Cloud security myths

Evelyn de Souza, data privacy leader at Cisco Systems, and Andrew Hay, CISO of DataGravity, have presented a preview of the combined knowledge they shared at MISTI’s Cloud Security World. Cloud security, depending on how you look at it, can either be considered “just another part” of information security, or it can be viewed as its own area of focus which requires distinct policies and protections.

Media headlines such as “No More Excuses – Time to Get a Grip On Your Cloud Security” and “Why You Need a Multi-Layered Approach to Cloud Security” suggest that while cloud storage is ubiquitous, it’s not without its challenges. What are those challenges, though? Hay and de Souza shared that, even among security professionals, confusion is common.

At a high level, the speakers reviewed their version of the Top 5 Lies about Cloud Security during a joint webinar. Needless to say, there are more lies (or myths or misconceptions) where cloud is concerned. Below, we recap the top doozies according to de Souza and Hay.

1. Data stored in the cloud is safe!

When buying or leasing a new car, most consumers first check safety ratings; they research third-party test results or look at Consumer Reports. The dealerships, themselves, even list safety ratings right on the sticker. Safety is a big part of the car buying experience because it’s important, and people know to look for it.

With cloud service providers (CSPs), though, it seems that many customers trust inherently. When the security team is involved in the buying decision (which could be only a fraction of the time), there may be an effort to “look under the hood” and see what technical security controls are in place. As part of that evaluation, even when the security team discovers robust controls in the offering, don’t forget that 1) the consumer—i.e., data owner—must verify that this is the case, and 2) the data doesn’t belong to the cloud service provider! If a breach occurs and the law or the consumer’s customers come a’knockin’, he who put the data in the cloud is the responsible party.

Let’s say you’re the “C” in the B to B to C (cloud provider to retailer to consumer) equation and your credit card data is stolen because you shopped at Hats ‘R Us. The aforementioned milliner stored its client data (including yours) in the cloud. Who are you, the card holder, going to hold responsible? Hats ‘R Us, right? Most of you reading this are more likely the second “B,” which means that you are going to be on the other end of the pointed finger when an incident occurs. As such, your organization should not only perform due diligence by thoroughly vetting the cloud provider, but your organization must implement its own technical controls for data security.

Hay and de Souza warned that most security professionals automatically default to data encryption as the one solution for owner-supplied control, but that’s only one piece. Use your SLA to ensure the provider allows for file integrity monitoring (FIM) and data tagging for logical data separation within the cloud environment. Another important element is scrutinizing what data you’re comfortable putting in the cloud in the first place.
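The following Python example is added here and is not from the speakers or any provider. It shows one way a data owner can combine the controls named above: a tag-based check on what is allowed into the cloud, plus a keyed integrity manifest built before upload and verified against what the provider later returns. The function names, tag values, file names and key are all constructed for the illustration.

```python
import hashlib
import hmac
import json

# Constructed policy: classification tags the owner allows in the cloud.
CLOUD_ALLOWED_TAGS = {"public", "internal"}

def _mac(entries, key):
    # Keyed MAC over the manifest so the baseline itself cannot be silently edited.
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(objects, tags, key):
    """Digest and tag every object cleared for upload; hold back the rest."""
    entries, held_back = {}, []
    for name, data in sorted(objects.items()):
        tag = tags.get(name, "untagged")
        if tag not in CLOUD_ALLOWED_TAGS:
            held_back.append(name)  # untagged or restricted data stays on premises
            continue
        entries[name] = {"sha256": hashlib.sha256(data).hexdigest(), "tag": tag}
    return {"entries": entries, "mac": _mac(entries, key)}, held_back

def verify(manifest, fetched, key):
    """Compare objects fetched from the provider against the owner's baseline."""
    if not hmac.compare_digest(_mac(manifest["entries"], key), manifest["mac"]):
        raise ValueError("manifest MAC mismatch: baseline was altered")
    report = {"modified": [], "missing": [], "unexpected": []}
    for name, entry in manifest["entries"].items():
        if name not in fetched:
            report["missing"].append(name)
        elif hashlib.sha256(fetched[name]).hexdigest() != entry["sha256"]:
            report["modified"].append(name)
    report["unexpected"] = sorted(set(fetched) - set(manifest["entries"]))
    return report

def demo():
    """Constructed sample data standing in for a retailer's files."""
    key = b"constructed-demo-key-kept-off-the-provider"
    objects = {"catalog.csv": b"sku,price\n1,9.99\n", "orders.csv": b"id,total\n7,19.98\n",
               "readme.txt": b"store hours\n", "cards.csv": b"constructed cardholder data\n"}
    tags = {"catalog.csv": "public", "orders.csv": "internal",
            "readme.txt": "public", "cards.csv": "restricted"}
    manifest, held_back = build_manifest(objects, tags, key)
    # What the provider hands back later: one altered file, one gone, one extra.
    fetched = {"catalog.csv": objects["catalog.csv"],
               "orders.csv": b"id,total\n7,0.01\n", "extra.bin": b"?"}
    return held_back, verify(manifest, fetched, key)
```

The manifest and its key stay with the data owner, so the check does not depend on the provider's own reporting.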

At some level, trust must be established between CSP and customer, but make sure your trust isn’t given blindly. Research your provider and do your own part to ensure you’re not leaving data hanging out unsecured before it goes anywhere.

2. If your cloud provider is compliant, so are you!

This misbelief is patently untrue. When it comes to compliance, the provider is essentially certifying that the “box,” which is the software or platform or infrastructure, meets compliance requirements, not that the data, itself, is compliant. (Regardless of compliance, the data owner has to certify the security of its data.) Compliance is a sign of the investment a provider is putting into its security posture, but compliance does not equal security. Uninformed consumers often assume the provider is safe based on certifications (especially when it’s the business rather than the security team evaluating the provider), but just because compliance has been met, that doesn’t mean your data is either compliant or secure. Compliance may be very important in the event of a breach, but just because the provider is compliant, that doesn’t mean the data owner’s data is. Read the fine print.

Another “gotcha” de Souza and Hay highlighted is that just because a provider has been certified, it doesn’t mean they’ve continued their certifications. Ask your provider the right questions; dig a little deeper and find out when they were last certified and learn what that means to your data. Because the business could be caught out by the promise of reclaimed dollar signs and access-anywhere, it’s up to technical teams to keep the business in check and make sure the organization understands the implications of provider compliance.

3. Cloud consumers must relinquish full control to the cloud provider!

This lie is similar to lie #1. Many consumers think that when they turn data over to the CSP, the CSP is going to secure it according to the consumer’s (often not communicated) security requirements and that the CSP, alone, can put the best, most hardened controls in place. Going back to point #1, when your organization puts your customers’ data in the cloud, if something happens to that data, your customers are going to look at you as the loser, not the cloud provider (about whom they probably aren’t aware anyway).

Don’t be thrown under the bus by assurances from your CSP. (Remember: “CSP” means “cloud service provider,” not “cloud security provider.”) They may be doing the right things, but check then double check. Institute a thorough vetting process and revisit it from time to time. On a three year contract? Think of it like changing the batteries in your smoke alarm: use your contract anniversary to start fresh!

In addition, when entering into a contract in the first place, adopt a shared responsibility model whenever possible. Bake security—for which both your organization and the CSP are responsible—into the agreement so that there is no delusion about control. Many providers today are willing to build shared responsibility into the design. Check it out! If the CSP you’re evaluating doesn’t offer a shared model, maybe someone else fits the bill.

4. Moving to cloud saves you money!

A CFO looking at the price per compute hour might find a surface level of great savings. However, cautioned Hay, most businesses don’t have the ability to spin tools up and down when needed (which is why the business is looking to cloud providers in the first place). The result is that your organization could end up paying more monthly than if it kept its data on premises.

Hay suggested that companies use orchestration tools to measure when cloud instances should and should not be running to determine where cost savings really apply. The calculation isn’t always based solely on computing hour; data storage and other fees might come into play and could sneak up unless you’re looking at the entire picture.

De Souza also addressed the potential of added costs when the cloud provider suffers a breach. Organizations that have faced an incident in their own data center understand that hard costs are difficult to quantify. In the case of a data breach of the CSP’s environment, it’s yet more complicated. If you’re the data owner, the data is your responsibility, but the data is living in someone else’s house; who cleans it up? Who is responsible for forensics? Who maintains the backups? How readily accessible are they? Do additional tools need to be implemented, and who implements and pays for them?

Cloud forensics and incident response are relatively new and pose a number of arduous issues in which most organizations—even experienced enterprise security professionals—are not well versed. Work with the business to consider the business objectives of moving your data to the cloud, then think about what works for the company. If the business case is “We’ll save oodles of money!” you might want to warn execs that this could be ephemeral ROI.

5. Your data in the cloud is always safely and securely deleted or erased!

You are putting a ton of trust in your cloud provider when assuming that they are erasing and deleting your data in a safe and secure manner. But you, the consumer, don’t actually have visibility into whether the CSP is doing it correctly; you can’t actually see if they are overwriting your data with 1s and 0s or if the provider is scrubbing their machines when your contract ends or you have to cancel your agreement.  

Removal of data boils down to the certification and contract process. Before you enter into a contract, if possible, ask the CSP to prove (under NDA) its data handling and destruction process. Some providers will detail their process; others might consider that too much tasting of the secret sauce. In the end, if your company enters into an agreement with a specific provider who won’t lift the velvet curtain but has proven a-OK in all other respects, you might just have to trust them. But at least ask!

When dealing with very sensitive data—if that data is encrypted, keys are logically separated, and access to the data is highly restricted—you have a backup safeguard and can likely ensure data resiliency on your own. If the provider doesn’t have a thorough deletion/erasure process and a breach affecting your data occurs, even if you have backups or after your contract has ended, your data is still your data. It’s still in the hands of criminals.

What’s the rub?

De Souza and Hay would shout it from the rooftops: Stop listening to lies and ask a lot of questions of your cloud service providers! The provider market is changing, and many providers understand the challenges of today’s security requirements. For the most part, the lies are not coming from the product side, and many of the better providers are willing to work with potential customers. If you can’t get the answers you need, many respectable providers exist. A long list of choices is available.

The takeaway is that using cloud does not absolve the consumer of responsibility. Nor does it mean that the consumer is powerless to influence or assist security efforts. Don’t be a downer! There are things that you, the security practitioner, can do. Just start tuning out the noise and get to work…because cloud is here to stay!