Q&A: Securing Data in the Cloud
Data in the cloud needs protection as stringent as that applied to on-premise data. What are the enterprise risks, how does the cloud impact compliance, and how can you address the security risks? For answers, we asked Derek Tumulak, vice president of product management for Vormetric, a company that specializes in enterprise data protection (including encryption and key management), to share his knowledge and recommendations.
Enterprise Strategies: With the growth of cloud technologies, data is flowing as never before between on-premise and cloud sites. What kind of new threats does this expose an enterprise to? Are these new threats or just variations of what IT has been fighting for years?
Derek Tumulak: The primary threat with the adoption of cloud technologies is that any data an enterprise is responsible for is no longer contained within the enterprise's own IT infrastructure. Presumably, sensitive information is being stored in the cloud service provider's infrastructure, whether it be in Amazon Web Services or Salesforce.com.
There are other threats, such as when data is in transit or access control to the cloud service is compromised. From a technology perspective, many of the foundation pieces for securing data already exist but may require more attention and investment. From a business perspective, CIOs need to consider the implications of data living in someone else's infrastructure. In the end, it is a combination of old and new threats in a constantly evolving landscape.
Enterprise Strategies: Are some cloud technologies inherently safer (such as private clouds) than others, or is this a myth?
Tumulak: Private clouds are certainly safer if you make the assumption that you can trust your internal staff more than the employees at a public cloud service provider. Private clouds are typically based on virtualized systems and introduce a new set of threats. What were once physical machines that might have been difficult to access now exist as files that move quickly and easily, particularly with increased bandwidth and storage these days.
This is still inherently safer than a public cloud environment where a separate business entity has access to your data and where multi-tenancy means your data could potentially be commingled with information belonging to other users of the cloud service, some of whom may be your competitors.
Enterprise Strategies: What's the impact of cloud technology on compliance?
Tumulak: Generally speaking, compliance requires that data be secured based on a set of best practices. Public cloud services introduce new risk that did not previously exist, and so regulations and compliance mandates need to evolve to ensure that organizations are properly managing the risks associated with utilizing public cloud services for increased efficiency and cost savings. Some public clouds do pose compliance challenges because they are not as readily accessible to auditors as on-premise infrastructures.
Enterprise Strategies: How are enterprises reacting? Are they tackling the problem (and if so, how), is this a problem that they're ignoring, or a problem they just aren't aware of?
Tumulak: Most organizations are certainly aware of the risks associated with cloud computing. Looking back six years, most IT organizations were resistant to adopting what we today call cloud services, and they resisted introducing consumer mobile devices into their ecosystem.
The real driver in the last several years was that enterprises recognized the deployment speed and efficiencies that could be gained by adopting cloud technology. As with most disruptive technologies, when they move into the mainstream, hackers learn to exploit their vulnerabilities, and vendors and IT organizations respond by implementing technologies and measures to stop hackers.
Much of data security, even from a cloud perspective, is related to risk management. The goal is to invest the right amount in technology, processes, and training to limit exposure to an acceptable level. What can be problematic is when an organization invests too little (leading to large data breaches) or when an organization invests too much (diminishing returns).
Enterprise Strategies: What best practices can you recommend for addressing these security and compliance challenges?
Tumulak: In general, the best place to start when looking to address security and compliance challenges is to develop a long-term (about three years) strategy for where you want to take your organization. This includes understanding what is realistic, prioritizing the systems with the highest-value data and risk, and determining where technology investments will be made in the future (i.e., adoption of public cloud services).
Once a long-term strategic plan is in place, an organization can take a look at where immediate risks exist and what compliance mandates need to be met in the near term. The near-term implementation should be guided by the long-term plan. For example, if securing a legacy system is too costly, it may make more sense to apply a form of compensating controls to that environment and look to aggressively phase out the system.
In addition to technology, organizations must invest in education and put in place appropriate processes for a successful implementation. Part of this includes a comprehensive response plan in the event that a breach does occur (digital forensics, customer notification, rekey, etc.) to minimize impact and to ensure that the same type of breach does not happen again.
As part of this strategy, organizations should work closely with security vendors, analysts, and peer organizations to stay current on market/technology trends and be aware of approaches that others are using to solve similar problems. In the end, it's about having an evolving, well-thought-out long-term plan that has a degree of flexibility to address the immediate needs of the business.
Enterprise Strategies: What products or services does Vormetric offer to improve compliance?
Tumulak: The Vormetric Data Security product portfolio provides data protection solutions to secure and control enterprise data at rest. Vormetric Data Security allows enterprises to encrypt sensitive data, control access to that information, and report on who is accessing the protected data. Vormetric supports all of the major platforms -- Linux, Unix, Windows -- and can be used in physical, virtual, and cloud environments. The Vormetric Data Security family of products provides a centrally managed, high-performance system to manage data security across the distributed enterprise. Vormetric Data Security deploys easily while providing a strong combination of encryption, access control, key management, and audit for files and databases.
James E. Powell is the former editorial director of Enterprise Strategies (esj.com).