Securing data in the cloud
Cloud technologies have changed the way data is accessed and managed. In all cases the data remains the responsibility of the organisation that owns it, whoever hosts it. When consuming cloud resources, each stage of the data life cycle (Create, Store, Use, Share, Archive, Destroy) should be considered; for example, destroying data is no longer possible in the traditional sense of pulling the hard drive and drilling a few holes through it.
In all of the cloud service models (Infrastructure, Platform or Software as a Service) there are underlying shared components, such as network, compute and storage. These are managed by the Cloud Service Provider (CSP), and you rely on the CSP to provide the necessary isolation between tenants. The CSP may not be able to tell you which physical drive your data sits on, but it should have security controls in place to ensure the data remains accessible only to the organisation it belongs to.
Reputable CSPs will have a vast array of security standards and processes in place; some, for example, will only use Tier 4 datacentre facilities, and only use hardware that has been evaluated against specific criteria (e.g. a Common Criteria EAL rating). They are also likely to have gone through accreditation for e.g. ISO 27001:2013, SOC 2, PCI DSS, G-Cloud etc. Bear in mind that such a certificate attests to the CSP's own processes, not to how you configure and operate the services you build on top of them.
With the CSP providing a high degree of data isolation, what more can you do to ensure that a breach of the CSP does not become a breach of the organisation? However unlikely this may sound, the same risks that existed on premises also exist in the cloud. The only real difference is the likelihood of each risk being realised, and who is in a position to detect and contain it when it is.
You could consider the following, to help secure your data further:-
Use strong Identity Access Management (IAM)
Integrating solutions like single sign-on (SSO) and having a centralised identity repository will allow you not only to ensure the right people have access as needed (and that access is revoked promptly when they leave or change role), but also give you extensive auditing capabilities across every cloud service tied to that identity.
Encrypting data using keys that are owned and managed by the organisation
This ensures that only those with access to the key, or to the application that holds it, will be able to see the data. With the organisation owning and maintaining the key, not even the CSP can read the data. Note that this holds only if encryption happens before the data reaches the CSP (client-side encryption, or a KMS/HSM under the organisation's control); if you hand the key to a CSP-managed key service so it can encrypt on your behalf, the CSP necessarily has the key material while it is in use, and you are back to trusting its controls.
Using multi-factor authentication (MFA) for particularly sensitive information
This should also be applied to the management portals and APIs that allow privileged operations, such as creating virtual machines, changing access policies or deleting data, since those credentials can undo every other control listed here.
Implementing Digital Rights Management (DRM) to control how data can be used
DRM allows for granular permissions on data, such as blocking copying, pasting, printing and downloading, and can even expire access to files after a set time. It only constrains compliant clients, so treat it as a control against casual misuse rather than a determined insider with a camera.
When deleting data, use crypto-shredding techniques where possible, or seek assurances about the CSP's secure data disposal processes.
As the hard drive is not physically available to destroy, crypto-shredding (destroying the key under which the data was encrypted) renders the data unusable even if the physical drive, or a snapshot or backup of it, were later recovered in a working state. This only works if the data was encrypted under a key you control from the outset, and the key must be destroyed in every copy of the key store, including its backups.
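As an added illustration of the two points above (keys owned and managed by the organisation, and crypto-shredding at the Destroy stage), not code from the original article: a small envelope-encryption scheme in Go. The KeyStore stands in for an organisation-controlled KMS or HSM, and the key IDs and the payroll string are constructed for the example. The CSP would store only the Envelope; destroying the key-encryption key makes every envelope wrapped under it permanently unreadable, however many copies of the ciphertext the provider still holds.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is all the cloud provider stores; nothing in it is readable without the KeyStore.
type Envelope struct {
	KeyID      string // organisation-held key-encryption key (KEK) that wrapped the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// KeyStore stands in for the organisation's own KMS or HSM; key bytes never leave it.
type KeyStore struct{ keks map[string][]byte }

func NewKeyStore() *KeyStore               { return &KeyStore{keks: map[string][]byte{}} }
func (ks *KeyStore) Generate(keyID string) { ks.keks[keyID] = randBytes(32) }

// CryptoShred zeroes and drops a KEK: every object wrapped under it is now unrecoverable.
func (ks *KeyStore) CryptoShred(keyID string) {
	for i := range ks.keks[keyID] {
		ks.keks[keyID][i] = 0
	}
	delete(ks.keks, keyID)
}

// randBytes panics if the OS CSPRNG fails: there is no safe way to carry on.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal is AES-256-GCM with a fresh 96-bit nonce prepended to the output.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; the GCM tag makes tampering or a wrong key fail closed.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated blob (%v)", err)
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt runs on the organisation's side before upload: a fresh DEK per object, wrapped
// under the KEK with the key ID as associated data so an envelope cannot be re-labelled.
func Encrypt(ks *KeyStore, keyID string, plaintext []byte) (Envelope, error) {
	dek := randBytes(32)
	wrapped, err := gcmSeal(ks.keks[keyID], dek, []byte(keyID)) // nil KEK => error
	if err != nil {
		return Envelope{}, fmt.Errorf("wrap under %s: %w", keyID, err)
	}
	ct, err := gcmSeal(dek, plaintext, []byte(keyID))
	return Envelope{KeyID: keyID, WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt also runs on the organisation's side; once the KEK is shredded the envelope
// is permanently unreadable, which is the Destroy stage achieved without touching a disk.
func Decrypt(ks *KeyStore, env Envelope) ([]byte, error) {
	kek, ok := ks.keks[env.KeyID]
	if !ok {
		return nil, fmt.Errorf("key %s destroyed or unknown: data unrecoverable", env.KeyID)
	}
	dek, err := gcmOpen(kek, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte(env.KeyID))
}

func main() {
	ks := NewKeyStore()
	ks.Generate("hr-records") // hypothetical key ID
	env, _ := Encrypt(ks, "hr-records", []byte("constructed sample: Q3 payroll"))
	pt, _ := Decrypt(ks, env)
	ks.CryptoShred("hr-records")
	_, err := Decrypt(ks, env)
	fmt.Printf("before shred: %s\nafter shred: %v\n", pt, err)
}
```

The pattern (a per-object data key, wrapped under an organisation-held key, with the key ID bound as associated data) is what providers call envelope encryption; a fresh DEK per object also keeps the number of GCM nonces used under any one key small. The decisive property is where Generate and CryptoShred run: if the KeyStore is the CSP's own key service, the CSP can read the data and you are relying on its deletion process rather than on the mathematics.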
I hope you found this article informative, as usual any feedback is appreciated.
Abhishek