Figuring out a good path to security in your cloud configurations can be quite a challenge. This is complicated by the different types of cloud we deploy – public or hybrid – and the class of data and computing we assign to those cloud segments. Generally, one can create a comprehensive and compliant cloud security solution, but the devil is in the details and a nuanced approach to different use cases is almost always required.
Let’s first dispel a few myths. The cloud is a very safe place for data, despite FUD from those who might want you to stay in-house. The large cloud providers (CSPs) maintain a tight ship, simply because they'd lose customers otherwise. Even so, we can assume their millions of tenants include some that are malevolent, whether hackers, government spies or commercial thieves.
At the same time, don't make the common assumption that CSP-encrypted storage is safe. If the CSP uses drive-based encryption, don’t count on it. Security researchers in 2015 uncovered flaws in a particular hard drive product line that rendered the automatic encryption useless. This is lazy man’s encryption! Do it right and encrypt in the server with your own key set.
Part of the data security story is that data must maintain its integrity under attack. It isn’t sufficient to have one copy of data; just think what would happen if the only three replicas of a set of files in your S3 pool are all “updated” by malware. If you don’t provide a protection mechanism for this, you are likely doomed!
We are so happy with the flexibility of all the storage services available to us that we give scant consideration to what happens to, for example, instance storage when we delete the instance. Does it get erased? Or is it just re-issued? And if erasure is used on an SSD, how can we get over the internal block reassignment mechanism that just moves deleted blocks to the free pool? A tenant using the right software tool can read these blocks. Your CSP may have an elegant solution, but good governance requires you to ask them and understand the adequacy of the answer.
Governance is a still-evolving facet of the cloud. There are solutions for data you store, complete with automated analysis and event reporting, but the rise of SaaS and all the associated flavors of as-a-Service leaves the question of where your data is, and if it is in compliance with your high standards.
The ultimate challenge for cloud storage security is the human factor. Evil admins exist or are created within organizations and a robust and secure system needs to accept that fact and protect against it with access controls, multi-factor authentication, and a process that identifies any place that a single disgruntled employee can destroy valued data. Be paranoid; it’s a case of when, not if!
Let’s dig deeper into the security challenges of cloud storage and ways you can protect data stored in the cloud.