On the 11/29 Virtualization Security Podcast, Omar Khawaja, the global managing principal at Verizon Terremark Security Solutions, joined us to discuss Verizon's 12 step program for entering the cloud (found on SlideShare). This 12 step program concentrates on the IT and Security admins working together with the business to identify all types of data that could be placed into the cloud, and to classify that data. Once this is complete, the next steps are to understand the compliance and security required to protect the data and to access the data. It is a data-centric approach to moving to the cloud.
This is not an approach we have not discussed before, but now there are 12 steps, created by Terremark, for all who want to move to the cloud to follow. Terremark as a cloud provider is one of the ones on the leading edge of cloud security, and they will say that if your data requires encryption at all levels (eyes-only data), or requires certain access requirements, then the cloud may not be for that data. In reality, entry to the cloud is about two things:
- Data Security: Confidentiality (encryption, access control), Integrity (digital signatures), and Availability
- Data Access: Governance (how the data is accessed), Risk (measuring the risk if the data is exposed), and Compliance (regulations)
Both Data Access and Data Security must be met with compensating controls within the cloud, either provided by the cloud or by the tenant. In most cases this must be provided by the tenant, as visibility within clouds is at an all-time low.
All of these 12 steps pertain to the IT and Security administrators; however, they do not discuss the rank and file of an organization. I would be willing to go out on a limb and say 95% of all employees use the cloud in some fashion, whether that is iCloud (or equivalents), Google (Mail, Docs, search), or Dropbox. They use these tools as a matter of convenience to get the job done. However, the rank and file may not be thinking about the business (and security) consequences of using these tools. I have heard of the following being placed into the cloud:
- Intellectual Property (documents about upcoming products) — Google Mail and Docs
- Internal phone numbers for various executives (usually internal use only) — Google Docs, Dropbox, and iCloud
- Customer Contracts and Lists (confidential information) — Google Mail, Dropbox
The list is fairly endless. Now why do people use these tools? Because they are convenient, easy, and always available. Now we are trying to close the barn door after the horse has already bolted. Perhaps instead it is time to find all our data, which is a daunting task.
As individual contributors, security professionals, and executives, we need to realize that once information is on the Internet in some form or another, the data can never be redacted. It is there for good, so we need to be intelligent about the data put within the cloud. What is the business consequence of using various cloud services as an individual to meet business goals?
There is no longer a center for our data; we are the center of our data. This will cause various data sores as data gravitates to certain locations within clouds. The data sore we have at the moment is managing our input to the cloud safely. We have failed miserably, and there is no way to redact the data and move on from there. We need to accept this, move on to protect new data, and change our ways.
Yes, we need a 12 step program to help us!