According to recent Business Technographics data, half of US enterprise technology management professionals report that there is 1.) no way to gain a single view of status and availability across their portfolio of cloud services, 2.) that they don’t have a clear way to assess the risk of using a third-party public as-a-service offering, and/or 3.) that they have no way to manage how providers handle their data.
An interesting debate is ensuing regarding how to best protect cloud data, given the market landscape. So far two modalities are emerging:
·A. Inserting in-line encryption between the enterprise and the SaaS provider that encrypts and/or tokenizes all data before it goes to the cloud to ensure safety interoperating within public cloud systems.
·B. The human-firewall model, in which IT closely monitors activity with context/content analytics and anomaly detection tools.
The truth lies somewhere between the two. By carefully applying Forrester’s data security and control framework, clients should incrementally encrypt data deemed sensitive to compliance or regulation, such as credit card and Social Security numbers, and closely monitor all activity across users and cloud applications.
Yesterday, WikiLeaksreleased emails taken in the highly-publicized Stratfordata breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator; others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely is illumined in real life. For example, one email suggests that Stratfor is working on behalf of Coca-Cola to uncover information to determine if PETA was planning on disrupting the 2010 Vancouver Olympic Games.
As much as the cloud computing model makes sense to me, my security sensibilities cry out about information risk every time I start to consider actual implementation for data of value across an enterprise.
A model which has always made sense has been to place only encrypted data in the cloud, holding the keys locally. This solution gives you control over data access, bypassing any Patriot Act concerns, but allows realization of the benefits of a shared, cloud infrastructure. It has always been recognized, however, that this solution has a number of drawbacks, such as:
The immense corporate sensitivity of the encryption keys utilised. These keys become essential to doing business. If they are corrupted, lost or held hostage by hacktivists, for example, then the organization stops dead in the water.
The difficulty of creating indexes, searching and applying transactions across encrypted data stores. If the concept is to keep the keys away from the cloud environment then actions such as indexing, searching or running database functions become very challenging.