In deciding whether a cloud service is secure enough for you, you’ll find that you have to decide where you want to be on the scale. On one end is ease-of-access and on the other end is ironclad security. In this post I’ll talk about how security applies to cloud computing, how security in the cloud can help reduce the risk of data leakage, and how to approach a security assessment of your cloud provider.
A sliding scale between Tough Security and Easy Access
Life is riddled with trade-offs. You can raise a family with kids filling the house… or you and your spouse can have privacy. You can enjoy the convenience of fast food quickly and easily… or you can slow down to take the time to have healthful meals. You can have data that’s easy to get to… or you can have data that’s secure.
Picture this: the only truly secure computer is one that’s unplugged from the network, turned off, encased in concrete, and fired into the sun. Now, that’s a secure computer! The problem is, it’s so secure that it’s not useful. If you can’t get to your data, how is all that security worthwhile?
Somewhere between “It’s easy to get to” and “It’s secure” is where you want to be.
Here’s another scenario: you have stuff in your life. Some of it winds up in your kitchen “junk” drawer. Some of it winds up in a fire-proof lock box in the basement. Some of it actually goes in a safety-deposit box at the local bank. Right? You have different security needs for different types of stuff.
So different items have differing levels of concern when it comes to security; it’s not an all-or-nothing toggle, it’s a scale with ease-of-access on one end and highly-secure on the other. The same is true for cloud security: a pizzeria typically has less worry about data leakage than a CPA would.
Where the Cloud is MORE Secure than Local Data
One of the most obvious threats to leaking your data is simple carelessness — for example, some 10% of all new laptops are lost or stolen in their first year, and most of those contain unencrypted corporate data. Yikes! Regardless of how secure your cloud is, a misplaced laptop with sensitive data on it can cause you mountains of trouble.
Think about it — in order for your data to be useful to you, it must be accessible by you (and your team). The easiest access is for you to have that data on your own laptop, carrying it around with you. But! If “black hats” gain control of that, you’re in trouble! Fortunately, cloud computing can help alleviate that particular problem. If you can have “the cloud” store all your sensitive information instead of storing it on your laptop then your computer, or any device anywhere, is just a portal enabling you to get to your data. In this case, losing your laptop will only be a big problem if you get lazy and have your web browser remember your passwords… Otherwise whoever winds up with your computer will only have a generic laptop, without any sensitive proprietary information on it. Neat!
So if your cloud-service makes your data accessible to you and your team in a way that’s not just easy but dependable, then you (and others on your team) will be less tempted to store the data locally, which reduces the likelihood that a lost or stolen laptop — or any unattended keyboard on an office PC — will lead to security issues! Additionally, consider that cloud providers like Google or Dropbox will likely have folks on staff who know a lot more about security best practices and threats and technologies than your local IT team will. That won’t resolve all your problems, but having resources like they do is a strong asset! In most other areas, cloud security is no different from traditional data security. Don’t publicize passwords and usernames, use encrypted connections (e.g. https instead of plain http), use secure software, avoid sending sensitive information in an email…
Areas of Security Concerns
The “threats” listed below are taken from the Cloud Security Alliance’s “Top Threats” whitepaper. They cover the main areas where security weaknesses can cause trouble:
- Abuse and Nefarious Use of Cloud Computing — where the bad guys use online resources to hammer away at your stuff until they break in
- Insecure Application Programming Interfaces — where bugs (or just plain oversights) in programming code can lead to “holes”
- Malicious Insiders — where a disgruntled or spiteful team member can intentionally cause damage
- Shared Technology Vulnerabilities — where “black hats” leverage flaws in the multi-tenant architecture (such as the rare occurrence of a form from one website involving credit card info being visible to another site hosted on the same server)
- Data Loss/Leakage — where confidential or trade-secret info is publicized, likely causing legal and economic issues
- Account, Service & Traffic Hijacking — where typically stolen credentials are used to co-opt various identities to destroy brand identity or cause other damage
- Unknown Risk Profile — where the service provider’s adherence to security practices and standards is unknown
That last one is interesting, because regardless of the service provider’s ability to keep your stuff secure, the main responsibility for your data lies with you, and if you pick the wrong host, you could suffer nasty consequences. So how do you pick the right host?
Evaluating Cloud Providers
Right now there are many different standards that cloud providers might (or might not) adhere to. The two big ones are SAS 70 and ISO 27001.
- SAS 70: developed by the American Institute of Certified Public Accountants (AICPA) as guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report
- ISO 27001: provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS)
- For a synopsis of these and other similar standards, try Data Center Map’s article.
Still, even with ISO 27001 and SAS 70, it’s difficult to determine if a prospective cloud-service provider is going to handle your data to your specifications!
CSA Security Trust and Assurance Registry (STAR)
The Cloud Security Alliance is looking to standardize the process using its Cloud Controls Matrix, which details many levels of security concerns at fine granularity. As service providers fill out the matrix, consumers can then evaluate the security more exactly. To see examples of what these responses contain, have a look at the STAR Preview. The CSA’s STAR library isn’t well populated yet (late 2011) but it promises to be very informative in the near future.