January 16, 2011 CLOUD COMPUTING,CLOUD SECURITY,DATA SECURITY

Data Security and the Cloud

One of the worst issues for data security is that many, even among the security professionals, confuse that expression with network security, and believe that an IPS is all it takes to secure their data. In reality data security is a much larger issue, that includes network security only as part of it.

Over the past four years, there has been an overwhelming yearly increase of new malware. This is causing serious issues to the AV community, because the antivirus companies can’t keep up. The traditional method of grabbing a sample, preparing a signature, sending it to regression tests and releasing it after maybe six hours no longer works.

Enter the cloud – which is making things a whole lot worse. Today in the cloud many companies are installing their servers without any security, and those who do deploy some form of security, install a basic firewall and nothing more. Most of the times, no AV on the servers, no IPS, no monitoring; they open ports for remote connection without using VPNs, and do things that are wrong and dangerous. It almost seems that, because it is “in the cloud”, security is not an issue. And yet, it is as much of an issue as it is for in-house infrastructure, if not more. But since most cloud infrastructure providers do not offer any security, most customers opt for “taking the risk”, or maybe they do not even realize the risk, assuming that the provider has some sort of global security for all their customers.

Data security needs to be regarded as a separate issue because there are things that a firewall and IPS cannot protect from. For example, one issue is access control. Assigning the proper privileges to each user is not a simple task, as it requires a high level of planning. So many administrators take the easy shortcut of assigning too much access to users that do not need it. So you end up inevitably with too many users with too much access — this leads to possibly losing data by errors or omissions, or simply intentionally.

So what do you do? One solution – deploy a logging and monitoring system that will record any activity from the logon to the logout, and will raise alerts when it sees patterns of activity that are unusual.

There is another risk too — when you put data in the cloud, unless it is a private cloud, you are sharing resources with other companies who are using the same server and the same disks. And here lies the key – the disks. Your data is usually written on the same disk with data from other companies.

So now assume that the FBI is investigating one of these companies and obtains a subpoena to impound that disk. First of all, you have just lost your data (OK, you have a copy; you can rebuild everything, not a big deal). But your data has just been “given” to an investigative bureau together with that of a company that is under investigation. Your data is no longer private at that point and anything can happen.

Other questions to consider – do you know where data and the data center is? What if that data is not even in the U.S.? What if you are sending your data to a country that has the right, by its national laws, to take it without any reason? Is it relevant to you? If it isn’t, then don’t worry. But if it is, well, at least make sure that the provider you deal with has data centers only in the U.S.

The bottom line – do your homework first before taking the plunge into the cloud, and of course, feel free to call/email me if you have any questions – happy to be of assistance!