When it comes to Cloud security, the first thing that comes to everyone’s mind is that everything is running in someone else’s data centre, and how their only asset, their data, can be kept secure there. This has pretty much driven the threat modelling for Cloud security: everything in transit and at rest is to be encrypted with your own key, with added layers of network flow controls, identity protection and continuous compliance monitoring, in other words defence in depth.


It sounds like a perfect security control: no one can access the data. Yes, no one can access the data, including the ones who legitimately need to access, update and delete it! Then how do we know a person is a known person, that for their role they need access to a particular dataset, and how do we track what, when and why they access the data?
You may feel like I am trying to teach basic data security; yes, in a way that’s right, but it’s not easy to get basic data security right, so let me tell you a story.
In those days, people used to keep cash and jewellery at home, before banks introduced vaults. Once people started using vaults in a bank, they occasionally visited the bank, proved their identity, had their visit recorded and got access to their valuables. When they took the valuables out, they put them into some protected briefcase, wallet or portable vault in transit and did the same at rest in their home. The valuables were only retrieved when there was a need, and once the need was met they were placed back where they belonged, in either short-term or long-term secure storage.
In this story, people never left their valuables lying around anywhere in their own house where they could be seen or accessed by anyone. People were quite mature in their awareness of threats and in how to protect their valuables in transit and at rest.
Now if we move from valuables to sensitive data such as an identity document, for example a passport, people still keep it securely, but not necessarily in a vault, and may casually use it in public places. There is a reason for this: unlike valuables, only the owner of the passport can use it, and no one else can use it even if they steal it. In other words, there is another factor that validates the authority to use the passport at the time of use, every time it is used.
If we think about the protection given to a passport, just because it cannot be used by someone else we still don’t leave it for anyone to look at, as the information on the passport is still sensitive. But the level of protection is not the same as for other valuables, again because the passport can only be used by the owner and this is validated on every single use.
Likewise in the Cloud, we won’t leave sensitive data open to the internet, but we do have to make sure the data can only be used by its owner, with parts of the data accessible to others as delegated by the owner. Like the passport, whenever someone wants to access the data there should be a validation with audit events, and at any given time the owner of the data can revoke the access delegation.
The Cloud environment is perceived to be insecure by nature, as it’s someone else’s data centre and someone else physically has access to the storage devices holding the customer data. Yet the data security services, processes and maturity there are well above how data has ever been handled in an on-premise data centre or even in a corporate office.
These days, where there is a data breach it’s due to immature practices the customers carried over from on-premise data centres or corporate offices; rarely are the Cloud providers themselves responsible for it.
But it takes many years to move data from an on-premise or corporate environment to the Cloud, and most of the time the majority of the data is retained on-premise, mainly due to the perceived risk of the Cloud always being higher than on-premise.
Now let’s take a look at some of the controls one may introduce in the Cloud to keep their data secure.
- Encrypt and Bring Your Own Key – This is the 101 of Cloud data security; without it, probably don’t consider Cloud migration at all.
- The key is protected by access policies and mandated to have another factor if it’s for human access, just like how a passport works.
- If it’s for an application or a cloud resource, the permission is only added for the lifetime of the application or the cloud resource, and this is done by automation.
- Any automation that alters the access policies of the encryption key must be controlled by approval.
- All access to the key, the data and the approvals is to be audited.
- All access, including access to the root of trust, must be able to be revoked; when this happens, it requires a break-glass process with one-time elevated access that needs to be approved.
Wow! Yes, it’s not easy to implement Cloud data security, but once it’s implemented and proven to be consistent with the right level of automation, it’s almost impossible to penetrate.
There is a fundamental principle for Cloud data security: it’s identity-based, as there is no network boundary to trust, and you should control the root of trust and the encryption key. Almost all Cloud data breaches occur by penetrating a trusted application or cloud resource that is exposed, which may not be a failure of the Cloud data security but a failure of the affected application or cloud resource.
Hence there should be sufficient controls before an application or a cloud resource can be trusted and thereby permitted to access a certain dataset; even better, there is an access challenge every time and only temporary access is granted, based on the source interacting with the application or cloud resource.
Yes, again it’s not easy to establish a mature Cloud data security process, but if it’s consistently established with the right level of automation, you can probably provide Cloud data security as a service!
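As an added example (not code from the original post), here is a small Python model of the key controls listed above and of the identity-based principle that follows them: approval-gated policy changes, a second factor for human access, time-bound workload grants, an audit record for every decision, and revoke-all followed by an approved one-time break-glass grant. The class, principal and approver names are hypothetical; no real cloud provider’s key-policy API is used.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    kind: str            # "human" (needs a second factor) or "workload" (automation-issued)
    expires_at: int      # constructed sample times below are plain seconds since epoch
    one_time: bool = False

@dataclass
class KeyAccessPolicy:
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # every decision and policy change
    locked: bool = False                        # set by revoke_all(), cleared by break_glass()

    def grant(self, principal, kind, now, ttl, approved_by=None, one_time=False):
        # Any change to the key's access policy must carry an approval.
        if approved_by is None:
            self.audit.append(dict(action="grant", principal=principal, result="no_approval"))
            raise PermissionError("policy change requires approval")
        self.grants[principal] = Grant(kind, now + ttl, one_time)
        self.audit.append(dict(action="grant", principal=principal, by=approved_by, until=now + ttl))

    def can_use_key(self, principal, now, mfa_passed=False):
        # Every use is challenged: identity, expiry, and a second factor for humans.
        g = self.grants.get(principal)
        if self.locked or g is None:
            reason = "locked" if self.locked else "no_grant"
        elif now >= g.expires_at:
            reason = "expired"
        elif g.kind == "human" and not mfa_passed:
            reason = "mfa_required"
        else:
            reason = "allowed"
            if g.one_time:
                del self.grants[principal]   # break-glass grant is consumed on first use
        self.audit.append(dict(action="use", principal=principal, at=now, result=reason))
        return reason == "allowed"

    def revoke_all(self):
        # Revoking at the root of trust drops every grant until break-glass is approved.
        self.grants.clear()
        self.locked = True
        self.audit.append(dict(action="revoke_all"))

    def break_glass(self, principal, now, approved_by, ttl=900):
        # Approved, one-time elevated access; lifts the lock only via an audited grant.
        self.locked = False
        self.grant(principal, "human", now, ttl, approved_by, one_time=True)
```

The audit list is what the owner reviews to see who used the key, when, and with what outcome, including rejected attempts.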
Now let’s take a pause on Cloud and move back on-premise, well, to the ground!
Let’s talk about the on-premise data centre. It’s an on-premise data centre, but is it your data centre? Well, no; as you know, most businesses using data centres don’t run data centres as their business. So it mostly belongs to someone else, and there is a contractual arrangement standing between your data and your data centre supplier. I am not going to get into how we know they can’t access your data, and if it ever occurs how you know when, what and why they accessed it, as I am pretty sure most of you have a smile as you read this 🙂
I also hear some of you saying: you know, not many get into the data centre, and there will be physical access controls, biometric controls and surveillance cameras, with guards manning the data centres. Yes, I hear you, but don’t we have on-premise data centre breaches at all? They are just not reported the way Cloud breaches are reported. Most of the time, when on-premise data centre breaches are involved, the responsibility is placed with the operator’s own control failure rather than the customer’s control failure.
This difference in responsibility is one of the key factors for the slowness of Cloud migration: if you can always hold the data centre operator responsible as long as you keep the data on-premise, why even bother migrating to the Cloud, where you become responsible? Yes, this is again a perceived responsibility; I am not sure how clearly any on-premise data centre services agreement states that the customer’s data is the responsibility of the operator rather than the customer. Really, probably worth reading again!
Now let’s move into your corporate office, or in general your company premises. As you know, the level of access control is not the same as that of your on-premise data centre; it probably doesn’t even require biometric verification and could even have back doors for various suppliers to come in and so on. But mostly there will be good controls around which computers are allowed to be connected to your office network, with multi-factor authentication to log in to your company account.
So this creates a perceived trust in who can access your company network, which is most likely going to be a staff member, and depending on how many staff in your company are allowed to be in that network, they are all in one flat network of trust!
Normally human beings, or in general any living being, like to be in a secure environment, and once they are in a secure environment they like to be a bit more independent, do what they think is right, explore things and share without a second thought, as if it were not even an issue.
If you take the pre-Covid-19 scenario, everyone could shake hands, everyone could hug each other and sometimes even share food with strangers, and no one saw any issue until Covid-19 became a thing!
Yes, it has not only shaken the world but has changed people’s mindset: no one can live in a secure environment in the context of Covid-19, and people adapted to living in an insecure environment and trusting no one, including their friends, and not only that, even themselves! Yes, no handshakes, face masks, and even sanitising their own hands before using them. Covid-19 changed the way humans perceive a secure environment: nothing is secure. People have adopted the new way of life for many years and probably it’s going to be life forever!
Let’s go back to your company office. People are still in a trust mindset within the company, sharing data and sometimes even keeping it on a shared drive, which is pretty much open to the entire company network. All of a sudden one of the staff members gets an email, the staff member is really curious to see the attachment, opens it up, and before they realise it, everything stored on their machine as well as on the shared drive is encrypted with the hacker’s key, and the hacker is asking for a ransom to release the data, or else forget about it!
The moral of this story: you probably cannot trust anything, including your own inbox, regardless of whether you are using the Cloud or an on-premise data centre. Data is your asset, and it’s your only asset, so don’t leave it everywhere, or even anywhere, that’s open to someone else, even if it’s a staff member or even yourself.
In other words, treat data as a valuable: only take it out of the vault when you need it and put it back in the vault when you don’t, and when you need it next time you are supposed to prove who you are, and the owner of the data should be able to see who, what and why their data has been used for, on every single use.
Companies that have already established this kind of mature process for data governance in their own environment have already changed the mindset of their people, and when the data goes to the Cloud, the people’s mindset doesn’t need any more changes, as they already have the data governance maturity that’s required in the Cloud.
On the other side, if you are two clicks away from a data breach, it’s probably better to implement a mature data governance process within your company environment before even planning a Cloud migration.
Your transformation does not necessarily have to wait for Cloud migration; it can begin now. But if you are not willing to go through the transformation, you are just accepting the fact that your data breach is clearly two clicks away, by any one of your staff members!
New Zealand adopted a position in the early stage of the Covid-19 lockdown: treat yourself as if you have got Covid-19 and behave responsibly! When you get Covid-19, you stay away from others and implement your own self-quarantine. This is the mindset you need to create regardless of whether you are in the company network or the Cloud: nothing is to be trusted, including yourself. Remember, you are represented by your account, which could be hijacked by anyone, so technically you are not physically representing yourself; it’s a digital representation of yourself, so how can you trust it?
Disclaimer
This article was produced in my own capacity and from my own experience so it could be beneficial for others; no association could be assumed with the organisation that I am working for now or the organisations that I worked for in the past.