According to research firm Gartner, spending on cloud computing will grow 18.5 percent to $130.7 billion this year. Gartner's predicted compound annual growth rate (CAGR) for cloud and security services breaks down as follows:
- SaaS: 19.5 percent
- PaaS: 27.5 percent
- IaaS: 41.3 percent
- Security services: 22 percent
In many organizations, privacy and security worries will drive the adoption of cloud encryption systems. This means both IT professionals and graduates of information security master's programs, online as well as traditional, must be familiar with data encryption in the virtual environment. These professionals and graduates should also follow six steps to ensure data security in the cloud.
Develop Plans for Data Breaches and Access Requests
Not all data requires the same level of protection, so companies need to categorize data they plan to store virtually. For each category, companies should identify data breach compliance requirements. They should also create rules for whether data can be stored in multiple places.
An enterprise data security plan will spell out business processes for dealing with law enforcement requests for data. All stakeholders, including legal, business, IT, contract and security should know their roles in the plan.
Understand How Your Provider Both Stores Data and Sunsets Data
Storage concerns include how the cloud service provider (CSP) isolates multiple cloud tenants from one another, how the CSP keeps data from being replicated to certain countries or regions, whether storage used for backup or archives is encrypted, and the CSP's policies for identity and access management. When data reaches the end of its useful life, the CSP should encrypt the data and delete the keys. In essence, this virtually shreds the data and keeps the keys from being replicated or compromised.
Keep Data Secure While It’s in Motion
Gartner suggests that, at a minimum, CSPs should enable SSL/TLS for browser access and VPN-based connections for system access to data. While most enterprises encrypt data while it travels, many do not keep it encrypted while it is in storage. Therefore, companies have to make sure unencrypted stored data is protected from breaches. Also, IaaS providers should provide network separation among tenants so that tenants cannot see one another's data.
Manage Encryption Keys
In a best-case scenario, enterprises manage their own encryption keys. However, if the CSP manages keys, then the provider must ensure that access management controls enable breach notification and follow data residency policies. The provider should also ensure that key management systems are hardware-based and that policies and procedures are tightly managed. As an additional precaution, CSPs should exercise caution when providing snapshots from the data center, because the memory contents captured in a snapshot can be analyzed in an attempt to recover keys.
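The crypto-shredding idea from the section above (encrypt the data, then delete the keys) together with this section's preference for enterprise-held keys, as an added Go example that is not from the article or from Gartner: each object is encrypted under its own data encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) the enterprise controls, and shredding deletes only the wrapped DEK. The Envelope layout, the function names and the use of AES-256-GCM are assumptions for illustration; the KEK is expected to come from the enterprise's own HSM or key management system.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what the CSP stores per object: AES-256-GCM ciphertext (nonce prefixed)
// plus the per-object data key (DEK) wrapped under the enterprise-held key-encryption
// key (KEK). WrappedDEK is nil once the object has been crypto-shredded.
type Envelope struct{ WrappedDEK, Ciphertext []byte }
// seal encrypts under key with a fresh random nonce prefixed to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; a wrong key or a tampered ciphertext fails authentication.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(blob) < gcm.NonceSize() { return nil, errors.New("bad key or ciphertext") }
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
// Encrypt: fresh 256-bit DEK per object; object sealed under the DEK, DEK under the KEK.
// The raw DEK is never stored, so only the KEK holder can ever unwrap it.
func Encrypt(kek, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, plaintext)
	if err != nil { return nil, err }
	wrapped, err := seal(kek, dek)
	if err != nil { return nil, err }
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}
// Decrypt unwraps the DEK with the KEK, then opens the object with the DEK.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	if env.WrappedDEK == nil { return nil, errors.New("data key shredded: object unrecoverable") }
	dek, err := open(kek, env.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext)
}
// Shred deletes only the wrapped key; the ciphertext and every backup copy of it stay useless.
func Shred(env *Envelope) { env.WrappedDEK = nil }
```

Shredding only helps if the data was stored encrypted in the first place, and the wrapped key has to be removed from every replica and backup, not just the primary copy.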
Implement Tight Access Controls
Gartner recommends a number of access controls, including:
- IP subnet access restriction policies. These allow enterprises to restrict end-user access to a known range of IP addresses and devices.
- Two-factor authentication.
- Management of access permissions.
- Separation of administrative duties such as maintenance, security and network management at the data center.
- Logs of all access to cloud resources. The logs should integrate with the company's on-premises log management and security information and event management (SIEM) systems.
- Restricted CSP access to sensitive management tools. This includes backup and recovery tools, data migration tools and live workload snapshot tools.
- Secure management for all images snapped by data migration or snapshotting tools.
Know How Encryption Affects Applications and Database Functions
Businesses need to know how encryption affects functions like searching, indexing and sorting. Advanced search functions, including substring matching and wildcard searches ("ends with" or "contains"), deserve particular attention. Also, if the CSP offers encryption that preserves these functions, certain regulations may apply. For example, standardized and approved algorithms or proof of independent certification may be necessary.
Because of cloud security concerns, only one out of five companies uses external cloud services for critical functions. Something to remember is that while CSPs see attacks mounted against clients in their infrastructures, they also use the data from these attacks to learn how to protect other clients. External cloud infrastructure can provide valuable cost-cutting and scaling services for businesses, as long as businesses ensure CSPs follow tight procedures for data encryption.
About the Author: Tim Hartman provides data-security consulting services for public and private sector organizations.