The iCloud naked photos leak, the AWS casualty Code Spaces, and the NSA PRISM Surveillance Programme… all have caused a crisis of confidence in the cloud. These highly publicised incidents have caused us to question the security of the model as a whole. But are these fears justified?
Recent research published by the Cloud Industry Forum (CIF) claims that there is a discrepancy between the perceived threat to data security versus the actual risk. CIF surveyed 250 senior IT and business decision makers in the UK with 61 percent reporting concerns over data security. However, only a tiny fraction of those polled - two percent - had actually experienced a Cloud service-related security breach.
What does this tell us? Firstly, that we are now operating in a more open environment, where disclosure is becoming the norm. Consequently, we are now better informed of when a breach takes place: knowledge that should help us counter security threats and enable Cloud Service Providers (CSPs) to improve their offerings.
But the CIF survey also reveals that our fear of a security breach is out of step with reality. And that fear could well stymie the very growth that fuels business innovation and the development of security best practice.
The CIF Survey concludes that confusion over the "legal, regulatory and security environment" is rife. Yet these hurdles are not insurmountable. By being highly selective, negotiating terms, and setting out clear service level agreements (SLAs), the client can venture into the cloud with confidence.
Regulation is perhaps the easiest issue to address, as CSPs often specialise in a particular industry and are familiar with regulatory nuances from HIPAA in the US to PCI DSS. Ask the CSP if it has any big name clients running mission critical applications in the Cloud and for demonstrable evidence on how regulatory needs are met.
When it comes to legal protection, significant strides have been made over where data can be stored. Changes to data protection laws mean that data cannot be passed or stored outside of the European Economic Area (EEA) except where adequate protection has been put in place or to a pre-approved country. This should help prevent access against the wishes of the client (data housed on US soil can automatically be accessed by the US government, for example).
If, despite best efforts, the organisation is unfortunate enough to suffer a breach, it is possible to seek legal redress provided the CSP adheres to BS 10008:2008. This includes a clause on ‘Evidential weight and legal admissibility of electronic information specification' which makes provisions for the evidence needed to file a legal dispute.
By far the biggest hurdle for many is security, with data in the cloud perceived as being at more risk than when housed on the premises. Consequently, many organisations opt for a hybrid cloud model, a mix of in-house and virtual private cloud. But for many SMEs, the cloud presents a more secure environment as it affords access to the kind of security protection few can deploy in-house.
For the big guns, advances have again been made that should go some way to providing reassurance. Data encryption is now coming of age, with Google, Amazon and Microsoft all recently adding server-side encryption for data at rest capability to their existing cloud services. But effective encryption requires careful key management. If keys are inherently weak, transmitted insecurely or not rotated properly, encryption becomes meaningless.
When it comes to assessing cloud encryption key management providers, look at their credentials. If they are using a product, what is it, how is it built and to what standards? Some standards such as NIST FIPS 140-2 also include key management mechanism considerations and may provide a suitable level of assurance for the majority of cases. The SLA should give details of the encryption being used.
Cloud is still a nascent technology but if organisations have the courage to demand better security, CSPs will provide it. Many are now adopting ISO 27001, ISAE3402/SSAE16 and CSA STAR. CSA STAR, a new international cloud security certification programme developed jointly by the CSA (The Cloud Security Alliance) and BSI (British Standards Institution) launched last year, is evidence of how swiftly the sector is reacting to market demand for regulated offerings.
Contributed by Jamal Elmellas, Technical Director, Auriga