If you think your data is safe on the public cloud, think again
May 15, 2020

With its promise of increased efficiency, scalability and agility, more and more organisations are adopting public cloud services.

Yet many security professionals are voicing their concerns loudly and clearly, citing issues such as data loss, data privacy, compliance, accidental exposure of credentials, and data sovereignty.

In fact, according to a recent survey (conducted by Synopsys among members of the 400,000-strong Cybersecurity Insiders information security community) a staggering 93% of cyber security professionals stated that they are “moderately to highly concerned” about public cloud security.

While this figure is striking, it should come as no surprise when you consider that nearly 30% of cyber security professionals admitted to having experienced a public cloud-related incident in the last year.

With this in mind, in order to ensure your organisation’s all-important data is as safe as possible, below is a list of some of the key considerations you should pay special attention to before rushing into adopting public cloud services.

Ultimately, the security of your data is your responsibility.

First and foremost, you must recognise that public cloud security is a shared responsibility model. The Cloud Service Provider (CSP) is responsible for the security “of” the cloud: the physical facilities, hardware, hypervisor and the internals of its managed services. You remain responsible for security “in” the cloud, meaning your data, identities and access policies, operating systems, network configuration and encryption, as well as everything in transit to and from it.

It’s true that CSPs such as Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) offer increasingly robust security controls for their evolving platforms, and publish independent attestations against recognised standards, including entries in the Cloud Security Alliance (CSA) STAR registry against its Cloud Controls Matrix.

But while inheriting those attestations reduces the work of proving compliance for the layers the provider operates, it does not transfer accountability. As the data controller, any fallout and fines that result from data loss or compromise will fall squarely on your shoulders, even where the root cause lies with your CSP.

Data Sovereignty and Compliance.

As increasing numbers of organisations conduct business globally, there is a growing requirement to adhere to strict regulatory and compliance regimes that restrict where your data can be held or transferred, such as the European Union’s General Data Protection Regulation (GDPR).

Yet many CSPs store, back up and replicate data across multiple data centres, and the physical location of a backup or replica could well breach a regulatory or legal requirement. A CSP must therefore be able to demonstrate that it operates data centres (regions) that satisfy your data sovereignty obligations, and that it allows you to geo-fence your workloads, together with their backups and replicas, to those regions.

It can be difficult, if not impossible, to verify independently that your data exists only in permitted locations. You therefore need your CSP to be transparent about where its data centres are and, equally importantly, to adhere strictly to the data-residency commitments in your contract and Service Level Agreements (SLAs).

Furthermore, you need to be able to enforce those requirements yourself: preventively, through provider policies that deny the creation of resources outside approved regions, and detectively, through continuous monitoring and alerting against the relevant policy templates, so that the evidence is ready in the event of an audit.
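As an added example (not code from the original article), the Python below sketches both halves of that enforcement: a deny policy in the shape AWS Organizations uses for region restriction (the documented aws:RequestedRegion condition, with the global services that have no region of their own exempted), a simplified evaluator that shows what such a policy would block, and an inventory scan that flags resources, and their replicas, outside the allowed regions. The region list, the exempted services and the inventory are assumptions for illustration; in a real deployment the policy is attached to the organisation and the scan is fed from the provider's inventory API.

```python
"""Region guardrail: evaluate an AWS-style deny policy and scan an inventory.

Added example, not code from the original article.  The policy statement
follows the documented AWS Organizations SCP pattern for denying requests
outside approved regions (condition key aws:RequestedRegion).  The evaluator
is a simplified stand-in for the real policy engine, and the inventory is
constructed sample data, not a live account.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

ALLOWED_REGIONS = ("eu-west-1", "eu-west-2")   # assumption: EU-only estate

# SCP-style statement: deny every action outside the allowed regions, except
# the global services that have no region (they would otherwise be blocked too).
# Assumption: this exemption list matches what your estate actually needs.
REGION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                      "cloudfront:*", "route53:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(ALLOWED_REGIONS)}},
    }],
}


def denied_by_policy(action: str, region: str, policy: dict = REGION_SCP) -> bool:
    """Return True if a request for `action` in `region` matches a Deny statement.

    Simplified evaluator: it understands Effect=Deny, Action/NotAction globs and
    the StringNotEquals condition on aws:RequestedRegion, which is all this
    guardrail uses.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt:
            # Statement applies to every action *except* the listed patterns.
            if any(fnmatchcase(action, pat) for pat in stmt["NotAction"]):
                continue
        elif not any(fnmatchcase(action, pat) for pat in stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        permitted = cond.get("aws:RequestedRegion")
        if permitted is None or region not in permitted:
            return True
    return False


@dataclass(frozen=True)
class Resource:
    arn: str
    region: str
    replica_regions: tuple = ()   # e.g. S3 replication or read-replica targets


def out_of_region(inventory, allowed=ALLOWED_REGIONS):
    """Monitoring side: list resources (or their replicas) outside the fence.

    Replicas matter because a bucket or database that is itself in an allowed
    region can still copy data elsewhere.
    """
    findings = []
    for r in inventory:
        if r.region not in allowed:
            findings.append((r.arn, r.region))
        for rr in r.replica_regions:
            if rr not in allowed:
                findings.append((r.arn, f"replica:{rr}"))
    return findings


# Constructed sample inventory (not real resources).
SAMPLE_INVENTORY = [
    Resource("arn:aws:s3:::payments-eu", "eu-west-1"),
    Resource("arn:aws:s3:::payments-eu-backup", "eu-west-2", ("us-east-1",)),
    Resource("arn:aws:ec2:ap-southeast-1:111122223333:instance/i-0abc", "ap-southeast-1"),
]

if __name__ == "__main__":
    print(denied_by_policy("ec2:RunInstances", "us-east-1"))   # True
    print(denied_by_policy("s3:PutObject", "eu-west-1"))        # False
    print(denied_by_policy("iam:CreateUser", "us-east-1"))      # False: global service exempt
    for finding in out_of_region(SAMPLE_INVENTORY):
        print("OUT OF REGION:", *finding)
```

The second finding is the one that a naive per-resource check misses: the backup bucket sits in an approved region, but its replication target does not.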

Make no mistake, public cloud vulnerabilities are growing by the day.

The steadily increasing popularity of the public cloud has been mirrored by increasing numbers of cloud security incidents.

The consequences of such an incident can be catastrophic. One well documented example was the 2019 theft of over 100 million customer records from Capital One by a former Amazon Web Services (AWS) employee. The attacker did not exploit a flaw in AWS itself: a misconfigured web application firewall running on an EC2 instance allowed a server-side request forgery (SSRF) request to reach the instance metadata service, which returned temporary credentials for the instance’s IAM role, and that role had enough access to list and copy the S3 buckets holding the data. AWS has since introduced IMDSv2, which requires a session token obtained with a PUT request and so blunts this class of SSRF, but it has to be enabled per instance.

This puts into sharp focus the importance of paying close attention to security in the context of the public cloud, but it also shows that, even with the best defences in the world, no system is completely secure, especially once you factor in the human element: the chain above came down to a misconfiguration and an over-privileged role, both on the customer’s side of the shared responsibility line.
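As an added example, not code from the original article or from Capital One or AWS, the following Python shows the two controls that would have broken that chain: a check that refuses to fetch URLs pointing at the metadata service or any other internal address (the SSRF guard for an application that fetches URLs on a user's behalf), and an audit that lists instances on which IMDSv2 is not yet required. The resolver is injectable so the check runs offline; the instance records are constructed in the shape of EC2 DescribeInstances output, and the hostnames and instance IDs are assumptions.

```python
"""SSRF guard for a URL-fetching feature, plus an IMDSv2 audit.

Added example, not code from the original article or from Capital One/AWS.
It assumes a web app that fetches URLs on behalf of users (the classic SSRF
surface).  `resolve` is injectable so the check runs offline; the sample
instance records mimic the shape of EC2 DescribeInstances output but are
constructed for this example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames that reach cloud metadata endpoints without an IP literal (assumed list).
METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}


def _default_resolve(host: str):
    """Resolve every A/AAAA record for host (real DNS; replaced in tests)."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_safe_target(url: str, resolve=_default_resolve) -> bool:
    """Allow only http(s) URLs whose *every* resolved address is public.

    Rejects the link-local metadata range (169.254.0.0/16, incl. 169.254.169.254),
    loopback, RFC 1918 and IPv6 private ranges, and known metadata hostnames.
    Checking every record, not just the first, defeats the 'one public, one
    internal' DNS trick; the caller must still connect to the vetted IP rather
    than re-resolving, or DNS rebinding gets around the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                       # file://, gopher://, dict:// etc.
    host = parts.hostname.lower().rstrip(".")
    if host in METADATA_HOSTS:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]   # IP literal, no DNS needed
    except ValueError:
        # Anything else goes through the resolver; odd encodings such as a
        # decimal "2130706433" come back from getaddrinfo as the real address
        # and are judged on that.
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False
    if not addrs:
        return False
    for a in addrs:
        # Unwrap IPv4-mapped IPv6 such as ::ffff:169.254.169.254
        if isinstance(a, ipaddress.IPv6Address) and a.ipv4_mapped:
            a = a.ipv4_mapped
        if (a.is_private or a.is_loopback or a.is_link_local or
                a.is_multicast or a.is_reserved or a.is_unspecified):
            return False
    return True


def instances_allowing_imdsv1(instances) -> list:
    """Audit: instance IDs on which IMDSv2 is not required.

    With HttpTokens == "optional" (the long-standing default), any SSRF that can
    GET http://169.254.169.254/ can read the role credentials; with "required",
    a PUT for a hop-limited token must succeed first, which a plain GET-based
    SSRF cannot do.  A record with no MetadataOptions is treated as a finding.
    """
    return [i["InstanceId"] for i in instances
            if i.get("MetadataOptions", {}).get("HttpTokens") != "required"]


# Constructed sample records in the shape of ec2 describe-instances output.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0ccc"},
]

if __name__ == "__main__":
    print(is_safe_target("http://169.254.169.254/latest/meta-data/iam/security-credentials/"))  # False
    print(is_safe_target("http://example.com/", resolve=lambda h: ["93.184.216.34"]))          # True
    print(instances_allowing_imdsv1(SAMPLE_INSTANCES))                                         # ['i-0bbb', 'i-0ccc']
```

Neither control depends on the other: the guard stops the application from being turned into a proxy, and requiring IMDSv2 means that even a successful SSRF elsewhere in the fleet yields no credentials.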

Reduce risk through the use of encryption and role-based access control.

In the annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, extensive use of encryption was highlighted as one of the factors most strongly associated with a lower breach cost. Encryption does not stop a breach, but data stolen in encrypted form, with its keys still protected, is of little use to the thief and is treated far more leniently by regulators.

Any CSP worth its salt should be able to offer key management backed by a FIPS 140-2 validated hardware security module (HSM). Be precise about what that gives you: with the provider’s standard key management service the CSP operates the HSMs and you control use of the keys through policy, whereas only a single-tenant cloud HSM, or a key you generate and hold in your own HSM (bring your own key), ensures that no one else, including CSP administrators, can extract the key material at any time or at any point.

Now add role-based access control, granting each identity only the rights it needs (least privilege), and you greatly reduce the risk of breaches and data leakage and improve compliance through careful management of who has access to sensitive information.

The downside to encryption is that it only helps if it is actually switched on everywhere and the keys are managed properly. Relying on individual users to remember to enable it is fragile, so default-on encryption enforced by policy (for example, denying the creation of unencrypted storage) is the better pattern, but key management, rotation and the separation of duties around it add considerably to the overall cost, and as a result erode many of the savings normally associated with migrating to the cloud.

Pay special attention to the entire lifecycle of your data.

In order to manage the flow of data throughout its lifecycle, you should first classify your data into four main groups: public, internal, sensitive and restricted. Defining these data types will help you to set guidelines on each class’s criticality and value to your organisation, and to determine whether it belongs in the public cloud, a private cloud or an on-premise environment.

With public cloud adoption in mind, special attention should be paid to the destruction of data at the end of its lifecycle, especially where regulations or compliance obligations mandate it.

With an on-premise IT environment there are several options open to an organisation: physical destruction of media and hardware, degaussing, overwriting, and crypto-shredding. In the public cloud most of these options are simply not available to you: the CSP owns the hardware, so physical destruction and degaussing are out of your hands, and overwriting cannot be verified against the underlying media, where deleted blocks, snapshots, backups and replicas may persist.

That leaves crypto-shredding, encrypting the data and then destroying the key, as the only disposal method you can carry out and verify yourself in the public cloud. As mentioned previously, this requires that the data be encrypted in the first instance, with the burdens of human error and cost that brings, and it only works if each data set (or tenant) has its own key-encryption key and that key does not survive in backups or exports of the key store.
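The following Python is an added example covering both the key-control point above and crypto-shredding; it is not code from the original article or from any provider SDK. It implements envelope encryption: each object gets its own data-encryption key (DEK), which is stored only in wrapped form under a key-encryption key (KEK) that never leaves a KeyStore standing in for an HSM or KMS, so destroying one KEK renders every object under it unreadable while other tenants are untouched. The AEAD is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so that it runs on the standard library alone; it is a stand-in for AES-GCM, which is what production code should use. Tenant names and record contents are assumptions.

```python
"""Envelope encryption with a destroyable key-encryption key (crypto-shredding).

Added example, not code from the original article or any CSP SDK.  `KeyStore`
stands in for an HSM-backed key service (a customer-controlled HSM or a KMS
customer-managed key).  The AEAD below is an HMAC-SHA256 counter-mode keystream
with an encrypt-then-MAC tag so the example needs only the standard library;
it is a stand-in for AES-GCM, which is what you would use in production.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _prf(key: bytes, label: bytes) -> bytes:
    """Derive a sub-key so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """n bytes of keystream from HMAC-SHA256(key, nonce || counter)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC over aad, nonce, ct)."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Stand-in for an HSM/KMS: KEKs never leave it; callers only wrap and unwrap."""

    def __init__(self):
        self._keks = {}

    def create_kek(self, kek_id: str) -> None:
        self._keks[kek_id] = secrets.token_bytes(32)

    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        # The KEK id is bound as associated data so a wrapped DEK cannot be
        # replayed under a different key id.
        return aead_encrypt(self._keks[kek_id], dek, aad=kek_id.encode())

    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id} has been destroyed")
        return aead_decrypt(self._keks[kek_id], wrapped, aad=kek_id.encode())

    def destroy(self, kek_id: str) -> None:
        """Crypto-shred: with the KEK gone, every DEK wrapped under it, and so
        every object encrypted with those DEKs, is unrecoverable."""
        self._keks.pop(kek_id, None)


def encrypt_object(ks: KeyStore, kek_id: str, plaintext: bytes) -> dict:
    """Envelope: a fresh DEK per object, stored only in wrapped form."""
    dek = secrets.token_bytes(32)
    return {"kek_id": kek_id, "wrapped_dek": ks.wrap(kek_id, dek),
            "ciphertext": aead_encrypt(dek, plaintext)}


def decrypt_object(ks: KeyStore, env: dict) -> bytes:
    dek = ks.unwrap(env["kek_id"], env["wrapped_dek"])
    return aead_decrypt(dek, env["ciphertext"])


def shred_and_verify(ks: KeyStore, kek_id: str, envelopes) -> bool:
    """Destroy the KEK, then confirm none of the envelopes can be opened."""
    ks.destroy(kek_id)
    for env in envelopes:
        try:
            decrypt_object(ks, env)
            return False      # still decryptable: the key survived somewhere
        except KeyError:
            continue
    return True
```

The shred is only as strong as the key's isolation: use one KEK per tenant or data set so that shredding one does not take the rest with it, and make sure the key store's own backups, snapshots and exports do not keep a copy of the destroyed key, otherwise shred_and_verify would pass today and the data would be recoverable from the backup tomorrow.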

Choose your CSP wisely.

If you do decide to make the leap and migrate your data to the cloud, first and foremost choose a CSP that offers the very highest levels of protection and expertise. In addition, pay special attention to reducing risk; covering areas such as encryption, access control, monitoring, visibility, data sovereignty and all associated compliance and regulatory requirements.

Furthermore, if you run a hybrid estate, the cloud platform needs to be closely integrated with your on-premise virtualised environment. This way you can run workloads in the cloud that deliver maximum availability at the virtual machine level, while also taking advantage of configurations such as stretched clusters to reduce risk and increase the availability of critical applications.

Summary: migrating to the public cloud could cost you a fortune and leave you vulnerable.

Caveat emptor!

As workloads continue to move to the cloud, organisations of all sizes and sectors are recognising the complications of protecting their data.

The reality is that there is no one-size-fits-all solution. When considering migration or integration into the public cloud, first and foremost you have to consider how it will affect the IT systems and infrastructure within your particular organisation.

Regulatory compliance, the sensitivity of the data you are holding, geographical location, these are all factors that will determine whether or not the public cloud is a suitable solution. Even within an organisation itself, there may well be data that can be migrated to the cloud, while data that requires added security and control would be better placed in a private cloud or on-premise data centre.

But even with the providers’ highly specialised teams working tirelessly to offer a wide variety of options for securing and accessing the public cloud, the security of the end result still depends on how the organisation itself customises, configures and operates it.

At the end of the day, the single most quoted reason why many organisations have considered migrating to the cloud is the promise of lower costs.

But when you consider all of the above, the security, the regulatory compliance issues, the data lifecycle and the cost of securing your data, then it doesn’t seem quite so profitable after all.

To discuss your IT requirements and the different options available to you, contact Peter Grayson on 0161 537 4980 or email peter.grayson@quadris.co.uk
