Securing Data in the Cloud

When itcomes to data security and cloud computing, many companies indulge in magicalthinking: They envision the cloud as a single type of computing platform guardedby service providers that secure the data and think through the tough issues. Infact, while cloud computing may reduce costs, it introduces new layers ofcomplexity that must be managed by your company?s IT, legal and executivepersonnel.

The realityis that cloud computing presents a spectrum of choices. At one extreme islimited outsourcing, in which the company retains responsibility for most computersecurity, including configuring server operating systems and the data centerfirewall?but not the physical security of the cloud data center itself. In this scenario, your ITdepartment must secure all applications and databases, oversee security patchmanagement, and be prepared for all forms of cyberattack and incident responses.

At the otherextreme, the cloud provider supplies virtually all of the servers, applicationsand security.

In anycorporate network, IT will likely be working with a mix of environments, somebehind the firewall and not in the cloud at all, and others at various pointsalong the spectrum. Since rules for managing computer security risks vary for eachsituation, it?s critical for managers to have an up-to-date matrix showingwhich environments are in the cloud and which are not?and, for the latter, todelineate which security functions must be handled by the provider, and whichby the company.   

Providercontracts must clearly state provider security obligations and responsibilities.That said, be forewarned that many recent hacking exploits relate to systemsand processes normally retained by the company. See the following examples:

?       Phishing attacks?whereby an attacker sends an infectedemailto employees?bypass most forms of perimeter security. The best way to thwartsuch attacks is via user education and good incident-responseescalation policies. 

?       SQL injection attacks?whereby an attacker attempts to gainrights to a server by injecting code into an application running on that server?canbe prevented by writing good application code and testingits security, which is not normally part of a cloud provider contract.   

As a result,granularly defining responsibility for each risk, environment by environment, isthe cornerstone for safeguarding the whole, as is defining the securitymeasures that need to be taken for each risk. 

Here?s afurther complication: Cloud providers often can reduce cost in part bytransferring data to the most efficient location in the stack: an array of theirown and subcontractors? global data centers. Therefore, pay close attention tocontract clauses that allow the use of subcontractors and far-flung locations.

Unless your companyknows which specific entities will be storing your data and where it will bestored, it will be difficult to understand and assess provider security staff,skills and functions. Giving providers free rein to transfer data can also leadto violations of European Union guidelines and other data privacy issues.

Technically,cloud providers may slice and dice a company?s data pertaining to a singleapplication, sending different data to different locations. Clearly, suchpractices can greatly complicate business-continuity measures. Closelyscrutinize cloud provider service-level agreements to understand how theprovider intends to ensure computing and data availability if data aredistributed across the stack.

Quality and Response

Quality andspeed of response are key components of any security system. Incident response componentsinclude the ability to:

?       imageaffected servers;

?       interviewIT staff ;

?       dumpserver memory;

?       copyoff and analyze security logs;

?       increasethe robustness of logging during an attack;

?       restorebackup tapes;

?       monitortraffic during an attack through placement of sniffers; and

?       insert?honey pot? servers into the network to ensnare the attacker, as well as otherintrusive techniques. 

During a denial of service attack?inwhich attackers flood the network with irrelevant data or requests?greatcoordination is needed among the cloud provider, upstream Internet serviceprovider and the affected company to try to divert or filter out irrelevanttraffic. Whether the cloud provider will or can do some or all of these things quickly?andeven whether its staff is qualified to assist?must be explored in advance.

Datadistribution across the global stack can complicate incident response,especially if the provider has contractual rights to change the locations ofdata storage based purely on its own efficiency.

In summary,cloud computing is not a security silver bullet. Instead, it introduces manycomplexities and fluidity into the mix. Managing the risks demands carefulthought, clearly defined lines of responsibility and much parsing of legal fineprint.

Eric Friedberg is co-president ofStroz Friedberg, a global digital risk-management and investigations firmedheadquartered in New York. An expert in cybercrime response, computer forensicinvestigations and electronic discovery, Friedberg is a former assistant U.S attorneyin the U.S. Attorney?s Office for the Eastern District of New York. He can bereached at [email protected].