Cloud Security: Is it all Jurisdictional and Audit Issues?

When you read many blogs and articles on cloud security, writers such as myself often mention jurisdictional issues as a big problem. That is not the only problem, and neither is the ability to audit clouds. Both are huge issues for clouds today, but fundamentally, is the cloud flawed from a security point of view, or are there plenty of security mechanisms available?

The key to cloud security is to consider your data, whether that data is in the form of a virtual machine, database entries, files, or short bursts of text that end up in the cloud. So the real concern is how one protects data within the cloud. Jurisdictional issues pertain to where your data resides and audit issues pertain to compliance, the real question is can the confidentiality, integrity, and availability of your data be maintained. While the latest virtualization security podcast covered compliance (video to right), we also need to consider the protections on our data, which implies we need to fully understand our data.
But the key is: what aspects of the data should we understand?

  • We should understand the classification of the data
  • We should understand the risk associated with the data being leaked out
  • We should understand the impact associated with the data being unavailable
  • We should understand the gross structure of the data

There are many other considerations as well, but these, I believe, are the main ones we need to consider.
The last, the structure of the data, is rather interesting: we do not need to understand the intricacies of the data structure, only the gross level, such as the type of data (virtual disk, database, multi-host data, etc.), as this will tell us which security mechanisms work best and which do not. We also need to understand the impact associated with the data being unavailable, since we may need to concentrate more on data protection and business continuity than on other aspects of security. We need to fully understand the risk associated with the data being leaked, which will also govern which security mechanisms we use. The last item is the classification of the data, which will point us to another set of tools to use for security.
So everything boils down to protecting the data: not any one construct, but all the constructs that comprise the data. The requirement to understand the data narrows down the tools required to protect that data. Our tools range from encryption through to firewall controls, with a healthy dose of monitoring for anti-malware, anti-virus, and data loss prevention. What it boils down to is this: is there enough security within the cloud, that is, enough security mechanisms to protect our data in ways that meet the requirements the data drives?
In some ways I think there is; in others I think there is not. I know the "it depends" answer is prevalent in this field, but let us delve into this a bit more and look at confidentiality, integrity, and availability.
Can a cloud provide availability? Of course, if the provider replicates the data between its various data centers. If you require this level of service, you pay a little extra and voilà, it is grafted onto your cloud instance. In addition, you can regularly pull your data off the cloud and store it locally. Those local data instances could then be used as part of business continuity and disaster recovery plans.
Can the cloud provide integrity? The cloud by itself cannot, but you can digitally sign all data before it enters the cloud, as well as download and verify your data on a regular basis. Digital signatures are best, but other mechanisms are available. Some clouds, such as Google Docs, allow you to use digital signing technologies without the bothersome need to download, sign, and then upload a document. Verification, however, is another matter.
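
The verify-on-download routine described above, as an added example that is not part of the original post. It uses a keyed HMAC-SHA256 manifest, one of the "other mechanisms", rather than a true digital signature, so only a holder of the key can verify; all names, the key and the sample objects are constructed for illustration.

```python
import hashlib
import hmac


def tag(key, name, data):
    """HMAC-SHA256 over the object name and its bytes.

    Binding the name into the tag means two valid objects swapped on
    the provider side are detected, not just altered bytes.
    """
    encoded = name.encode("utf-8")
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(encoded).to_bytes(4, "big"))  # length prefix keeps name/data framing unambiguous
    mac.update(encoded)
    mac.update(data)
    return mac.hexdigest()


def build_manifest(key, objects):
    """Run before upload; the manifest and key stay outside the cloud."""
    return {name: tag(key, name, data) for name, data in objects.items()}


def verify_download(key, manifest, downloaded):
    """Classify each object in a downloaded copy against the local manifest."""
    report = {}
    for name, expected in manifest.items():
        if name not in downloaded:
            report[name] = "missing"
        elif hmac.compare_digest(expected, tag(key, name, downloaded[name])):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in downloaded.keys() - manifest.keys():
        report[name] = "unexpected"  # present in the cloud, never uploaded by us
    return report


# Constructed sample data: what we uploaded, and what a later download returns.
KEY = b"constructed-demo-key"  # assumption: a real key would come from a secret store
LOCAL = {"a.txt": b"alpha\n", "b.txt": b"bravo\n", "c.txt": b"charlie\n", "d.txt": b"delta\n"}
MANIFEST = build_manifest(KEY, LOCAL)
DOWNLOADED = {"a.txt": b"alpha\n", "b.txt": b"charlie\n", "c.txt": b"bravo\n", "e.txt": b"echo\n"}

if __name__ == "__main__":
    for name, status in sorted(verify_download(KEY, MANIFEST, DOWNLOADED).items()):
        print(f"{status:10} {name}")
```
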
Can the cloud provide confidentiality? This is where I have the biggest issues. I can definitely encrypt some of my data before it enters the cloud, and I can provide data-at-rest encryption within a cloud (AFORE Systems). But what eludes most clouds is data-in-motion encryption. Given this, highly confidential data currently needs to be encrypted or sanitized before entering the cloud.
Trust is a big factor with the cloud as well: you need to TRUST that the cloud administrators will not peer into, modify, or delete your data, either inadvertently or maliciously.
Can we monitor the cloud using our security tools? Yes, this can occur depending on the cloud. IaaS and PaaS have definitive mechanisms to monitor themselves, but SaaS clouds are a bit more closed and we are dependent on the mechanisms built into the software. Many clouds include tools from HyTrust, AFORE, Trend Micro, Catbird, Vyatta, and others. As such, their dashboards and reports may be available to their tenants. In addition, these can be implemented within your own cloud instance.
Bottom line? For some data sets, the cloud is just fine. For others that require data encryption at all levels there is still a bit more work to go. But we are much closer than we were before. The technology exists, but we still have to trust for some things.
* The travelogue video was produced by Lars Troen

2 replies on “Cloud Security: Is it all Jurisdictional and Audit Issues?”

  1. Very nice post, and increasingly relevant, particularly in light of the recently proposed EU changes regarding privacy.
    One important nit I’d like to pick, however. You state:
    Jurisdictional issues pertain to where your data resides and audit issues pertain to compliance, the real question is can the confidentiality, integrity, and availability of your data be maintained.
    I’ve been engaged for the past few years in issues surrounding jurisdiction, and note that it’s NOT only where your data resides. We tend to conflate the notion of jurisdiction with geography (the ‘where’) out of old habits. Jurisdiction has to do with who or what constraints and rights are in effect for the owner of data (independent of location) as well as the ‘steward’ of the data (e.g. the service provider to which the owner has delegated care of the data). While geographic boundaries may play a part, we can clearly see that, as far as the US is concerned, the provenance of the data (i.e. its origin, ownership and the stewardship) has erased the notion of physical location of where a datum resides as the basis on which to determine whether it can be pursued under the Patriot Act.
    There are also aspects of jurisdiction and compliance that transcend national boundaries and governmental constraints. Cooperative arrangements, many of which are entered into by financial institutions with global presence, have been established for the treatment and handling of data that are independent of location, and much more focused on data provenance and stewardship.
    I realize that this might be considered a ‘nit’ that I’m picking, but it has importance for both the providers of Infrastructure as a Service (with respect to jurisdictional impact on data and on processing / transactions), and the selections that their customers make. The problem becomes still more complex when multiple and potentially contradictory jurisdictions can make claims on the governance of cloud-resident data or transactions.
    It’s not an easy issue to define, and a really tough issue to address with technology. IMHO it represents a requirement for which consumers of IaaS and cloud storage in particular will need solutions that (a) are capable of being addressed through the establishment of policy-based management and (b) require infrastructure services to generate and respect meta-data that establishes physical location AND jurisdiction.
    – Rich Miller
    @rhm2k

    1. Hello Rich,
      I agree that the definition of Jurisdiction is somewhat up in the air and depends on much more than just location. However, location is nearly always included in current discussions and is a pretty good starting point. Stewardship is definitely one question, but according to current law where does the steward come in during standard network traffic to and from the steward’s location? I.e. are the stewards responsible if traffic is suddenly routed through another foreign entity with no treaty with the steward’s current country?
      Since Jurisdiction breaks down to treaties can we ever fully remove location from the discussion?
      Best regards,
      Edward Haletky
