Comment: Encryption is Critical for IaaS

If your organization is considering use of IaaS from a cloud service provider, traditional security measures, such as full drive encryption, may not translate

If your organization is considering use of Infrastructure-as-a-Service (IaaS) from a cloud service provider (CSP), be aware that traditional security measures, such as full drive encryption, may not translate.

Most IaaS offerings rely heavily on server virtualization to achieve the elasticity and rapid deployment we expect from the cloud. But virtualization introduces new technologies and attack surfaces that must be considered from a security perspective. If you are concerned about the privacy of data running in virtual machines (VMs) in the public cloud, there are some basics you need to know.

First of all, VMs are mobile. They are designed to ‘float’ above a hypervisor so loads can be easily balanced across available hardware and processing power. Because of this mobility, many traditional security methods will not work. For instance, say you implement full-disk encryption, but then your CSP moves your VM to new hardware. Be aware that this encryption will not travel. Furthermore, most CSPs will replicate your VMs to ensure availability, so you will have more than one copy of your data, leaving little data footprints as it travels around the CSP’s networks.

In its recent study, the ‘2012 Cost of Cybercrime’, The Ponemon Institute published statistics that showed company insiders were only responsible for a small percentage (less than 10%) of security breaches. However, insider breaches typically took much longer to identify, and cost the company significantly more than a breach from the outside. The reality is that no matter how well you hire, there is still a risk of a rogue administrator accessing information they shouldn’t see.

When you outsource to a CSP, data becomes less accessible to ‘insiders’, and you are forced to place your trust in their IT administrators. By encrypting your data in the operating systems of your VMs, you can ensure that your applications and data remain secure in the hypervisor, all the way through storage and backup, preventing the administrator who runs your VMs from accessing your data at will.

Second, it is absolutely possible that the US government, with authority granted by the Patriot Act, can compel CSPs to turn over client data in accordance with a government investigation. In fact, a study by the law firm Hogan Lovells shows that these access rights were fairly consistent across 10 countries they reviewed. To that end, Google recently published its ‘Transparency Report’ indicating that the company turned over user data in 94% of cases when the US government requested it – also noting there were over 21,000 such requests in 2012.

Google spokespeople indicated that “when possible” they notify data owners upon turning over this data. Yikes! Do you want your data given to anyone without your knowledge and permission? Encryption can help. If you encrypt the data, and you manage the keys (keeping them separate from the data, per best security practices), you will have to be in the loop before your data is exposed to anyone.

Another consideration is that storage is shared between tenants, so your data will be co-mingled on disks with everyone else’s. In the event that these disks are seized or disposed of, there is no way to segment your data. Some cloud providers do offer encryption for stored data, but be warned that this may not be enough, especially if your data is sensitive or regulated. You must make sure that you control the encryption keys, not the CSP that hosts your data.
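As an added illustration of the "you control the keys" point above (not code from the article or from HighCloud Security), this Go program shows envelope encryption: each object is sealed under its own data key, and that key is wrapped under a tenant-held key-encryption key (KEK) that is never stored beside the data. The StoredObject layout and the in-memory KEK are assumptions made for the demonstration; in practice the KEK lives in a key manager the tenant controls.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// StoredObject is what lands on the CSP's disks (assumed layout for this demo).
type StoredObject struct {
	Nonce, Ciphertext     []byte // data sealed under the per-object DEK
	WrapNonce, WrappedDEK []byte // DEK sealed under the tenant-held KEK
}

// seal encrypts with AES-256-GCM under a fresh random nonce; open reverses it.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, nil, err }
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func open(key, nonce, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return gcm.Open(nil, nonce, ct, nil) // fails on a wrong key or tampering
}

// Encrypt seals the data under a fresh 256-bit DEK, then wraps that DEK under the tenant KEK.
func Encrypt(kek, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	n, ct, err := seal(dek, plaintext)
	if err != nil { return nil, err }
	wn, wdek, err := seal(kek, dek)
	if err != nil { return nil, err }
	return &StoredObject{n, ct, wn, wdek}, nil
}

// Decrypt needs the tenant KEK to unwrap the DEK; the CSP, a seized disk or a replica holding only the StoredObject gets an error, not plaintext.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, obj.Nonce, obj.Ciphertext)
}
```

Because only the wrapped DEK travels with the object, VM migration, replication and backup copy nothing that is readable without the tenant's KEK, and a disclosure request has to come through the key holder.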

A final consideration is this reality: humans make mistakes. Amazon learned this lesson recently when it was discovered that users who misunderstood or misconfigured privacy settings had inadvertently exposed 126 billion files on its S3 cloud.

Simple errors by IT staff can accidentally leave data accessible to unauthorized users. Idaho State University is also painfully aware of this, having just paid the Department of Health and Human Services $400,000 to remediate when an administrator left a server firewall disabled, exposing the electronic protected health information (ePHI) of 17,500 people.

The good news in this perilous landscape is that encryption and good key management, when layered with other security technologies like firewalls and access controls, can go a long way toward mitigating these concerns. Look for solutions that are optimized to work in virtualized environments and can run transparently, without requiring changes to your applications or infrastructure.

Lastly, make sure that you choose a CSP that is willing to share the security burden with you. Most SLAs don’t even mention security, so you will definitely want to identify which elements they will maintain, and what you will be responsible for.


Bill Hackenberger is a 30+ year veteran of enterprise security and CEO of HighCloud Security, a software company specializing in addressing unique data privacy and encryption needs within private, hybrid and public clouds.