverbial eggs in one provider basket. Then come to terms with the fact that data is money.

Your cloud provider may be subpoenaed for your data…and you may not be forewarned or able to stop it

This is one that makes enterprise security practitioners squirm. It also makes (the good) technology companies fly to Washington, D.C. and fight with Congress, then go back home and create technologies and devices that leave readability of the data in the hands of the data owner, rendering it inaccessible to the provider…and/or the courts without a subpoena served to the data owner. Courts will always be allowed to serve warrants when probable cause is established. Make sure the warrant must be served to you, not your provider, for access.

Your data at rest may be in an unknown jurisdiction that has varied/differing/loose laws and regulations

This one is a tougher nut to crack. Unless you have specifically negotiated then contracted for specific hosting locations, without any alterations, throughout the terms of your contract, the provider may route your data to a new data center or storage location without your consent or knowledge. Providers don’t, generally, re-route data just to mix it up or make customers upset; they have legitimate reasons, such as a new data center was built and has increased capacity, or a disaster occurred in one location and the fail-over is in a different jurisdiction. Still, just about the only thing you can do is make sure the provider alerts your organization, in writing, any time a change becomes necessary. Some jurisdictions outside the U.S. have stricter rules and laws than the U.S.; some basically give carte blanche to the government for surveillance. Either way, get it in writing. Put it in your contract. And for goodness sake, keep segmenting, encrypting, and divvying up your data!

It’s been so long since we took the time

Lewis said during his talk that “zero risk cloud storage” can be achieved by re-thinking the security basics. He also said that companies must forget about protecting the perimeter (because, where is it!?) and change the definition of privacy. In this new era of cloud-everywhere, warned Lewis, stop and ask yourself:

Q: Where is my data? A: Everywhere!

Q: Who sees it? A: Everyone!

Q: Is data really private anymore? A: Nope.

Q: Am I exposed to cloud cybercrime? A: Maybe, but there are things you can do to decrease your digital footprint.

Data owners bear responsibility for data when handing it over to cloud providers, as they do when it’s kept on-premises. The responsibility becomes shared when data is stored in a cloud. To illustrate, if you drive to a public lot then leave your wallet on the front seat and your doors unlocked after you walk away, the police and your insurance provider won’t rush to your defense. Now imagine that the wallet belonged to your spouse or friend. You’re in pretty big trouble.

So even if you walk away, don’t lock your doors, and keep your windows open, if hide your wallet and keep your money in different places—mainly in locations separate from the car—you won’t be flat out broke. Use this approach when dealing with your cloud providers and you’ll be more secure today than you were yesterday.