Whether you’re a business with sensitive data that requires organization or an individual with an affinity for programs like iCloud and Dropbox, avoiding “the cloud” seems nearly impossible these days. But using the cloud, a remote, web-based data storage system, comes with just as many risks as it does benefits.
“You see it on the news every day: constant attacks on people’s networks and information systems,” says Lonny Anderson, chief information officer of the National Security Agency (NSA).
Anderson and his team at the NSA, the intelligence agency responsible for securing data for the U.S. Department of Defense and its other government agencies and allies, say cloud security systems may raise concerns. After all, the No. 1 question their team gets about the system centers on whether the cloud is even safe.
Looking for industry-specific certification labels, such as those from the Cloud Security Alliance, can help determine whether a given cloud system is effective, but taking a few additional simple steps can help minimize potential hacking, phishing, and the like within the model.
“We actually think that moving to the cloud will be able to add and increase security compared to what we have today,” Anderson says. “We’re moving away from a system-centric architecture to a data-centric architecture.”
Work with your provider
Neal Ziring, technical director of information assurance for the NSA, pointed out that making one’s security needs clear at the outset of a cloud computing contract is essential. Knowing who’s responsible for what, especially in the event of a hack, is equally important.
Breaking things down into two buckets — what you expect the cloud provider to do and what you still expect to do for yourself, and putting that in writing — may be the simplest way to go about dividing responsibility.
“Certain things you have to trust them for so that if a problem occurs, it can’t automatically propagate across a boundary. In the Department of Defense, we’re thinking seriously about that — how can we have a nice clean point or zone of control from what we choose to keep inside the department, and what do we choose to put on a cloud service?” Ziring says.
Anderson puts it simply: “Find a provider that can meet your needs. The proof is in the pudding, if you will.”
In a cloud environment, being explicit about the rules that apply to data can also help ensure safety, says David Hurry, a cloud strategist for the NSA. Tagging data so that it is placed in a certain rack offers one way to keep information organized.
“In this model, it’s about making sure that those rules are applied in a way that we can use each piece of data in the way that it’s intended,” Hurry says.
Adopting a cloud security model can change the way businesses operate. Namely, it means recognizing that in a cloud system, organizing items based not only on their physical nature but also on their function is crucial.
“In a cloud, you have to use other mechanisms to separate [data],” Ziring says.
Review your contract
What information gets logged and what doesn’t? How long is information retained? Who gets to share and see what data, including passwords? What protection is in place, and how is the person controlling that data being monitored? Those are just a handful of the questions that should be answered in a cloud security contract. Having a crisis control plan of sorts for when a data breach may occur, and ensuring that notifications are made in a preset manner, is another area to consider, Anderson says.
Know also how data is pulled and purged from stores, and whether that can be done partially as well as fully, Hurry notes. In addition, look for the term “lock in” in cloud security contracts. Sometimes, in the event of switching providers, the first provider may charge a fee to regain your data, but that shouldn’t be the case, Ziring says.
“For individual cloud users, most critical is practicing good security hygiene on the systems under your control and the cloud services you employ,” Ziring says. “Very few will protect you from your own mistakes.”
Using a cloud storage service only for what it’s intended is an easy way to do so: if it’s a service for file-sharing with friends, like Dropbox, don’t share sensitive financial information.
Encrypting data, and knowing what type of encryption system is being used, may be the future of cloud security, experts say.
However, “If [data is] encrypted but anyone can access it, it’s not protected,” Ziring says. “How are they erased, what are the access control strategies, and who are the key managers? Under what circumstances does data get decrypted? There’s more to protecting data than keeping it confidential: You have to make sure it hasn’t been altered.”
Hurry adds that encryption is only part of the larger security model that individuals and companies can use. “[Encryption] alone won’t be sufficient,” he says. “It offers strength, but it’s how you use it and where you put it and manage it that matters.”