Q&A: Public Cloud Security
What IT should do to secure data in the cloud.
Security remains a top concern of IT when considering a move to the cloud. What are the issues and misconceptions about cloud security, and what should IT do to protect itself? For answers, we turned to Robert Jenkins, CTO and co-founder of CloudSigma.
Enterprise Strategies: What is the biggest security threat for organizations storing data in public clouds?
Robert Jenkins: SMBs and enterprises storing data in the public cloud still expect their data to be ”private,” and when private data goes public, it’s a serious concern for everyone. This is called data leakage, and it occurs whenever proprietary data stored in a multi-tenant environment (like a public cloud) falls into the hands of an unintended third party. Data leakage usually happens because the cloud provider’s actual physical disks are exposing some of a customer’s data to either another customer or a malicious hacker.
When proprietary data falls into someone else’s hands, it is a problem for both the cloud provider and the customer. This data could be credit card information, confidential earnings reports, or Social Security numbers. Unfortunately, data leakage creates mistrust in the public cloud, and that’s bad for the industry as a whole. It’s important to emphasize that this is not a problem inherent with public clouds.
What is the biggest misconception about the dangers of the public cloud?
The biggest misconception is that it is inherently more vulnerable to security threats than in-house data centers, colocation facilities, or any other source of infrastructure services. Given all the alarmist headlines popping up around the dangers of the cloud, it’s not surprising that people have this misconception that the cloud has unique security vulnerabilities. In fact, a 2012 report found that security problems were the primary concern for 48 percent of IT professionals who didn’t plan to adopt cloud.
However, the cloud itself is not inherently dangerous. Gartner analysts forecast that 80 percent of security issues in the cloud through 2013 will be due to error on the part of providers and customers of cloud services, not fundamental issues with the cloud. Security threats in the cloud usually emerge because of irresponsibility for how public cloud services are delivered and used. That’s why the only way to reverse misconceptions about security in the cloud is to educate both vendors and customers about better cloud practices.
What are ”dirty disks,” and what can organizations do to protect themselves against them?
So-called dirty disks are the physical disks used in a multi-tenant environment that are exposing one customer’s data to another customer. Specifically, the dirty disk issue occurs when part of a “deleted” virtual drive has overlapped with a new virtual drive on the cloud provider’s actual physical disk, exposing some of the first customer’s data to another customer (or, in a worst case scenario, a cybercriminal). However, in the case of dirty disks, the disks themselves aren’t really at fault. The problem is that the customer or vendor (or both) didn’t take the right precautions when migrating their data to the cloud environment.
Unfortunately for the cloud customer that is a victim of data leakage, the data they thought they deleted when they erased their virtual drive was still stored on the vendor’s physical disk. It’s normal for virtual drives to share space on physical disks, and it’s the way cloud computing works. It’s only a problem if the data hasn’t been properly encrypted and is suddenly public when a new drive spins up where someone’s “old” data still exists.
What are the most important steps vendors and their customers can take to make clouds more secure?
Customers need to be vigilant no matter where they are storing their data. You wouldn’t leave a physical disk containing highly sensitive data on a public park bench, so why would you store sensitive data in a shared, multi-tenant public cloud without taking any precautions to keep it secure? The most important thing a public cloud customer should do is encrypt their data to make it unreadable to third parties. This can be done by encrypting data within the operating system or by fully encrypting the operating system itself. However, both of these data encryption methods aren’t completely reliable because the customer must manually encrypt regularly in an environment where drives are constantly created and destroyed.
A more feasible approach is to have the entire virtual drives encrypted each time they are created, an option most vendors should offer. That’s why security is best solved at both the customer and vendor levels. In fact, security issues often result because vendors lack transparency and don’t take steps to educate their customers. Realistically, most people are new to the cloud and don’t recognize the risks involved. They need help, and the vendor should help them by creating a safe and secure environment for data storage and by creating rules, procedures, and protocols that keep customers fully informed. As in any industry, cloud computing demands that every participant “plays by the rules.”
On a related note, it’s worth mentioning that malicious security breaches still happen largely as a result of insecure passwords, both inside and outside of the cloud. A proper secure password policy is therefore absolutely essential to keeping out unwanted visitors and ensuring data is secure.
What products or services does CloudSigma offer to keep data safe in the public cloud?
CloudSigma takes very simple but essential steps to ensure that data leakage and other security issues don’t occur in our public cloud. We are completely transparent and we educate customers upfront about how their data is stored, where it is, and what precautions they should take to protect it. Our customers also have the choice of complete virtual drive encryption every time they spin up a new drive. We provide this using a 256bit AES triple encryption cascade, and the performance impact is limited to just a 10-15 percent reduction. With this approach, customers don’t have to manually encrypt their data all the time, and they can sleep soundly knowing that their data remains completely private in a public cloud environment.