Managing Data Security in the Cloud
Dropbox is just the latest example of data not being quite as secure in the cloud as you might think.
Only it isn't better because on-premise data centers cost too much and aren't necessarily one whit more secure. Why is that? Because the base problems do not change. Whether in the cloud or on-premise, a data center is a data center is a data center. And wherever that data center resides, there too are people who operate and maintain it and laws that hover over it. Therefore, people problems, technical security issues and governance challenges exist in every data center regardless of its physical address.
The brouhaha surrounding Dropbox put a fine point on this issue. A security and privacy researcher named Christopher Soghoian filed a complaint with the FTC alleging the cloud data storage company deceived consumers about the level of encryption security it offers. Soghoian, no stranger to security issues given he's a graduate fellow at the Center for Applied Cybersecurity Research, and a PhD candidate in the School of Informatics and Computing at Indiana University, said that while Dropbox does encrypt every file it stores, employees can decrypt it. In his mind at least this amounts to no encryption at all. He says the deception infringes on Section 5 of the Federal Trade Commission Act.
Officials at Dropbox, however, are crying foul.
The company says it removes encryption from files only when it is legally required to provide data to law enforcement. And that is only after its own legal team vets the request or demand. To leave the files encrypted and unreadable would, in effect, be a failure to comply with the law.
"Just so you know, we don't get very many of those requests -- about one a month over the past year for our more than 25 million users. That's fewer than one in a million accounts," reads the company's blog post.
Dropbox also informs its customers when it receives such requests, if the law allows the company to give notice. It is important to note, however, that the Patriot Act allows law enforcement to gag companies about such searches, so there is no real way to know how many files have been viewed by law enforcement at Dropbox or any other company. Indeed, any company is expected to release such files on demand without a warrant or cause. That means even if you kept your data on premises, it is still subject to such searches, as is any data pertaining to your company in any other company's database. Security and privacy issues, therefore, extend well beyond the walls of your user agreement or SLA.
However, that does not in any way diminish the dangers posed by employees of a cloud provider, or your own employees for that matter, in having access to decryption keys.
"Cloud security is as much about protecting against potential insider malice, mistake or misuse as it is about protecting against outside hack or breach," said Tim Brown, chief security architect at CA Technologies. "Organizations need to be concerned about the IT staff members operating a public cloud as well as their own cloud users and what they do with the information they access in the cloud."
Indeed, security in a cloud environment is a responsibility shared by both the users and the providers. There are multiple things from a security perspective that a cloud consumer should do before moving to the cloud, said Brown.
- Make sure you first evaluate the provider themselves.
- Evaluate the security of the cloud services. For this, demand transparency. This runs wide and deep, ranging from closely scrutinizing contracts, SLAs, reporting, monitoring, disaster recovery plans, and breach/vulnerability responses, to knowing what controls the provider has in place for managing their IT staff. You need to know how the provider is managing its privileged users, their access and what they can do with that access.
- Don't compromise your security profile as you move to the cloud. Make sure you work with the cloud vendor to reach an acceptable level of risk.
The best way to protect your data from warrantless searches and data breaches is to encrypt it before you store it in the cloud. Let the cloud provider's encryption be a second layer of protection rather than your primary defense. Even then, double check the provider's entire security scheme before you commit.
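An added example (not from the article, Dropbox or any vendor named here) of encrypting on the client before upload: the key stays local, so the provider stores only ciphertext that its staff cannot read or silently alter. The function names, file name and sample data are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-256-GCM from a 32-byte key that never leaves the client.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload returns nonce||ciphertext, with the file name bound as associated data.
func EncryptForUpload(key []byte, name string, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, data, []byte(name)), nil
}

// DecryptDownload fails if the blob, the name, or the key is not the original.
func DecryptDownload(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key; keep real keys in a local key store
	rand.Read(key)          // error ignored in this demo only
	blob, _ := EncryptForUpload(key, "report.txt", []byte("constructed sample data"))
	out, err := DecryptDownload(key, "report.txt", blob)
	fmt.Printf("%d opaque bytes uploaded, recovered %q, err=%v\n", len(blob), out, err)
}
```

Because the file name is authenticated along with the contents, a blob returned under the wrong name is rejected just like a modified one.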
"Encryption, along with a multi-layered security approach that includes tight access controls, strong separation of duties, secure key stores and centralized key management, provides a safe framework for data protection and governance in both public and private clouds as well as hybrid clouds," said Gretchen Hellman, VP of Marketing and Product Management for Vormetric, a data security and encryption software company.
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).