With all the high-profile data breaches in the headlines over the last couple years, many people wonder if they can trust their data if it lives in the cloud. Of course, anytime you use an Internet or Phone based app, data is accessed from Cloud infrastructure. The conversation of data security in the cloud explains how the actual web or mobile app provider is accountable for the data protection, regardless of the Cloud platform.
The burden of protection and accountability is assumed by the software architecture team within the company that builds and manages critical data. To ensure a high level of accountability, there are many regulatory measures that must be implemented within the IT operation. The main framework is known as the CIA Triad - where data must maintain a specific level of Confidentiality, Integrity and Availability. This blog highlights some of the practices companies leverage to maintain these measures.
A common misconception in Cloud computing is that data is not secure when hosted on 3rd party hardware. While there have been numerous stories in the headlines exposing data breaches, the truth is that Cloud computing can be even more secure as opposed to when you host it in your own environment. Regardless of the hardware and Cloud infrastructure, the software that a company delivers must maintain validated checks and balances to prove that data is safe.
Keeping Cloud Computing Confidential
Encryption is the means for which data privacy is protected and insured, modern encryption technologies are very mature. Vendors that provide cloud storage have security measures built into the platform that help protect the data. One example of this is having encryption on the data “at rest,” something a traditional file system would not have without additional software. This means that data in encrypted, while sitting on a server, and no one in the outside world can make heads or tails from it.
When using Cloud apps, in theory, your data should be protected from unauthorized access. This is because the online software provider uses encrypted data and enforces security controls over the infrastructure. There may also be situations where you want to make data available to certain personnel under certain circumstances – providers must be able to do this securely. In the business world, all Cloud providers are subject to the compliance regulations that are dictated by their customers. If they enter into an agreement, they must able to validate that secure measures are followed, and all breaches or losses must be disclosed.
Data breaches inevitably result in diminished trust by customers. In one of the largest breaches of payment card data ever, cyber-criminals stole over 40 million customer credit and debit card numbers from Target. The breach led customers to stray away from Target stores and led to a loss of business for the company, which ultimately impacted the company’s revenue. It is important to note that Target was collecting their customer's data and storing it within their own environments. They were not able to uncover the vulnerabilities that led to the breach.
When companies scale their environment to the size of an enterprise like Target (or other high profile breaches), they must have a solid foundation with layers of management and software. A critical cyber security operation should be managed 24x7x365 with human eyeballs and have data coming from as many points as possible.
Maintaining Data Integrity in the Cloud
Data integrity can be defined as protecting data from unauthorized modification or deletion. An example of this is easily understood if you think about online banking. If specific administrators have access to bank accounts, how are they held accountable and protect the bank from illegal changes? There must be a system of permissions and logs that can demonstrate that there is no inappropriate access to customer data.
With cloud computing, there are large amounts of data, coming from many sources. A Cloud system will deliver the access in its base form, but it is up to the cloud app developer to define means of access. Authorization is crucial in assuring that only specific entities can interact with data and that there are ways of producing the proof. In a cloud environment, data integrity must be maintained at all times to avoid any inherent data loss.
Ensuring Data Availability and Cloud Access
Cloud and Infrastructure engineers always plan for inevitable network failures and downtime. There are several architectural concepts that must be takes to insure that data is highly available in a Cloud infrastructure.
Data availability is a term used by some computer storage manufacturers and storage service providers (SSPs) to describe products and services that ensure that data continues to be available, at a required level of performance, in situations ranging from normal to disastrous. Within a Server or Storage Network, architects must build out the storage component with redundancy. Often, they will build in twice the number of drives that would ever be used to make sure there is always 2X the level of availability in case there are failures.
Now with the advent of Public Cloud providers like AWS, subscribers can dictate what region(s) data is stored in. To increase availability data can replicated or backed up across various availability zones and geographic regions. This is important because it not only helps with compliance but also increases response time/latency on a global scale.
A Cloud platform is a tool that software developers can use to make their product better. Right out of the box, Public Cloud providers like Microsoft (99.9% availability) and AWS (99.99% availability) deliver availability SLAs (Service Level Agreements) for stored objects. If a web application provider must deliver a better SLA to their clients, it is up to them to engineer redundant/fault tolerant networks to back up, replicate and maintain copies of customer data.
When selecting a Cloud partner, it is important to know where your baseline SLA is so that you can build off it. Businesses must pay close attention to these SLA definitions because they will share the burden of downtime if there is a loss of data from a cloud provider. For the typical consumer, SLAs are as big of a concern because the app is usually free. Consumers must trust that the technology provider is taking these measures and ensuring that your data is safe.
Air-Tight Security Controls for Cloud Computing Services
Access control is a security technique that regulates who or what can view or use resources in a computing environment. Companies that run online applications must comply with regulatory requirements and define access controls in accordance with their verticals. Practices must be validated with regularly security checks, measures and audits.
When running a complaint (secure) Cloud operation, specific measures and practices must be defined on how you manage your infrastructure - this is known as change management. These reports must outline even the most minute of details such as: defining the specific steps to be taken when making changes on a firewall.
Most employee-related incidents are not malicious however, your greatest threat could be inside your walls. According to the Ponemon Institute’s 2016 Cost of Insider Threats Study, 598 of the 874 insider related incidents in 2016 were caused by careless employees or contractors. It also found 85 incidents due to imposters stealing credentials and 191 were by malicious employees and criminals.
To fight off internal threats, compliant employers must manage their networks responsibly by enforcing company policies that mitigate threats. For example, they should require intricate passwords and automatically ask for changes every 1-3 months. 2 Factor Authentication can also be implemented to validate every log-in and stop brute force bots. On a larger scale, the network administrators must have strong visibility with analytical data to see complex, distributed networks (on Cloud Servers and Cloud Storage). They must install, configure and operate sophisticated software that continuously scans the network looking for vulnerabilities, abnormal activity and the movement of large quantities of data.
Industry Compliance for Cloud Infrastructure
Compliance is dictating much of the required security measures and it is becoming more and more sophisticated. Anyone holding European data must follow the guidelines of the recently enforced GDPR (Global Data Protection Regulation) and California has also implemented their own version called CCPA (California Consumer Privacy Act). HIPAA, HITRUST, SOX, PCI, NIST etc. are all defined regulatory compliance measures that specifically cater to verticals such as Medical Records, Financial Data etc.
The definition of compliance is either a state of being in accordance with established guidelines or specifications or the process of becoming so. The definition of compliance can also encompass efforts to ensure that organizations are abiding by both industry regulations and government legislation. This allows companies the freedom to grow as long as they can demonstrate that they are defining policies and improving their security practices along that path. The market generally pushes this agenda as it becomes more challenging to sell a product against competition if your product is not verifiably complaint.
A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines. Audit reports evaluate the strength and thoroughness of compliance preparations, security policies, user access controls, and risk management procedures over the course of a compliance audit. These reports need to be validated and run by a third party that specializes in cyber security and general IT practices.
Mindcentric is a technology company in San Diego California that helps companies secure and manage critical infrastructure while complying with regulatory requirements. We work with in house data centers, provide our own computing infrastructure and leverage public Clouds. When working with our Clients, we engineer fully secure and compliant operations. Our team of industry experts have been helping customers with sophisticated needs for 20 years.