In order to take into account these different requirements, security managers and CISO’s are advising that organisations segregate their data sets, minimise the volume of any one high target asset and create secure, encrypted tenants around users to the greatest level of granularity as possible. Global organizations, such as private equity firm The Carlyle Group, have been working with CTERA to adopt best practices to ensure security is approached correctly. The firm has worked to encrypt each of its offices with a unique key and explains its approach in a video here.
It’s clear that cloud services have become a critical and fundamental part of organisations’ IT armoury. The technologies are now mainstream as has been highlighted by recent research from Verizon which found that 94 percent of companies expect more than a quarter of their workloads to be in the cloud within two years and this trend will continue to accelerate as IT organisations focus on their core competencies and outsource infrastructure and software.
However, any new approach brings with a series of challenges and cloud is no different. Security is an enormous challenge and we are seeing a series of high profile cases that relate to security working through administrations right now. Some examples and their relevance to security are listed below:
Encryption: As the now-famous FBI vs. Apple case is provoking a global debate around the challenges of end-to-end security – both good and bad – it is a good lesson in source-based encryption. The case highlighted how user-generated security keys can create significant barriers to data access while simultaneously launching one of the most public government-sponsored hacking campaigns of all time.
Data ownership: In the above case, Apple completely complied with the government’s request for any of the San Bernadino shooter’s data that was managed by its iCloud SaaS service – and it could do so because it also owned the customer’s data. Similar cases have surfaced all around the world, where national interests are not as aligned, such as Microsoft vs. the US Government. What is becoming increasingly clear is that unless you’re the service and data owner, a third party SaaS provider can be leaned upon in ways you may not have prepared for and ways you’re less able to protect yourself from.
Threat radius: Aggregating the information of or about many organisations within one system has always been a critical shortcoming of public and private cloud IT systems. There is a direct, linear correlation between the amount of users of a public cloud SaaS service and its appeal to hackers – where the largest services can often deliver the best data payload to hackers. Over the last two years there have been countless examples of high-value hacking events from the US Office of Personnel Management, to Target, Sony and more.
These examples may not appear to apply to all organisations but as cloud and xaaS utilisation increases to near complete enterprise saturation, security challenges must be addressed. It is critically important that approaches to security take into account the different requirements of the different service and infrastructure requirements.
The technologies are mature and, with Amazon Web Services now celebrating a decade of business, it’s important to reflect on what the market has learned about security and what enterprises must consider while beginning their journey to the cloud. Cloud services have proved to be so attractive that enterprises are moving to cloud models of IT consumption and delivery in ever-greater numbers.
With cloud now fundamental to business, it’s critical that organisations keep security front of mind. Here are three tips to help maintain security in the cloud:
- Own your keys, and generate your keys. Third party encryption key generation is an additional level of vulnerability that isn’t appropriate for today’s secure organisations.
- Make your cloud private. Virtual private cloud (VPCs) have achieved the same level of security as private data centres have always been able to deliver. For this reason, organisations can now go all-in on their cloud agenda without compromising on application or data security.
- Compartmentalise your users, divisions and data to minimise the threat radius of any security compromise. Scalable systems that create unique encryption keys and data isolation around cloud tenants can ensure that in the event of any breach, the breach is contained to that user, application or segmented data set.
By taking on board these tips, you can avoid issues that are being uncovered in high profile cases and address the cloud security challenge.