Get tips for keeping your data secure in the cloud.
Figuring out a good path to security in your cloud configurations can be quite a challenge. This is complicated by the different types of cloud we deploy – public or hybrid – and the class of data and computing we assign to those cloud segments. Generally, one can create a comprehensive and compliant cloud security solution, but the devil is in the details and a nuanced approach to different use cases is almost always required.
Let’s first dispel a few myths. The cloud is a very safe place for data, despite FUD from those who might want you to stay in-house. The large cloud service providers (CSPs) run a tight ship, simply because they'd lose customers otherwise. Even so, assume that their millions of tenants include some that are malevolent, whether criminal hackers, government spies or commercial thieves, and that some of them share hardware with you.
At the same time, don't make the common assumption that CSP-encrypted storage makes your data safe. Provider-managed encryption at rest defends against a disk walking out of the data center; it does nothing against anyone who can present valid credentials to the storage API, because the CSP decrypts transparently for them. If the CSP relies on drive-based (self-encrypting drive) encryption, don’t count on it at all: security researchers in 2015 uncovered flaws in a particular hard drive product line that rendered its automatic encryption useless. That is lazy man’s encryption. Do it right: encrypt at the source, in your own server, with keys you generate and hold, so that what the CSP stores is ciphertext it cannot read.
Part of the data security story is that data must keep its integrity under attack. Having copies is not enough, because replication propagates a malicious write as faithfully as a legitimate one: if the only three replicas of a set of files in your S3 pool are all “updated” by malware, you have three identical bad copies and nothing to restore from. Without a protection mechanism such as versioning or an immutable snapshot taken before the attack, you are likely doomed!
We are so happy with the flexibility of the available storage services that we give scant consideration to what happens to, say, instance storage when we delete the instance. Is it erased, or simply re-issued to the next tenant? And if an erase is performed on an SSD, how does that cope with the drive's internal block remapping, which moves “deleted” blocks to the free pool rather than overwriting them? A later tenant handed those physical blocks could, in principle, read them unless the CSP zeroes or cryptographically erases them first. Your CSP may have an elegant solution, but good governance requires you to ask and to judge whether the answer is adequate.
Governance is a still-evolving facet of the cloud. There are solutions for the data you store yourself, complete with automated analysis and event reporting, but the rise of SaaS and all the associated flavors of as-a-Service leaves open the questions of where your data actually is and whether it is held to your standards.
The ultimate challenge for cloud storage security is the human factor. Malicious admins exist, or are created within organizations, and a robust and secure system accepts that fact and protects against it with access controls, multi-factor authentication, and a review that identifies every place where a single disgruntled employee could destroy valued data. Be paranoid; it’s a case of when, not if!
Let’s dig deeper into the security challenges of cloud storage and ways you can protect data stored in the cloud.
Take responsibility for security
The general consensus today is that the large public clouds are safe places to work. Cross-tenant attacks have been largely neutralized by CPU hardware and microcode changes and by hypervisor fixes, though side-channel research continues, so “mitigated” is the honest word rather than “solved”.
Having said that, a cloud installation is vulnerable to the same attacks as any other setup: human error and malfeasance, viruses and other malware, DDoS and password guessing. In fact, public and private cloud installations typically have a much bigger attack surface than a dedicated server deployment, because every management API, console and credential is reachable over the network. Assuming the CSP is responsible for your security is plain wrong; the provider secures the infrastructure, and everything you configure and store on top of it is yours to secure. Just as in any data center, pay deep attention to security and shrink the attack surface down to size.
Part of the problem is the volatility of cloud deployments. Instances come and go, so tracking them requires an automated security monitor: software that identifies attempted unauthorized cross-tenant access, spots outside threats, and detects unusual access patterns, among other things.
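A minimal version of the “unusual access patterns” detector the paragraph calls for, added here as an illustration rather than code from the original article. It runs over a constructed object-access log (the principal names, object keys and thresholds are invented for the example) and flags two patterns a storage-focused monitor should catch: a principal reading an unusually large number of distinct objects in a short window, which is what exfiltration looks like, and a principal deleting many objects in a short window, which is what a wiper or ransomware run looks like.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AccessEvent is one object-store access record: the subset of fields a CSP
// audit log provides that the detection below needs. Sample data is constructed.
type AccessEvent struct {
	Time      time.Time
	Principal string
	Action    string // GET, PUT or DELETE
	Object    string
}

// Alert is one suspicious pattern attributed to a principal.
type Alert struct {
	Principal string
	Reason    string
}

// Detector thresholds. These values are illustrative; derive real ones from a
// baseline of your own traffic.
type Detector struct {
	Window     time.Duration // sliding window
	MaxReads   int           // distinct objects read per window before alerting
	MaxDeletes int           // deletes per window before alerting
}

// Scan flags bulk reads (more than MaxReads distinct objects inside Window) and
// bulk deletes (more than MaxDeletes inside Window), at most once per principal
// per pattern. Events may arrive out of order; each principal's events are sorted.
func (d Detector) Scan(events []AccessEvent) []Alert {
	byPrincipal := map[string][]AccessEvent{}
	for _, e := range events {
		byPrincipal[e.Principal] = append(byPrincipal[e.Principal], e)
	}
	principals := make([]string, 0, len(byPrincipal))
	for p := range byPrincipal {
		principals = append(principals, p)
	}
	sort.Strings(principals) // deterministic alert order

	var alerts []Alert
	for _, p := range principals {
		evs := byPrincipal[p]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		readHit, delHit := false, false
		start := 0
		for end := range evs {
			// slide start forward so that evs[start..end] all fall within Window
			for evs[end].Time.Sub(evs[start].Time) > d.Window {
				start++
			}
			distinct, deletes := map[string]bool{}, 0
			for _, e := range evs[start : end+1] {
				switch e.Action {
				case "GET":
					distinct[e.Object] = true
				case "DELETE":
					deletes++
				}
			}
			if !readHit && len(distinct) > d.MaxReads {
				alerts = append(alerts, Alert{p, fmt.Sprintf("%d distinct objects read within %s", len(distinct), d.Window)})
				readHit = true
			}
			if !delHit && deletes > d.MaxDeletes {
				alerts = append(alerts, Alert{p, fmt.Sprintf("%d deletes within %s", deletes, d.Window)})
				delHit = true
			}
		}
	}
	return alerts
}

// SampleEvents builds a constructed log: one normal service, one routine cleanup
// job, one bulk reader and one bulk deleter.
func SampleEvents() []AccessEvent {
	t0 := time.Date(2024, 3, 1, 9, 0, 0, 0, time.UTC)
	var evs []AccessEvent
	for i := 0; i < 5; i++ { // five reads spread over an hour: normal
		evs = append(evs, AccessEvent{t0.Add(time.Duration(i) * 12 * time.Minute), "app-svc", "GET", fmt.Sprintf("reports/r%d", i)})
	}
	for i := 0; i < 3; i++ { // three deletes, under threshold
		evs = append(evs, AccessEvent{t0.Add(time.Duration(i) * time.Second), "backup-job", "DELETE", fmt.Sprintf("tmp/t%d", i)})
	}
	for i := 0; i < 60; i++ { // 60 distinct objects in two minutes
		evs = append(evs, AccessEvent{t0.Add(time.Duration(i) * 2 * time.Second), "contractor-jane", "GET", fmt.Sprintf("customers/c%d", i)})
	}
	for i := 0; i < 25; i++ { // 25 deletes in under a minute
		evs = append(evs, AccessEvent{t0.Add(time.Duration(i) * 2 * time.Second), "compromised-admin", "DELETE", fmt.Sprintf("customers/c%d", i)})
	}
	return evs
}

func main() {
	d := Detector{Window: 5 * time.Minute, MaxReads: 50, MaxDeletes: 10}
	for _, a := range d.Scan(SampleEvents()) {
		fmt.Printf("ALERT %s: %s\n", a.Principal, a.Reason)
	}
}
```

The window is recomputed for every event, which is adequate for a batch audit over exported logs; a streaming monitor would keep running counts per principal instead. The important design point is that the thresholds are per principal and time-bounded: a service that legitimately reads thousands of objects a day should not trip the same rule as a contractor account that has never read more than a handful.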
The first challenge in protecting data stored in a cloud is preventing an attacker who has already gotten past your perimeter from reading, editing or deleting files. The obvious answer is encryption, but what sort? There is encryption at rest, in transit, at source, and CSP drive encryption, and each covers a different threat. And where should you keep the keys?
The safest way is to encrypt sensitive data at the source server, before it leaves your control, and to manage the keys yourself, away from the storage that holds the ciphertext. That takes discipline, but discipline is essential for a rugged system. It might be argued that data in transit isn’t so vulnerable, but we are entering an era of SDN and network virtualization where the “wire” is software someone else runs, so in-transit protection is a must as well.
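What “encrypt at the source with your own keys” looks like in practice, as an added example and not code from the original article: envelope encryption using only the Go standard library. Each object gets a fresh random data key (DEK), the object is sealed with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that stays with the tenant; the CSP only ever receives the resulting blob. The object name is bound into both ciphertexts as associated data, so a blob cannot be silently swapped onto a different object. The KEK below is a constructed constant for the demo; in a real deployment it comes from your own KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Blob layout produced by Seal:
//   wrapNonce(12) | wrappedDEK(32 key + 16 tag) | dataNonce(12) | ciphertext+tag
const wrappedLen = 12 + 32 + 16

// Seal encrypts plaintext under a fresh DEK and wraps the DEK with the KEK.
func Seal(kek []byte, objectName string, plaintext []byte) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, []byte(objectName), dek)
	if err != nil {
		return nil, err
	}
	body, err := gcmSeal(dek, []byte(objectName), plaintext)
	if err != nil {
		return nil, err
	}
	return append(wrapped, body...), nil
}

// Open reverses Seal. Any modification to the blob, a mismatched objectName or a
// wrong KEK fails GCM authentication and yields an error, never corrupt plaintext.
func Open(kek []byte, objectName string, blob []byte) ([]byte, error) {
	if len(blob) < wrappedLen+12+16 {
		return nil, errors.New("blob too short")
	}
	dek, err := gcmOpen(kek, []byte(objectName), blob[:wrappedLen])
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, []byte(objectName), blob[wrappedLen:])
}

// gcmSeal returns nonce || AES-GCM(key, nonce, plaintext, aad).
func gcmSeal(key, aad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen splits off the nonce and authenticates/decrypts the remainder.
func gcmOpen(key, aad, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(data) < n+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:n], data[n:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte KEK for the demo
	name := "customers/2024-03.csv"
	blob, err := Seal(kek, name, []byte("id,name\n1,alice\n"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(kek, name, blob)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 0x01 // flip one ciphertext bit as the "malware edit"
	_, err = Open(kek, name, blob)
	fmt.Println("after tampering:", err)
}
```

Because the DEK is wrapped rather than derived, rotating the KEK means re-wrapping a 60-byte header per object, not re-encrypting the data, and because the KEK never reaches the provider, a compromised storage credential yields only ciphertext.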
Even encrypted data is vulnerable to deletion or damage. Failed hardware, malicious operators and bad software all contribute to the risk. While not purely a security issue, there are some common fixes.
One solution is to move data out of reach of the mishap. Backups and frequent snapshots both minimize the amount of data exposed. A backup makes an “offline” copy; a snapshot preserves the data as it was at a point in time and records only the blocks that change afterwards. In both cases, provided the copy itself cannot be altered by whatever is attacking the live data, only the changes since the last copy are at risk.
The working and backup copies also need to be protected by replication or erasure coding across geographically dispersed zones in the cloud. Don’t put all your eggs in one basket! The power grids that feed a data center are less well protected physically than the data center itself, and the facility is in any case exposed to acts of God. Prolonged loss of access to data is just as much a security issue as theft.
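An integrity check that addresses the earlier scenario of three replicas all “updated” by malware, added here as an illustration and not code from the original article. Object digests are recorded in a manifest at write time, and the manifest is HMAC-signed with a key the storage tier never holds (the key, object names and contents below are constructed). The audit first verifies the manifest, so an attacker who rewrites both data and manifest is caught, then tests every replica against it, so replicas that agree with each other but not with the manifest are reported as unrecoverable rather than trusted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps object name -> hex SHA-256 of the content, recorded when the
// object is written and kept apart from the data (ideally on immutable storage).
type Manifest map[string]string

// Digest returns the hex SHA-256 of content.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// canonical renders the manifest in sorted order so its MAC is deterministic.
func (m Manifest) canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", m[n], n)
	}
	return []byte(b.String())
}

// Sign MACs the manifest with a key held outside the storage tier, so malware
// that rewrites data and manifest alike still cannot produce a valid tag.
func (m Manifest) Sign(key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(m.canonical())
	return mac.Sum(nil)
}

// Verify checks a tag in constant time.
func (m Manifest) Verify(key, tag []byte) bool {
	return hmac.Equal(tag, m.Sign(key))
}

// Status is the verdict for one object across its replicas.
type Status struct {
	Name         string
	GoodReplicas []int // replica indices whose content matches the manifest
	Recoverable  bool  // at least one intact replica exists
}

// Audit refuses to proceed on an unverifiable manifest, then checks every
// replica of every listed object. Replicas agreeing with each other proves
// nothing; only agreement with the recorded digest does.
func Audit(m Manifest, key, tag []byte, replicas map[string][][]byte) ([]Status, error) {
	if !m.Verify(key, tag) {
		return nil, errors.New("manifest signature invalid: the manifest itself was altered")
	}
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Status
	for _, n := range names {
		st := Status{Name: n}
		for i, content := range replicas[n] {
			if Digest(content) == m[n] {
				st.GoodReplicas = append(st.GoodReplicas, i)
			}
		}
		st.Recoverable = len(st.GoodReplicas) > 0
		out = append(out, st)
	}
	return out, nil
}

func main() {
	key := []byte("manifest-signing-key-held-offline") // constructed for the demo
	original := []byte("ledger,2024-02\nbalance=1000\n")
	m := Manifest{"ledger.csv": Digest(original)}
	tag := m.Sign(key)

	// Malware rewrote all three replicas identically: they agree with each
	// other, yet none matches the manifest, so the object is unrecoverable.
	tampered := []byte("ledger,2024-02\nbalance=0\n")
	statuses, err := Audit(m, key, tag, map[string][][]byte{"ledger.csv": {tampered, tampered, tampered}})
	fmt.Printf("%+v err=%v\n", statuses, err)
}
```

Combined with versioning or snapshots, the same audit tells you which historical version to roll back to: walk the versions newest to oldest and restore the first whose digest matches the signed manifest entry.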
Many clouds -- and data centers -- suffer from sloppy data management. There are surplus, old or partial datasets scattered all over the storage pool. Trash collection is a huge and difficult task, complicated by versioning of files and a lack of naming discipline that leads to many files with the same or similar names.
These are all security risks. The possibility of a critical file ending up in a low-security area can’t be ignored. The answer is first to keep a tight grip on data proliferation. Deduplication was intended to save storage space, but security may be a more important application: every extra copy it removes is one fewer copy that has to be protected.
Deduplication won’t get rid of files in the wrong places. That requires a metadata-driven approach that attaches a life expectancy, a permitted location, and copying and other controls to each piece of data. Such tools are just entering the storage market.
Protecting APIs and images
When the OS, toolset or application code images on cloud nodes get out of sync, we get boundary errors that mangle data: files are left behind, edits hit the wrong data, or, in the worst case, code and data formats are incompatible and the data is corrupted.
This happens through careless upgrades, where some nodes are left running older code revisions during operations. Malware can exploit the lack of sync, too: a node still on the unpatched revision is the one still exposed to whatever the upgrade fixed. The solution is to use available software for automated updating of code images across all nodes, with auditing that confirms every node actually received the update and is running it.
If you want secure operations, NEVER trust people! A notable portion of major data losses have an insider involved, but that’s not the only people issue. The most common password in the world is “123456” and attackers will try it first. Assume passwords are always compromised and use multi-factor authentication; it's a bit slower, but much safer.
The other part of the people issue is admin error. There is a risk of finger trouble, especially with CLI-based tools, where a simple transposition by a tired admin might delete all your records. Anticipate this: limit who can perform destructive tasks, and limit access so that admins cannot reach systems they don’t know well.
Much of the data stored today is tied to mobile devices. Some of it can be locked down with two-factor authentication, but a mobile user accessing data from unauthorized places and walking off with files remains a crucial risk. It can be accidental; who hasn’t taken work home? But that data is then not only outside controlled storage, it's somewhere its security is potentially compromised.
Control shadow IT
Shadow IT accounts for a significant portion of total IT spend today. It is outside of IT's control and insecure, yet most organizations have data flowing back and forth between shadow set ups, usually in the cloud, and corporate-controlled space.
This is a major hole in the security wall. The best fix is to provide a more attractive service and kill off the desire for shadow IT. This means being proactive and providing a flexible, agile, cost-driven cloud service, whether that's private, public or hybrid, to your users.
SaaS is a related problem. Most SaaS vendors are in public clouds and getting them to comply with your governance can be a challenge. This is a major security issue, since they “own” part of your data and also provide a broad gateway to more stored information. Adding encryption and tightly controlling access to your data are just two big steps towards solving this problem.