Data security in cloud computing - Part 1: Overview

In contrast to use of a public cloud, maintaining organizational physical control over stored data or data as it traverses internal networks and is processed by on-premises computers does offer potential advantages for security. But the fact is that while many organizations may enforce strict on-premises-only data policies, few organizations actually follow through and implement the broad controls and the disciplined practices that are necessary to achieve full and effective control.

So, additional risks may be present when data doesn't physically exist within the confines of an organization's controlled facility—this is not necessarily the security issue that it may appear to be. To begin, achieving the potential advantages with on-premises data requires that your security strategy and implementation deliver on the promise of better security.

The basic problem is that most organizations are neither qualified to be in the information security business nor are they in that business—they are simply using computers and networks to get their work done! Although secure computing is a desired quality, information security expertise is not a core-competency for most computer users nor is it common in most organizations. Returning to the point:

• Moving data off premises does not necessarily pose new risks, and it may in fact improve your security.

• Entrusting your data to an external custodian may result in better security and may well be more cost effective.

Two examples that underscore this are the commercial service offerings to either store highly sensitive data for disaster recovery or assure the destruction of magnetic media. In both cases, many highly paranoid organizations tightly control how they use these services—but the point is that they use external services, and when they do so, they entrust their data to external custodians.

It is important to state that some kinds of data are simply too sensitive and that the consequence of data exposure is too great for some customers to seriously consider using a public cloud for processing. This applies to any information category that entails national security information or information that is subject to regulatory controls, which cannot yet be met by public target cloud offerings. Likewise, it is unlikely that a well-governed organization would release highly sensitive future product plans to any environment where the organization would be uncertain that the information custodian (the CSP) did not enforce the information owning organization's interests as well as the organization itself would.

In these examples, it is not the case that security needs for these categories can't be met in a public cloud, rather the cost of providing such security assurance is incompatible with the cost model of a public cloud. If a CSP is to meet these needs that would demand additional controls, procedures, and practices that would make the cloud offering noncompetitive for most users. Consequently, where such data security needs prevail, other delivery models (community or private cloud) may be more appropriate. This is depicted in Figure 5.1. Note that this situation is a function of generally available and anticipated offerings in the public cloud space. Quite likely, this will change as security becomes more of a competitive discriminator in cloud computing.

One can easily imagine future high-assurance public clouds that charge more for their service than lower-assurance public clouds do today. We might also expect that some higher-assurance clouds would limit access by selective screening of customers based on entry requirements or regulation. Limiting access to such a cloud would reduce risk—not eliminate it—by limiting access if screening is effective.

Organizational Responsibility: Ownership and Custodianship
While an organization has responsibility for ensuring that their data is properly protected as discussed above, it is often the case that when data resides within premises, appropriate data assurance is not practiced or even understood as a set of actionable requirements. When data is stored with a CSP, the CSP assumes at least partial responsibility (PaaS) if not full responsibility (SaaS) in the role of data custodian. But even with divided responsibilities for data ownership and data custodianship, the data owner does not give up the need for diligence for ensuring that data is properly protected by the custodian.

By the nature of the service offerings, and as depicted in Figure 5.2, a data owning organization can benefit from their CSP having control and responsibility for customer data in the SaaS model. The data owning organization is progressively responsible beginning with PaaS and expanding with IaaS. But appropriate data assurance can entail significant security competence for the owning organization.

Ultimately, risks to data security in clouds are presented to two states of data: data that is at rest (or stored in the cloud) and data that is in motion (or moving into or out of the cloud). Once again, the security triad (confidentiality, integrity, and availability) along with risk tolerance drives the nature of data protection mechanisms, procedures, and processes. The key issue is the exposure that data is subject to in these states.