In contrast to use of a public cloud, maintaining organizational physical control over stored data or data as it traverses internal networks and is processed by on-premises computers does offer potential advantages for security. But the fact is that while many organizations may enforce strict on-premises-only data policies, few organizations actually follow through and implement the broad controls and the disciplined practices that are necessary to achieve full and effective control.
So, additional risks may be present when data doesn't physically exist within the confines of an organization's controlled facility—this is not necessarily the security issue that it may appear to be. To begin, achieving the potential advantages with on-premises data requires that your security strategy and implementation deliver on the promise of better security.
The basic problem is that most organizations are neither qualified to be in the information security business nor are they in that business—they are simply using computers and networks to get their work done! Although secure computing is a desired quality, information security expertise is not a core-competency for most computer users nor is it common in most organizations. Returning to the point:
- Moving data off premises does not necessarily pose new risks, and it may in fact improve your security.
- Entrusting your data to an external custodian may result in better security and may well be more cost effective.
Two examples that underscore this are the commercial service offerings to either store highly sensitive data for disaster recovery or assure the destruction of magnetic media. In both cases, many highly paranoid organizations tightly control how they use these services—but the point is that they use external services, and when they do so, they entrust their data to external custodians.
It is important to state that some kinds of data are simply too sensitive and that the consequence of data exposure is too great for some customers to seriously consider using a public cloud for processing. This applies to any information category that entails national security information or information that is subject to regulatory controls, which cannot yet be met by public target cloud offerings. Likewise, it is unlikely that a well-governed organization would release highly sensitive future product plans to any environment where the organization would be uncertain that the information custodian (the CSP) did not enforce the information owning organization's interests as well as the organization itself would.
Regardless of whether you are backing up data for a cloud or in a cloud, you should at a minimum retain two copies of a backup. At least one of those copies should be located where it is not subject to destruction at the same time that your other copy is located. At minimum, keep it in another room, or better yet store it off-site.
By example, when backing up a personal computer, a best practice is to have two physically separate backup devices to which you alternate backups to. Affix a label to these two devices, for instance: Laptop Backup A and Laptop Backup B. Over time, as you make each backup, scratch out the previous date on that label and write the current date on it. In this manner, you will always have two backups, one older than the other.
Backup can take several forms, most simply explained you can either perform a full backup of a file system or source disk, you can backup selected directories, or you can restrict your backups to only those files that changed since the last backup. The utility of these varies according to your needs and the time you have to perform a backup. A full disk backup takes longest, but such a backup can also be made to allow booting from it. A full disk backup will simplify recovery from a catastrophic disk failure, whereas a backup of selected directories will both take the least amount of time to create and offer rapid access to a backup for an inadvertently deleted file.
But even a backup can fail when you need it the most, so an even better practice would be to use a cloud-based backup service in addition to your on-site backups. The cost and ease of using such cloud services makes their use very practical if you have reliable network connectivity. Many of these services support encryption of your data before it is sent to the cloud backup service, greatly reducing concern over using such a facility for any but your most sensitive personal information.
In these examples, it is not the case that security needs for these categories can't be met in a public cloud, rather the cost of providing such security assurance is incompatible with the cost model of a public cloud. If a CSP is to meet these needs that would demand additional controls, procedures, and practices that would make the cloud offering noncompetitive for most users. Consequently, where such data security needs prevail, other delivery models (community or private cloud) may be more appropriate. This is depicted in Figure 5.1. Note that this situation is a function of generally available and anticipated offerings in the public cloud space. Quite likely, this will change as security becomes more of a competitive discriminator in cloud computing.
FIGURE 5.1 Meeting security needs: public, community, and private clouds.
One can easily imagine future high-assurance public clouds that charge more for their service than lower-assurance public clouds do today. We might also expect that some higher-assurance clouds would limit access by selective screening of customers based on entry requirements or regulation. Limiting access to such a cloud would reduce risk—not eliminate it—by limiting access if screening is effective.
Organizational Responsibility: Ownership and Custodianship
While an organization has responsibility for ensuring that their data is properly protected as discussed above, it is often the case that when data resides within premises, appropriate data assurance is not practiced or even understood as a set of actionable requirements. When data is stored with a CSP, the CSP assumes at least partial responsibility (PaaS) if not full responsibility (SaaS) in the role of data custodian. But even with divided responsibilities for data ownership and data custodianship, the data owner does not give up the need for diligence for ensuring that data is properly protected by the custodian.
By the nature of the service offerings, and as depicted in Figure 5.2, a data owning organization can benefit from their CSP having control and responsibility for customer data in the SaaS model. The data owning organization is progressively responsible beginning with PaaS and expanding with IaaS. But appropriate data assurance can entail significant security competence for the owning organization.
FIGURE 5.2 Owning organization has increasing control and responsibility over data.
Ultimately, risks to data security in clouds are presented to two states of data: data that is at rest (or stored in the cloud) and data that is in motion (or moving into or out of the cloud). Once again, the security triad (confidentiality, integrity, and availability) along with risk tolerance drives the nature of data protection mechanisms, procedures, and processes. The key issue is the exposure that data is subject to in these states.