A lire sur: http://blogs.computerworld.com/cloud-security/22760/going-cloud-byos-bring-your-own-security
There are many benefits to be gained by using the public cloud. Cost
efficiencies, elasticity and collaborative access are mentioned most
often. But will your data be secure in the cloud? And who is responsible
for keeping it safe? These topics bear further exploration.
For small organizations – typically those that can’t justify adding someone with ‘security’ in their title to the team – outsourcing to a cloud service provider (CSP) may be more secure than trying to build and maintain their own data center. But for larger companies, especially organizations that must comply with privacy regulations like HIPAA/HITECH or PCI DSS, ensuring and validating data privacy can be more challenging in a public cloud environment.
Prying Eyes
One of the big questions you should ask before moving data to a CSP is ‘Do I care if anyone sees this data, and if so, from whom do I want to protect it?’
The Cloud Security Alliance publishes a useful document that offers security guidance for cloud computing. Chapter 5, in particular, offers many good ideas for how to securely migrate to the cloud, as well as ways to secure data until it can be securely decommissioned.
Who bears responsibility?
Perhaps the most important question you must ask is ‘who should be responsible for the security and privacy of my data?’ While nothing exists in a vacuum, my answer to this question is resoundingly ‘YOU!’
As Gartner recently pointed out, most cloud service provider contracts are inadequate. While CSPs have invested extensively on availability and disaster recovery, they often ignore data privacy, integrity and breach remediation in their service level agreements (SLA).
Even if an SLA includes some security commitments, the issue of data access by privileged insiders is still a concern. It’s simply not enough to trust data privacy to your CSP. Google recently announced that it will encrypt stored client data for free – but noted that it will also manage and maintain the encryption keys. From a security perspective, that is a red flag.
Encrypting your data in the cloud is a great idea – but make sure you keep and maintain the encryption keys. This way, if the government comes knocking on the CSP’s door looking for your data, your prospective visitor will have to come to you directly if they want to decrypt it.
What to do?
When you boil it down, there are two key actions you need to take to ensure data privacy in the cloud.
For small organizations – typically those that can’t justify adding someone with ‘security’ in their title to the team – outsourcing to a cloud service provider (CSP) may be more secure than trying to build and maintain their own data center. But for larger companies, especially organizations that must comply with privacy regulations like HIPAA/HITECH or PCI DSS, ensuring and validating data privacy can be more challenging in a public cloud environment.
Prying Eyes
One of the big questions you should ask before moving data to a CSP is ‘Do I care if anyone sees this data, and if so, from whom do I want to protect it?’
Those with malicious intent: Hackers, overzealous
competitors, or even CSP insiders have much to gain in your cloud. Most
cloud infrastructures are highly virtualized, providing a very
concentrated environment that co-mingles data from many different
organizations, which becomes an attractive target.
Those who are unintentionally dumb: Hanlon’s razor
says ‘Never attribute to malice that which is adequately explained by
stupidity.’ Cloud infrastructure is immense and complicated, and
mistakes happen. A simple misconfiguration can leave data exposed.
Those who carry a big stick: As Edward Snowden
recently revealed, the government has also recognized that CSPs are a
rich target for data. CSPs have cooperated fairly extensively with these
requests, usually without notifying the data owner. While most
organizations aren’t hosting data in the cloud that might get them in
trouble, it still seems to be the general consensus we don’t want
unauthorized people poking around our data.
Now the next question becomes, what is the best way to secure data in
the cloud? Clearly, there are different types of ‘cloud.’ Infrastructure
as a Service may need different tools than Software as a Service
applications. Other considerations include what type of data you need to
secure. Is it structured? Unstructured? All of the above?The Cloud Security Alliance publishes a useful document that offers security guidance for cloud computing. Chapter 5, in particular, offers many good ideas for how to securely migrate to the cloud, as well as ways to secure data until it can be securely decommissioned.
Who bears responsibility?
Perhaps the most important question you must ask is ‘who should be responsible for the security and privacy of my data?’ While nothing exists in a vacuum, my answer to this question is resoundingly ‘YOU!’
As Gartner recently pointed out, most cloud service provider contracts are inadequate. While CSPs have invested extensively on availability and disaster recovery, they often ignore data privacy, integrity and breach remediation in their service level agreements (SLA).
Even if an SLA includes some security commitments, the issue of data access by privileged insiders is still a concern. It’s simply not enough to trust data privacy to your CSP. Google recently announced that it will encrypt stored client data for free – but noted that it will also manage and maintain the encryption keys. From a security perspective, that is a red flag.
Encrypting your data in the cloud is a great idea – but make sure you keep and maintain the encryption keys. This way, if the government comes knocking on the CSP’s door looking for your data, your prospective visitor will have to come to you directly if they want to decrypt it.
What to do?
When you boil it down, there are two key actions you need to take to ensure data privacy in the cloud.
-
Read your SLA. Make sure you know what your cloud service provider will commit to securing, and what they won’t. The latest draft of the Payment Card Industry Data Security Standard
that was released for review last week emphasizes exactly this point.
The handoff between you and your CSP is especially critical.
- BYOS. Bring your own security. Even if your service provider offers security capabilities like encryption, don’t just take them at face value. As we’ve recently learned, it is certainly possible for government organizations or hackers to insert technology that can bypass CSP encryption. (See also: Regardless of the NSA, you still need encryption.)
Aucun commentaire:
Enregistrer un commentaire