Is data safer in the cloud?
With MI5 and GCHQ recently urging the FTSE 350 to redouble its cyber-security efforts in light of “unprecedented” levels of attack on UK PLC, and with a growing number of these enterprises among others outsourcing their infrastructure to the cloud, it’s worth asking: does the shift to the cloud actually keep corporate data safer – or undermine cyber-security measures?
Security is indisputably a leading concern, if not the top concern, among most enterprises looking to host core, mission-critical systems or business solutions in the cloud, and it sometimes puts businesses off the whole endeavour from the outset. But recent surveys also suggest that businesses that have migrated some systems to the cloud view security as one of the chief benefits of doing so. Is security in the cloud, then, simply a matter of perception?
“I don’t think security is better or worse in the cloud than it is with networked on-premise equipment,” said Alan Calder, chief executive officer of IT Governance, a firm providing risk-management, compliance and cyber-security educational expertise.
“Ultimately there is never a penetration test where we don’t find a vulnerability, but that’s the nature of providing services in today’s environment,” Calder says, adding that there’s really no evidence to suggest cloud providers are “hotter at security” than traditional solutions enterprises may be using.
Whether they use cloud services or not, most enterprises have implemented some level of protection against threats ranging from attacks on specific systems to phishing emails, and there is a wealth of security vendors, too many to list, offering products intended to stop information-stealing trojans and other malware from compromising their systems.
But it does not necessarily follow that systems are becoming less secure; rather, the frequency of attacks appears to be increasing. According to KPMG’s Data Loss Barometer, hacking of information held by businesses rose from eight per cent of recorded data breach incidents globally in 2010 to 52 per cent in 2012.
“The interesting thing about cyber-security as an issue is it’s suddenly become fashionable in the last 12 months to the point where boardrooms are starting to worry about it, but it’s essentially the same set of issues that we’ve had around for ten years,” Calder says.
Calder may be right, but even with the various encryption technologies now on the market, some believe today’s solutions, particularly those that operate purely at the software level, simply aren’t enough to keep intruders out.
And with the cloud, the fact that the bare-metal machines themselves are outsourced only adds fuel to the fire.
Technologies can help
“You are essentially trusting the service providers with everything. You might be taking steps on the software side, different mitigations within your control, or you could bring things back on premise but I think the economics will be too compelling for that to happen,” said Steve Weis, chief technical officer and co-founder of PrivateCore.
Weis, formerly a member of Google’s applied security group and responsible for the company’s two-step verification, helped pioneer an approach to data security that uses capabilities built into today’s CPUs, namely large caches and hardware cryptographic features, to keep data encrypted in memory while it is being processed, rather than only at rest or in transit.
“I can write a gateway that could encrypt each individual field input into Salesforce.com, for example, and use that application for fine-grained storage, and this works fine for some applications. But the problem there is that you need to rewrite how you use applications and you’ll lose some of the functionality in the process,” Weis says. “There are also several different gateway encryption approaches where essentially you keep some server on premise and encrypt data before it ever hits the cloud, a fine-grained data-at-rest strategy, and that can be a viable solution for some – but not all.”
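The gateway approach Weis describes, and the functionality it costs, can be made concrete. The following Go program is an added example written for this article; it is not PrivateCore’s product and not code from the original piece. The Record type, the hypothetical SaaS lookup function and the demo keys are constructed for illustration. The gateway keeps the AES and HMAC keys on premise, encrypts the sensitive field with AES-GCM (binding the record ID as associated data so a ciphertext cannot be moved between records) and adds a deterministic keyed token so the cloud side can still answer an exact-match query without ever seeing the plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is a constructed stand-in for a row sent to a hypothetical SaaS app.
type Record struct {
	ID         string
	Email      string // plaintext on premise, AES-GCM ciphertext in the cloud
	EmailToken string // keyed hash so the cloud can still do exact-match lookup
}

// Gateway runs on premise and holds the keys; the cloud never sees them.
type Gateway struct {
	aead     cipher.AEAD
	tokenKey []byte
}

// NewGateway takes an AES key (16, 24 or 32 bytes) and a separate HMAC key.
func NewGateway(dataKey, tokenKey []byte) (*Gateway, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-128-bit block ciphers
	return &Gateway{aead: aead, tokenKey: tokenKey}, nil
}

// seal encrypts one field under a fresh nonce; the record ID is bound as
// associated data so a ciphertext moved onto another record will not decrypt.
func (g *Gateway) seal(recordID, plain string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := g.aead.Seal(nonce, nonce, []byte(plain), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; tampering or an ID mismatch fails the GCM tag check.
func (g *Gateway) open(recordID, enc string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(enc)
	n := g.aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", fmt.Errorf("malformed ciphertext: %v", err)
	}
	plain, err := g.aead.Open(nil, ct[:n], ct[n:], []byte(recordID))
	return string(plain), err
}

// Token is a keyed hash of the normalised value, so equal emails give equal tokens.
func (g *Gateway) Token(plain string) string {
	mac := hmac.New(sha256.New, g.tokenKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(plain))))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// Outbound transforms a record before it leaves the enterprise network.
func (g *Gateway) Outbound(r Record) (Record, error) {
	enc, err := g.seal(r.ID, r.Email)
	if err != nil {
		return Record{}, err
	}
	r.EmailToken, r.Email = g.Token(r.Email), enc
	return r, nil
}

// Inbound restores a record read back from the cloud.
func (g *Gateway) Inbound(r Record) (Record, error) {
	plain, err := g.open(r.ID, r.Email)
	if err != nil {
		return Record{}, err
	}
	r.Email, r.EmailToken = plain, ""
	return r, nil
}

// CloudFindByToken models the SaaS side: exact match on the token column still works.
func CloudFindByToken(stored []Record, token string) (Record, bool) {
	for _, r := range stored {
		if r.EmailToken == token {
			return r, true
		}
	}
	return Record{}, false
}

func main() {
	g, _ := NewGateway([]byte("0123456789abcdef0123456789abcdef"), []byte("demo-token-key")) // constructed demo keys
	out, _ := g.Outbound(Record{ID: "c-1", Email: "Alice@example.com"})
	fmt.Printf("cloud sees: %+v\n", out)
}
```

What the cloud loses is visible in the stored record: substring search, sorting, validation and any server-side processing of the Email column no longer work, because the provider only holds ciphertext. The token restores exact-match lookup but also tells the provider which records share a value, and it only survives because the HMAC key, like the data key, never leaves the enterprise. The pattern covers data at rest and in transit to the provider; it does nothing for data the cloud itself has to decrypt and operate on.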
PrivateCore’s technology is aimed at companies looking to secure their data throughout its entire lifecycle, and is particularly relevant to those with an interest in keeping their data safe from both digital and physical breaches (for those put off the cloud by the recent PRISM revelations, this next bit may be particularly relevant). You might, say, have a large encrypted volume on Amazon S3; to process it you need to pull in all that data, decrypt it, operate on it and write the result out somewhere, and if you do that processing in the cloud then both the keys and the plaintext are exposed there. “The approach we’re taking is to actually protect that data while it’s in use,” Weis says, adding that with the virtual machine secured it is also nearly impossible for an attacker to jump from system to system.
“Enterprises need to realize that if they process data or encrypt data on outsourced infrastructure, the data and the key may be vulnerable to physical types of compromise too. So they either need to encrypt end to end or accept the risk,” Weis says.
“The flip side of this PRISM story is that at the core there is always a trusted insider. So if you’ve got your own enterprise, your own datacentre, you’ve got a lot of people working there, a lot of human dependencies. So I could be doing all the right things with cages, cameras, physical and software based systems, but the weakest link will always be people,” he says.
It starts and ends with people
The perception that people are often the biggest cyber-security threat seems to be permeating boardrooms as well. A recent survey of nearly 300 board executives conducted by IT Governance found that 53 per cent of respondents believe their own employees pose the biggest threat to corporate data and computer systems.
Calder says the overwhelming majority of security breaches resulting in data loss are caused by an employee accidentally sharing something or deleting something they should not have, rather than by external hacking, and that breaches involving physical interception are rarer still.
But he also believes that, while end-to-end encryption and software-based security measures matter just as much for cloud-based infrastructure as they did for the IT solutions of ten years ago, enterprises today need to address the fact that personal use of cloud services is shaping how employees behave on digital platforms both in and outside the workplace.
“The biggest risk for enterprises is people bringing these practices back into the office. When people go home they may have lots of people sharing a computer, their wireless networks aren’t necessarily encrypted and they may not use strong passwords,” Calder says, adding that increased interaction with cloud services means users are likely to import ingrained behaviours into the workplace, particularly as popular offerings like Dropbox or Google Apps straddle enterprise and consumer environments.
“Enterprises should put more emphasis on teaching people the impact of their behaviour on the security of their organisations, and on their own security. If there’s a cyber-security danger it’s because enterprises aren’t teaching people how to look after themselves, not because the solutions aren’t sophisticated enough,” Calder says.
“It’s not just their responsibility; it’s in their self-interest to train employees on this,” Calder says.