Protecting Critical Data in Cloud-based Services

By Sudhindra Kumar, Principal Software Engineer at NextLabs, Inc.

Cloud has revolutionized the way information is stored and shared. Cloud can increase business efficiency by enhancing collaboration, increasing accessibility, and improving work flexibility. These are driving more and more businesses toward cloud-based services. A recent survey conducted by Dell shows nearly every IT decision-maker said their company either uses or plans to use cloud services. Of those using cloud, 72% of organizations experienced 6% business growth in the past three years. Cloud leads to greater business value and opens new opportunities to the enterprise.

With more enterprises migrating to cloud-based services, data security in the cloud has become a prime concern for companies. Storing data in the cloud often compromises a company’s authorization control. Most companies face multiple barriers to cloud adoption. Some of the top challenges to cloud security include data loss, privacy risks, general security risks, risks of intellectual property theft, and transparency of operational controls.

As more and more sensitive data moves to the cloud, data breaches and compliance violations have become serious business. PwC’s Global State of Information Security Survey 2015 points the finger at current and former employees, who are the most-cited culprits. Whether accidental or intentional, the survey claims that insider crimes are more costly and damaging than incidents perpetrated by outsiders.

The traditional security solution is not suited for information-centric problems. Companies were using permissions, Access Control Lists (ACLs) and roles to manage data security. These solutions were applied to containers, applications and services, but when data left the container, it was no longer protected. Traditional solutions cannot address internal data security.

Today’s data is a lot more dynamic and moves from application to application, from servers to desktops to tablets and smartphones that the company does not even own. In the new extended enterprise, companies must leverage new methods to protect data. Leading analysts such as Gartner and KuppingerCole, and standards bodies such as NIST, have recommended the use of Attribute-based Access Control (ABAC).

Information Control Policies are the digital renditions of an organization’s compliance, legal, and security policies. These attribute-based policies enable dynamic evaluation, taking into account the identity of the user, the value of the content and the environment (e.g., network location, channel/application, time, etc.). They provide fine-grained, data-level control that can scale across large organizations. Once these policies are defined, it is critical to record the information activity across the data lifecycle and across applications. Constant monitoring to ensure compliance and timely refining of policies to meet changing business needs are vital to maintain the effectiveness of the policies.
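The sketch below illustrates the attribute-based evaluation and activity recording described above. It is an added example, not code from the article or from any NextLabs product; the rule ids, attribute names (`department`, `classification`, `network`, `channel`) and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

# Attribute names, rule ids and sample values are constructed for illustration.
@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str  # "permit" or "deny"
    applies: Callable[[dict, dict, dict], bool]  # (user, content, env) -> bool

RULES = [
    # Restricted content is never released outside the corporate network.
    Rule("deny-restricted-offnet", "deny",
         lambda u, c, e: c["classification"] == "restricted"
         and e["network"] != "corporate"),
    # Engineering staff may open engineering content during business hours.
    Rule("permit-eng-business-hours", "permit",
         lambda u, c, e: u["department"] == "engineering"
         and c["owner_dept"] == "engineering"
         and time(8) <= e["time"] <= time(18)),
]

AUDIT_LOG = []  # one record per decision, permit or deny, for later monitoring

def evaluate(user: dict, content: dict, env: dict) -> dict:
    """Deny-overrides evaluation: default deny, fail closed on missing attributes."""
    decision, matched = "deny", "default-deny"
    for rule in RULES:
        try:
            hit = rule.applies(user, content, env)
        except KeyError as missing:
            decision, matched = "deny", f"missing-attribute:{missing.args[0]}"
            break
        if hit:
            decision, matched = rule.effect, rule.rule_id
            if rule.effect == "deny":
                break  # a matching deny cannot be overridden by a later permit
    record = {"user": user.get("id"), "content": content.get("id"),
              "channel": env.get("channel"), "decision": decision, "rule": matched}
    AUDIT_LOG.append(record)
    return record

if __name__ == "__main__":
    alice = {"id": "alice", "department": "engineering"}
    spec = {"id": "spec-7", "classification": "restricted", "owner_dept": "engineering"}
    office = {"network": "corporate", "channel": "web", "time": time(10, 30)}
    print(evaluate(alice, spec, office))                        # permit
    print(evaluate(alice, spec, {**office, "network": "home"})) # deny
```

The same user and document yield different decisions as the environment changes, and every decision lands in the audit log with the rule that produced it, which is what makes later policy refinement possible.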

Another critical component of a good data protection strategy is ‘Encryption’. It is important to encrypt data in motion as well as at rest. Choosing a strong encryption algorithm and defining a good key management policy are critical for the successful usage of encryption. The generation, storage, distribution, recovery and destruction of encryption keys must be well defined in the security policy.

Last but not least, you should also consider Rights Management. With Rights Management, you can control access to your cloud data and also how the cloud-stored data can be used. It works particularly well for unstructured data, such as documents and files stored in the cloud – think Google Drive, Dropbox or SkyDrive.

SaaS (Software as a Service) brings in new complexities to data protection. Automating the protection of data on SaaS is harder since you typically have much less control over how data is managed on these services. Major SaaS providers do provide options to encrypt sensitive information. If you trust the provider, you can settle for the encryption they provide. Otherwise, you can encrypt the data yourself before sending it to the SaaS application.

There is no silver bullet for data protection in the cloud. A combination of Strong Information Control Policies, Encryption and Rights Management can help negate the risks of migrating critical data to the cloud.
