The Ponemon Institute produced its third annual report on global trends in cloud encryption. They worked with encryption solutions provider Thales e-Security, so you do the math in terms of biases. However, there are some interesting data points that relate to how enterprises manage cloud security.
The report declares that about half the organizations out there are moving confidential data to the cloud. Most importantly, they trust the cloud more than they did a year ago, as the number of cloud-based data systems increases and data breaches don’t seem to be an issue.
Ponemon asked 4,275 businesses and IT managers in multiple countries about the ways they use cloud services and encryption around managing sensitive data. This includes whether or not companies encrypted data in the cloud at all.
When it came to encryption at rest for data, the numbers were lackluster. Only 39 percent of SaaS users and 26 percent of IaaS/PaaS users had data at rest encryption. Moreover, only 44 percent (SaaS)/40 percent (IaaS/PaaS) of those users were encrypting data before sending it to the cloud.
While this is good news in terms of enterprises trusting the cloud, it may be bad news in terms of risk and exposure. While cloud computing can be made secure for enterprise data, you must at least take steps to make it secure. Indeed, the level of security in the cloud is directly dependent upon the amount of security planning that goes into both the architecture and implementation.
Hackers may not be the only group going after your data. A U.S. magistrate judge ruled this month that U.S. cloud vendors must fork over customer data even if that data resides in data centers outside the country, if warrants are provided. In his ruling, U.S. Magistrate Judge James Francis found that big ISPs, Amazon Web Services, Microsoft, and Google, must comply with valid warrants to turn over customer information, even if that material resides in data centers outside the U.S.
This means that, if it’s in a U.S.-based provider’s cloud, there is some risk that your data will fall into the hands of U.S. authorities. In some cases, this could happen without your knowledge. Few would argue with the contention that law enforcement may occasionally need to go after data that resides within cloud providers for legitimate reasons. The problem is that there is likely to be some collateral damage when that happens.
For example, the FBI seizes servers from a cloud provider that were used to support a criminal operation, and your data shares the same cloud server that ends up on the truck heading to the FBI labs. As a result, trade secrets are exposed, or perhaps other information that you would rather not have in the hands of someone who has not signed a confidentiality agreement.
We don’t need to be overly paranoid about data security in the cloud. However, the core problem, as revealed in the survey, is that companies don’t put enough security thinking, planning, and technology around data in the cloud. While nothing is 100 percent secure, enterprises that don’t take steps to secure data in flight and at rest are likely to run into unexpected problems somewhere down the road.
It’s pretty easy to create a sound data security plan for your cloud implementation that will meet the needs of your business. I like to use the T-shirt sizing analogy: small, medium, and large.
· Small: Basic encryption at rest for your cloud-based data. While some are concerned about performance, the processing overhead is typically better than you think. This provides some level of assurance that, even if your data is accessed, there will be minimal or no damage.
· Medium: Basic encryption at rest, as well as basic encryption in flight. When moving data to and from cloud-based platforms, it’s typically over the open Internet. This level of security should keep most of the risks low for data breaches.
· Large: Going all the way to provide advanced security. This includes identity-based security solutions that can track data and data usage by data attribute, data user, data grouping, etc., and thus mix and match the security configuration to meet your exact needs. While small and medium plans just lock the doors, large controls access to specific areas of the database in ways that are appropriate for the use cases.
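A sketch of what the "large" tier adds over locking the doors, as an added example that is not from the original article: a default-deny check that grants access per data attribute (column label), user group, and use case, and records each decision. The table, labels, groups, and policy are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: sensitivity label (data attribute) per column.
COLUMN_LABELS = {
    "customer_id": "internal",
    "email": "pii",
    "card_number": "pci",
    "order_total": "internal",
}

@dataclass(frozen=True)
class Rule:
    group: str         # data user grouping the rule applies to
    labels: frozenset  # data attributes the group may read
    purpose: str       # use case the access is granted for

# Constructed policy: each group reaches only the areas its use case needs.
POLICY = [
    Rule("support", frozenset({"internal", "pii"}), "ticket-handling"),
    Rule("billing", frozenset({"internal", "pci"}), "payment-processing"),
    Rule("analytics", frozenset({"internal"}), "reporting"),
]

def allowed_columns(group, purpose, requested):
    """Return (granted, denied) column lists; anything unmatched is denied."""
    permitted = set()
    for rule in POLICY:
        if rule.group == group and rule.purpose == purpose:
            permitted |= rule.labels
    granted, denied = [], []
    for col in requested:
        label = COLUMN_LABELS.get(col)  # unlabelled columns yield None
        (granted if label in permitted else denied).append(col)
    return granted, denied

def audit_line(user, group, purpose, requested):
    """Format one usage record so access can be tracked per user and group."""
    granted, denied = allowed_columns(group, purpose, requested)
    return (f"user={user} group={group} purpose={purpose} "
            f"granted={granted} denied={denied}")

if __name__ == "__main__":
    print(audit_line("alice", "support", "ticket-handling",
                     ["email", "card_number"]))
    print(audit_line("bob", "billing", "reporting", ["card_number"]))
```

Unlabelled columns and group/purpose pairs with no matching rule fall through to denial, so a gap in the policy fails closed rather than open.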
Data security is not new. What’s new is the use of public clouds for enterprise data storage. That said, the basic data security approaches and technologies we’ve leveraged for years are still very much relevant, and have been relocated to the cloud.
I’ve been alive to see many paradigm shifts in the world of IT, but the movement to cloud computing is much more far-reaching and systemic. We need to consider proven best practices, such as data security, and make sure we don’t forget those practices when moving to the cloud. Until best practices are applied on a much broader scale, data security will still be an issue as we migrate our core data to cloud-based platforms. The sad fact is, it does not have to be this way.