Security and compliance pragmatism: How to get both in Cloud Storage environments

We know that cloud computing has the potential to make businesses more responsive than ever – imparting the economic advantages that added speed, agility and flexibility bring with them. However, security remains a major stumbling block for many. Recent research carried out by Ovum revealed that, though 80 percent of enterprises globally are already using cloud environments, only 54 percent reported using them to store sensitive information.

This figure is unsurprising given today’s IT organisations remain caught in an unending cycle of rapid, substantive change. With data volumes multiplying at an exponential rate, the proliferation of bring-your-own-device initiatives and the ubiquity of mobile applications, IT teams are under considerable pressure to support even more user-devices and infrastructure than ever before. By further adding cloud to the mix of remote, externally distributed environments and servers – whether IaaS, PaaS, SaaS models, or a combination thereof – further complicates the already daunting task of data security.

It is within this context that the simple reality can be made clear: sensitive data will show up in more locations and be exposed to more threats unless the appropriate data protection measures are put in place. Interestingly, the report found that 89 percent of executives felt their organisations were at risk from insider attacks that come from ordinary employees, privileged users, contractors and services providers as well as the compromise of these accounts by sophisticated and elusive cyber-hackers. Another important issue to consider here is that, for many organisations, the need to strengthen security and mitigate the risk of breaches and threats is being intensified by regulatory and privacy mandates. Given disclosure rules, many mandates can contribute to dramatically escalating brand damage when sensitive data is compromised.

To contend with these myriad realities, organisations must expand their safeguards across larger data sets and more environments. This is particularly true of cloud implementations, which represent an increasingly large and strategic portion of the IT computing landscape and a critical area of vulnerability if the appropriate defences are not employed. Today, many corporate users and business groups have adopted cloud storage offerings like Box and Amazon S3, proven to help businesses enhance collaboration, flexibility, cost efficiency, and data availability – but the adoption is most often without internal IT security authorisation or oversight. Given this ad-hoc usage, one thing that IT decision makers are sure about is that is that sensitive data is used there and at risk, with 68 percent of UK companies reporting that they were very or extremely concerned. As a result of this sensitive data use, it is increasingly vital that organisations employ strong safeguards in these environments. This isn’t a requirement that IT leadership can ignore. It is important to recognise that this move to cloud storage has happened and will happen with or without the involvement of IT. If there isn’t a company-sanctioned cloud storage service, employees will use their own – and in the process create a new set of risks for enterprise data.

However, while the need for strong security in cloud storage environments is critical, addressing this requirement can present security and compliance teams with a number of specific challenges. The first, is that of limited visibility and control. Given the multi-tenant, externally hosted nature of these cloud services, security teams and the auditors they work with fundamentally lack visibility into the nature of security mechanisms in place, making it difficult to track and demonstrate compliance. In addition, sensitive files may be copied, downloaded, and uploaded by employees without any controls or logging of these activities. In the event of a breach, security teams may lack the intelligence they need to do proper forensics.
The second core risk is that of privileged user exposure. In cloud storage environments, ‘privileged users’ like cloud administrators, root users and other network system admins within the cloud service provider (CSP) organisation often have broad, powerful access rights by nature of their job and, thus, may be able to access or manipulate sensitive client data without the data owner’s knowledge. Further complicating concerns around theses users is that they are often a prime target for perpetrators of Advanced Persistent Threats (APTs) or other forms of malware designed to compromise (and then use for themselves) the access rights of these users. Unfortunately, these sophisticated hackers are adept at using the credentials of these powerful administrators and can create and delete multiple accounts, and even modify security event logs, doing so undetected. Fortunately, the Ovum research confirms that privileged user abuse at the cloud provider level has edged into top place as one of the key worries shared by businesses globally (67 percent) when considering cloud data security.
A third specific challenge to address in this space is that of vulnerability to government subpoenas. News reports have made it clear that government agencies are increasingly using subpoenas of service providers, including cloud providers, to further criminal investigations. For organisations storing their data in the cloud, this can mean that corporate data may be handed over to agencies, potentially without executives ever knowing, let alone providing their consent. Indeed it’s worthwhile mentioning here that in Europe an increasing number of enterprises and their governments are unwilling to put their data in the hands of US-based CSPs. This anxiety has manifested itself on the policy level; for example, many data-and-privacy-focused countries like Germany and Spain have tightened up their data residency requirements even further, requiring that personal information never leave a person’s home jurisdiction without explicit consent.

In light of the above, businesses must make strategic choices when it comes to security solutions. In recent years, data-at-rest encryption has emerged as an increasingly fundamental requirement and this is particularly true for cloud storage environments. By encrypting sensitive assets before they are saved to cloud storage environments – using a transparent storage-specific solution – security teams can begin to establish the controls needed to guard against unauthorised access to sensitive files. It’s useful to remember that encryption can, in turn, help establish the visibility that IT teams need to track and demonstrate compliance with security policies and regulatory mandates. Furthermore, by keeping localised control over keys, security teams can enforce policies tailored to the specific needs of individual users and track data access even as sensitive data is saved and distributed in cloud storage environments. In doing so, the risk of a breach ‘from within’ is minimised. Also, by retaining cryptographic keys on premise, keys will never be made accessible to the cloud provider – thus eliminating the risk of abuse from this specific source. Storing keys in a certified hardware appliance for additional security is also an option here for concerned businesses.

In the past, enterprises and organisations have lacked these controls in cloud storage environments, and have therefore been forced to limit their adoption of cloud services, or hold off on migrating to cloud environments altogether for fear of the security and compliance risks. But, this approach has almost universally failed, with users and business units adopting solutions without IT consent or security oversight. With solutions available that apply encryption and access controls via an IT sponsored solution, organisations can now safely offer users and business units the access to cloud storage environments that they want and need.