In the late ‘90s when consumer Internet was relatively new, there was a controversy swirling around online commerce: is it safe to use your credit card online? Fast forward to today. Online commerce is ubiquitous, and one of the largest credit card breaches recently occurred in Target’s brick and mortar stores. Now with enterprise cloud computing, there’s another controversy swirling: is it safe to store your data in the cloud? As a provider of EMC cloud services—including Mozy and Spanning—and in working to tier our on-premises storage products to an EMC object service, I’m often asked this question. The answer depends upon the level of security deployed by the cloud service. Just as online commerce sites vary in their level of sophistication, so do cloud services when it comes to security features, operations, and compliance.
By federating identity and authentication with employees’ corporate authentication service, IT can make access to these services more convenient and more secure. Revoking a former employee’s corporate credentials also revokes access to the associated cloud service. Data should be encrypted in transit and at rest, and customers should have an option to either use encryption keys provided by the cloud service or apply their own corporate encryption keys. To validate that the data arriving in the cloud is exactly the same as from the point of origin, the service should apply a payload integrity validation check, which safeguards against either accidental or intended corruption in transit. And a solid role-based access schema will ensure authorized users can only perform the duties for which they are intended, reserving privileged/administrative rights to the few, while allowing capabilities such as simple reads and writes to the many. Finally, to respect data sovereignty laws, the service should provide geographical data residency options.
Now that the right data has landed in the right place, let’s review the data center operations to make sure it stays that way! Physical access must be strictly controlled on building and cage entrances by professional security staff utilizing video surveillance, alarm systems, and other electronic means, while legitimate access is granted through two-factor authorizations (for example, passcode and fingerprint) and strictly enforced visitor policies. But even more important is cyber hardening of the perimeter, hosts, and applications. Even one security hole in the perimeter could be exploited to gain access through the intended boundary, allowing access to the high-value servers and data within the product environment. In this sense, an ounce of prevention goes further than a pound of cure. Steps like ongoing vulnerability monitoring (especially critical zero-day vulnerabilities) and solid patching practices are essential. Add to that a practice of gold image creation and maintenance that contains all necessary configurations to ensure the hosts are configured securely; for instance, all unnecessary services are turned off at install. Access management is also crucial, and increased security measures for legitimate administrators, such as two-factor authentication with one-time passwords like with RSA’s Secure ID capabilities, go a long way in preventing brute force password hacks.
The next step in prevention is early detection. While the expectation of a perfectly hardened environment is a noble one, in reality, active monitoring provides an ideal air cushion in the event a flaw is exploited somewhere along the way. Tools such as RSA Security Analytics provide alerts from both unexpected log activity and indicators of compromise within the active network traffic flow, while ensuring log and network capture data is maintained in an unalterable state for future investigations and forensic needs. And in case the worst happens, the service needs a trained incident response and containment team available 24/7.
How does one know that a service is taking these measures? That’s where it can be helpful to have a thorough attestation of the level of security provided. There are self-certification attestations, such as assuming responsibility as a Business Associate under HIPAA, and there are independently certified attestations, such as SOC I or 2 Type 2, ISO 27001:2013, just to name a few. In addition, some services employ security professionals to help address customer-specific inquiries and reviews.
When it comes to security there are no absolutes, but with the right security features, operations and compliance in place, a cloud service can provide the same or better protection than on-premises data protection options. After all, corporate IT environments are also susceptible to attacks, and most of them are not held to the same standards or external reviews described here.