The first line of defense when securing data in the cloud

The first line of defense when securing data in the cloud

Apple’s opposition to an FBI request to unlock the iPhone of Syed Rizwan Farook, the shooter in the December terrorist attack in San Bernardino, CA, has raised the issue of data privacy and security, not just on individual devices but also when devices are connected to the cloud.

Your device or on-premise server might be protected, but what about when you connect them to the cloud? It may be vulnerable to attackers or be subject to government requests.

Cloud security introduces different challenges because there are more players, said Mark Nunnikhoven, vice president of cloud research at Trend Micro Inc. Also, the type of security you want depends on what you want to protect your data from. Do you want to protect it from hackers or protect it from government agencies?”

It’s an issue a lot of companies are thinking about and taking steps to address, said Ellen Rubin, CEO of ClearSky Data. And the first line of defense for them, she said, is encryption. In fact, the argument any cloud service provider (CSP) will make is that if you are concerned about your data—whether because of hackers or governments wanting access—you must encrypt your data, she said.

And the data must be encrypted at rest, as well as in transit to the cloud—whether it’s a public, private or hybrid cloud environment, Nunnikhoven said.

The large public CSPs, including Amazon Web Services, Microsoft Azure and Google Cloud Platform, include security features. When selecting a CSP, companies need to make sure the provider has the same types of security controls as when protecting information on an internal system, said Jim Reavis, CEO of the Cloud Security Alliance.

“This will include some combination of encryption, access control, strong authentication, and intrusion detection—but implemented in a cloud-native way, such as security as a service,” he said. “Not vetting your cloud provider is the real risk you take in storing data in the cloud.”

RELATED:  The best features in cloud-based apps are also security risks

Who has the keys?

The bigger issue with encryption is what happens to the encryption keys. If the data is encrypted, the keys exist somewhere. Where should you put them? Who has control of them? How do you protect them?

“If the answer is that the cloud provider can never have access to the keys, then you’re in pretty good shape. Because even if something happened and people stole your data or subpoenaed it and demanded it, all they would get is encrypted data that they can’t decrypt,” Rubin said.

If the keys aren’t going with the data into the cloud—they are separated and put into some other device—you’ve created a level where no one entity would be able to give someone access, she said.

“I think that is just table stakes now. I don’t think anyone can go into the cloud without considering it because you just don’t know what will happen,” she said. “Anything you have any concerns about at all, not even just sensitive data, should be encrypted.”

Nunnikhoven pointed out, though, that even if data is encrypted, it doesn’t mean it is secure from everything. Because law enforcement agencies can make companies release data.

“In most cases, any company operating in the United States is going to comply with the legal requirements,” he said.

Photo credit: old via photopin (license)
Michelle Davidson

Michelle Davidson

Michelle Davidson is a staff writer for SiliconANGLE, covering the cloud computing market—Infrastructure as a Service, Platform as a Service, Software as a Service and more.

Prior to joining SiliconANGLE, Michelle was an editor at RAIN Group; an editor at TechTarget, managing the Search400 and SearchSoftwareQuality sites; and a senior production editor at Computerworld.

When she isn’t writing about technology, Michelle is gearing up for her trivia team’s next tournament. She’s the team’s go-to person for literature, art, Academy Award winners, Emmy Award winners, politics and—of course—technology.

Have a cloud computing news tip? Tweet it to @siliconangle.
Michelle Davidson

SIGN UP FOR THE SiliconANGLE NEWSLETTER!

Join our mailing list to receive the latest news and updates from our team.

SIGN UP FOR THE SiliconANGLE NEWSLETTER!

Join our mailing list to receive the latest news and updates from our team.

Submit a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Share This

Share This

Share this post with your friends!