A Comprehensive Cloud Strategy for Data Security

Posted by Robert Moskowitz

As popular as cloud computing has become, and as fast as it continues to grow, it brings with it a whole new set of data security concerns. Without a robust cloud strategy for ensuring security capabilities, cloud computing has little strategic value, particularly since a single data breach can cost an organization far more than it has gained from the advantages of cloud-based data storage.

Importance of Cloud Security

Even without the reality of lost or compromised data, the mere possibility of compromise gives administrators of public, private, and hybrid clouds nightmares. The very nature of cloud computing is in fact problematic, as organizations contract with third-party providers for a variety of cloud services but are frequently reluctant to permit them access to sensitive cloud-based data.

Going to the cloud does nothing to lessen conventional security considerations, such as implementing best security practices and real-time security intelligence, as well as defending against persistent threats and social engineering exploits. When Big Data efforts cross barriers between different clouds, there are concomitant data security risks that must also be addressed.

In addition to all this, the cost savings and agility that cloud computing often provides unfortunately come with a complex portfolio of specialized data security threats and challenges, such as:

  • Multiple user organizations—potentially including competitors—sharing the same infrastructure
  • Issues of data mobility, auditing, and reporting
  • Complex government rules and regulations that create compliance difficulties
  • Few standards regarding disk space recycling and erasures
  • Intrinsic limitations on key security and operational intelligence
  • "Insiders" who legitimately control cloud-based data from outside your organization

In this environment, it's prudent to worry about employees' and contractors' integrity and to evaluate the need to implement extremely stringent internal controls over the private cloud. It also makes sense for Chief Information Security Officers (CISOs) to wonder about the safety of data as it moves between the organization's own systems and the cloud.

In the private cloud, concerns include raw data security, enabling the necessary mix of trust levels, and the blurring of lines between operational responsibilities and data control. In the public cloud, CISOs are also concerned about the ready portability of data, its frequent replication to ease availability, and the access granted to all those connecting with the cloud. In the hybrid cloud, there is the added challenge of protecting data in transit.

Each of the three main cloud service models contains its own security challenges:

  • Software as a Service (SaaS) requires stringent security policies for both identity management and access control.
  • Platform as a Service (PaaS) requires strong authentication services not only to identify users, but also to maintain an audit trail and to support compliance and privacy requirements.
  • Infrastructure as a Service (IaaS) necessarily entails data encryption, so that third-party vendor personnel with access to the underlying infrastructure cannot read your sensitive data.

Techniques for Cloud and Data Security

Prior to the advent of cloud computing, network-centric and perimeter security systems were often adequate. Firewalls and intrusion detection systems were sufficient to prevent most data breaches. Monitoring network activity and correlating data access events were also deemed effective ways to help maintain data security.

But in the cloud-based environment, persistent threats, privileged user abuses, and various insidious attacks on data security have become part and parcel of the threat portfolio that must be addressed.

In the cloud-based environment, CISOs must seek to establish a virtual firewall around sensitive data, leveraging automation and big data analytics to continuously monitor security events and data flow. This firewall is geared to sound an early warning of any attack, and—when necessary—render compromised content unusable by outsiders.

It should be noted that encryption alone will not provide data security when there are weaknesses in access control or key management. Encryption works well only when deployed with sophisticated security intelligence that adequately analyzes risks and identifies potential threats.

A layered approach should address compliance requirements, implement best practices, secure sensitive data, and maintain appropriate separation between IT operations and IT security personnel. There are specific steps that must be followed: data must not be easily readable or decryptable by unauthorized users, access must be limited to authorized users with legitimate needs to view the data, and security intelligence should support behavioral analysis to identify users acting unusually.
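The three requirements in the previous paragraph map naturally onto two automated checks: a deny-by-default authorization decision for each data access, and a behavioural baseline that flags users whose access volume or origin departs from their own history. The following Python script is an added example, not code from the original post or from RSA Conference; the log format, the role policy, the user names and every log line are constructed for illustration, and a real deployment would read the cloud provider's audit trail instead of the embedded sample.

```python
"""Layered data-access monitoring: authorization check plus behavioural baselining.

Added example (not from the original post). The log format, policy table and
sample events below are constructed for illustration; real deployments would
read from the cloud provider's audit trail (e.g. object-storage access logs).
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access log: ISO timestamp, user, source IP, data class, records read.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z alice 10.0.1.5 confidential 120
2024-03-01T10:15:40Z bob 10.0.2.9 internal 40
2024-03-02T09:10:02Z alice 10.0.1.5 confidential 130
2024-03-02T11:03:55Z bob 10.0.2.9 internal 35
2024-03-03T09:05:19Z alice 10.0.1.5 confidential 115
2024-03-03T13:41:08Z bob 10.0.2.9 internal 45
2024-03-04T02:17:33Z alice 203.0.113.7 confidential 9000
2024-03-04T10:00:00Z bob 10.0.2.9 confidential 30
"""

# Constructed role policy: which data classifications each role may read.
ROLE_OF = {"alice": "analyst", "bob": "support"}
ALLOWED = {"analyst": {"internal", "confidential"}, "support": {"internal"}}


def parse_log(text):
    """Parse the whitespace-separated log into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, data_class, count = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "class": data_class, "count": int(count),
        })
    return events


def is_authorized(user, data_class):
    """Layer 1: least-privilege check against the role policy (deny by default)."""
    return data_class in ALLOWED.get(ROLE_OF.get(user, ""), set())


def build_baseline(events):
    """Layer 2 input: per-user daily record counts and the set of source IPs seen."""
    daily = defaultdict(lambda: defaultdict(int))
    ips = defaultdict(set)
    for e in events:
        daily[e["user"]][e["ts"].date()] += e["count"]
        ips[e["user"]].add(e["ip"])
    return daily, ips


def find_anomalies(events, baseline_days=3, k=3.0):
    """Return (user, day, reason) tuples for access that is unauthorized or unusual.

    The first `baseline_days` of each user's history define their normal
    volume; a later day is flagged when it exceeds mean + k * stdev, or when
    the user connects from an IP never seen during the baseline window.
    """
    findings = []
    # Unauthorized reads are findings regardless of volume.
    for e in events:
        if not is_authorized(e["user"], e["class"]):
            findings.append((e["user"], e["ts"].date(), f"unauthorized read of {e['class']}"))

    daily, _ = build_baseline(events)
    for user, per_day in daily.items():
        days = sorted(per_day)
        base_days, later_days = days[:baseline_days], days[baseline_days:]
        if len(base_days) < 2 or not later_days:
            continue  # not enough history to judge this user yet
        counts = [per_day[d] for d in base_days]
        mean, sd = statistics.mean(counts), statistics.stdev(counts)
        base_ips = {e["ip"] for e in events if e["user"] == user and e["ts"].date() in base_days}
        for d in later_days:
            # max(sd, 1.0) keeps a perfectly flat baseline from flagging tiny changes
            if per_day[d] > mean + k * max(sd, 1.0):
                findings.append((user, d, f"volume {per_day[d]} vs baseline mean {mean:.0f}"))
            new_ips = {e["ip"] for e in events if e["user"] == user and e["ts"].date() == d} - base_ips
            for ip in sorted(new_ips):
                findings.append((user, d, f"new source ip {ip}"))
    return findings


if __name__ == "__main__":
    for user, day, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

Run against the sample, the script reports bob's read of confidential data (a policy violation, caught by the authorization layer even though his volume is normal) and alice's 9000-record read from a previously unseen address (caught only by the behavioural layer, since her role permits the data). The two layers deliberately overlap: access control answers "may this user read this?", while baselining answers "is this how this user normally behaves?", and a separation-of-duties setup would have the security team, not the operations team, own the policy table and the alert thresholds.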

As cloud computing continues to expand, CISOs will come under increased pressure to maintain a strong cloud strategy for data security. The sooner they begin beefing up their protective measures, the sooner they will be ready to meet and overcome these new challenges.

Robert Moskowitz, New Mobility Partnerships

Business Perspectives

cloud security, data security

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
