Comment: Tackling Data Protection Concerns on Public Cloud Services

One of the key questions CIOs and IT managers must ask themselves: How do you ensure separation of your data from other data stored in a multitenant cloud environment?
Mike Smart, SafeNet

Businesses looking to move their datacenters to the cloud are faced with significant security concerns around data governance, controlling access to critical applications and complying with security regulations across different geographies.

These challenges vary depending on the adopted cloud service model. However, embedding trust in the cloud requires a data-centric approach that addresses the main security issues and works to eliminate the vulnerabilities in the information lifecycle chain.

To achieve this, CIOs and IT managers need to make some important decisions about their cloud security strategy. For example: how do you ensure separation of your data from other data stored in a multitenant cloud environment? How do you separate your data from the cloud service provider's administration team? How do you address the security vulnerabilities of virtual storage and virtual machines, and control access to sensitive data and applications in the cloud? Another major concern for CIOs is limiting the damage from potential data breaches, preventing malicious use of applications, and preventing data misuse by privileged administrative users.

All of these issues can be addressed, entirely or in part, by data encryption. Encrypting valuable information gives it a cryptographic separation from the other data stored in the same cloud and from the system it resides on: whoever obtains the ciphertext without the key learns nothing from it. This is the most effective way to prevent data mingling and to minimize the potential damage from a data leak.

Encrypting only the virtual instance, however, is not sufficient to safeguard the data from being compromised. A more comprehensive approach is necessary to ensure data is protected at every stage: from the moment it is generated, through the virtual storage it rests in, to the processing layer where it is exchanged.

Continued security breaches at large commercial and government organizations clearly show that failing to secure data at every point in its lifecycle exposes a business to significant risk of data loss and reputational damage.

There is no excuse for organizations not to encrypt all virtual instances, as the solutions for this are already available and proven to work. Encrypting virtual machines and storage volumes in remote cloud locations is a great way to ensure data separation in a multitenant environment and to reduce the risk of data misuse by administrative users. Keep in mind that volume encryption protects data at rest: while the instance is running, the volume key is present in its memory, which is why the processing layer needs protecting as well.

Nonetheless, even encrypted data can be compromised if the encryption keys fall into the hands of cybercriminals. To reduce the risk of data misuse, organizations need to ensure that the encryption keys are stored in a safe location, preferably in a hardware-based repository outside the cloud server. This way a copy of the ciphertext, whether taken by an intruder or by a provider employee, cannot be read or misused without a separate compromise of the key store.

Another great advantage of hardware key storage combined with data encryption is that it allows you to move data anywhere in the cloud while retaining control over who can view it. This is achieved through an effective key release policy that ensures only authorized users and applications are granted access to the encryption keys. Such an approach places control of access to cloud-based data in the hands of the business and makes the data unreadable to law enforcement or any other third party that has not been granted access to the keys.
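The two preceding paragraphs describe the arrangement in the abstract: ciphertext in the cloud, keys in a hardware repository outside it, and a release policy deciding who may use them. The Go program below is an added example written for this page, not code from the article or from SafeNet, and shows that arrangement as envelope encryption. A hypothetical KeyCustodian type stands in for the external key store and holds the only copy of the key-encryption key (KEK); each record is encrypted under its own data-encryption key (DEK); the cloud stores only the ciphertext and the wrapped DEK; and ReleaseDEK is the policy check that decides whether a requesting principal gets the DEK back. All type and function names, the principal names (payroll-app, cloud-admin) and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyCustodian models the hardware-backed key store the article wants kept outside
// the cloud: it is the only component that ever holds the key-encryption key (KEK).
type KeyCustodian struct {
	kek     []byte          // AES-256 KEK, never exported
	allowed map[string]bool // key-release policy: principals that may unwrap DEKs
}

func NewKeyCustodian(principals []string) *KeyCustodian {
	c := &KeyCustodian{kek: randBytes(32), allowed: make(map[string]bool, len(principals))}
	for _, p := range principals {
		c.allowed[p] = true
	}
	return c
}

// wrapAAD is authenticated with every wrapped DEK so it cannot be swapped for other KEK ciphertext.
var wrapAAD = []byte("dek-wrap-v1")

// WrapDEK encrypts a data-encryption key under the KEK; the result is safe to store in the cloud.
func (c *KeyCustodian) WrapDEK(dek []byte) []byte { return gcmSeal(c.kek, dek, wrapAAD) }

// ReleaseDEK is the key-release decision point: a principal not on the allow list (a provider admin, say) gets an error, never key material.
func (c *KeyCustodian) ReleaseDEK(principal string, wrapped []byte) ([]byte, error) {
	if !c.allowed[principal] {
		return nil, fmt.Errorf("key release denied for principal %q", principal)
	}
	return gcmOpen(c.kek, wrapped, wrapAAD)
}

// CloudObject is all the provider stores per record: ciphertext plus a DEK wrapped under a KEK it lacks.
type CloudObject struct{ WrappedDEK, Ciphertext []byte }

// EncryptForCloud encrypts under a fresh per-object DEK and has the custodian wrap that DEK.
func EncryptForCloud(c *KeyCustodian, plaintext []byte) CloudObject {
	dek := randBytes(32)
	return CloudObject{WrappedDEK: c.WrapDEK(dek), Ciphertext: gcmSeal(dek, plaintext, nil)}
}

// DecryptFromCloud asks the custodian to release the DEK for principal and decrypts only if policy allows.
func DecryptFromCloud(c *KeyCustodian, principal string, obj CloudObject) ([]byte, error) {
	dek, err := c.ReleaseDEK(principal, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, obj.Ciphertext, nil)
}

// mustGCM builds an AES-GCM instance; the only failure is a wrong key length, which would be a bug here.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// randBytes draws n bytes from crypto/rand; without secure randomness there is nothing safe to do but stop.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmSeal encrypts with AES-GCM and prefixes the random 96-bit nonce to the output.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext or tag is rejected.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

func main() {
	custodian := NewKeyCustodian([]string{"payroll-app"})
	obj := EncryptForCloud(custodian, []byte("employee 4711: salary band C")) // constructed sample record
	pt, err := DecryptFromCloud(custodian, "payroll-app", obj)                // the authorized application reads its data
	_, adminErr := DecryptFromCloud(custodian, "cloud-admin", obj)            // a provider admin holding the same object cannot
	fmt.Printf("payroll-app: %q (err=%v)\ncloud-admin: %v\n", pt, err, adminErr)
}
```

Run it with go run: the authorized application recovers the record, while the provider administrator, who holds exactly the same stored object, is refused key release and never sees the DEK. A tampered ciphertext or wrapped DEK fails GCM authentication rather than decrypting to garbage, and a custodian with a different KEK cannot unwrap the DEK even with a permissive allow list. Moving from this model to real key custody means replacing KeyCustodian with calls to an HSM or external key manager, whose key-release policy takes the place of the allow list; the data path through the cloud does not change.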

Additional control and visibility can be achieved through a centralized authentication policy that allows CIOs to ensure that only the right people, resources and applications are accessing critical information. However, organizations often have to rely on third-party vendors to manage their authentication solutions, which complicates the process and limits their control over data access management.

By putting authentication management in the hands of businesses, rather than third-party vendors, CIOs will be able to reduce IT costs and customize authentication solutions to specific risk levels and use cases without unnecessary complications for customers and IT staff.

Such an approach will also ease the implementation of consistent compliance management policies in the cloud. This is particularly important because cloud-based data is subject to a complex regulatory ecosystem that varies depending on geography and industry sectors.

By using end-to-end encryption, strong authentication and a centralized key management policy, businesses can ensure they are applying the best security practices across their organization. This leaves little room for non-compliance with security standards and regulations and ensures that all valuable data is protected, wherever it resides.

As a product and solutions director, Mike Smart is responsible for driving SafeNet’s data protection business across EMEA. He has a history of introducing new technologies and solutions to the market and was at the forefront of driving awareness in areas such as cloud security solutions, information leakage detection and prevention, and unified threat management.

Prior to SafeNet, Smart worked at security and infrastructure companies such as McAfee, where he led the development of messaging for the Global Threat Intelligence offering as well as for Enterprise Security. He also held roles at Novell, SonicWALL and CodeGreen.
