Part of our series on Cloud Privacy & Protection
Following our first article on managing data locally vs. in the Cloud, we will address the biggest concern for many organizations: What is the weakest link in cloud privacy and security?
While this article summarizes the main ways data security is handled in the Cloud, you can get a very in-depth understanding of the topic from MS Azure and AWS (see the end of the article for helpful cloud information from the MS Azure and AWS websites).
Identity and Access Management in the Cloud
In the Cloud, granting users access to a system is reliable and simpler because reputable cloud providers (e.g., MS Azure or AWS) support a single point of entry or “gate” with a federated identity server out of the box. Through the identity server, users can verify their identity using one or more methods of authentication. There are three common methods:
- Something you know (e.g., username/password)
- Something you have (e.g., cell phone)
- Something physical about you (e.g., thumbprint)
Furthermore, the nature of the Cloud’s infrastructure gives organizations granular control of user or group access to data stored in the Cloud, ensuring that organizations can implement checks and balances in their access levels as a standard procedure. A security administrator may be able to control access to the specific capabilities that a user has per system or application in the entire organization. The single responsibility of a cybersecurity team in an organization reduces the likelihood that accounts are left active after an employee leaves the company, changes roles, or no longer requires access to a certain system.
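The three cases named above (an employee leaves, changes roles, or no longer needs access) can be checked by reconciling the identity server's account list against the HR roster. This is an added example, not code from the article or from any cloud provider. The field names, group names, the 90-day idle threshold and the sample records are all constructed for illustration.

```javascript
// Added example: hypothetical record shapes, constructed sample data.
const DAY_MS = 24 * 60 * 60 * 1000;

// Flag enabled accounts that no longer match the HR roster.
function reviewAccounts(accounts, roster, now, maxIdleDays = 90) {
  const byId = new Map(roster.map((p) => [p.employeeId, p]));
  const findings = [];
  for (const acct of accounts) {
    if (!acct.enabled) continue; // already disabled, nothing to flag
    const person = byId.get(acct.employeeId);
    // Case 1: the employee left (or was never on the roster).
    if (!person || person.status === 'terminated') {
      findings.push({ user: acct.user, reason: 'active account, no current employee' });
      continue;
    }
    // Case 2: role changed, but old group memberships remain.
    const extra = acct.groups.filter((g) => !person.entitledGroups.includes(g));
    if (extra.length > 0) {
      findings.push({ user: acct.user, reason: `groups beyond current role: ${extra.join(', ')}` });
    }
    // Case 3: access is apparently no longer needed.
    const idleDays = Math.floor((now - Date.parse(acct.lastLogin)) / DAY_MS);
    if (idleDays > maxIdleDays) {
      findings.push({ user: acct.user, reason: `no login for ${idleDays} days` });
    }
  }
  return findings;
}

// Constructed HR roster and identity-server export.
const SAMPLE_ROSTER = [
  { employeeId: 'E1', status: 'active', entitledGroups: ['finance-read'] },
  { employeeId: 'E2', status: 'terminated', entitledGroups: [] },
  { employeeId: 'E3', status: 'active', entitledGroups: ['eng-deploy'] },
];
const SAMPLE_ACCOUNTS = [
  { user: 'asmith', employeeId: 'E1', enabled: true, groups: ['finance-read', 'hr-admin'], lastLogin: '2024-05-30T09:00:00Z' },
  { user: 'bjones', employeeId: 'E2', enabled: true, groups: ['eng-deploy'], lastLogin: '2024-05-01T09:00:00Z' },
  { user: 'clee', employeeId: 'E3', enabled: true, groups: ['eng-deploy'], lastLogin: '2024-01-01T00:00:00Z' },
  { user: 'svc-old', employeeId: 'E9', enabled: false, groups: [], lastLogin: '2023-01-01T00:00:00Z' },
];
```
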
While it is of course possible for an organization to manage identity authentication and access with data stored locally and per system, the Cloud automatically uses best practices through the framework and strategy it is built upon with infrastructure templates and formulas, whereas when managed by a local team, using best practices is entirely dependent on that team.
Nevertheless, due diligence and building trust with a Cloud Service Provider (CSP) is a step that should not be skipped. Good CSPs provide strong documentation and clear communication on the internal and external procedures and security measures they have put in place. Depending on the industry the Cloud is being used to support, there may be other standards that need to be adhered to. A few select international data security and privacy compliance examples are HIPAA (for medical systems), FedRAMP (for Government systems), and FINRA (for financial systems).
Security of Data in the Cloud
In the public or hybrid cloud, the actual servers are located anywhere the CSP has data centers. So, how secure is your data once it’s stored in such centers?
The physical security of a data center is stronger than your local bank. Some of these security measures include:
- A building surrounded by walls with barbed wire and 24/7 surveillance
- Security personnel
- No visitors allowed
- Biometric (fingerprint) locks on doors
Someone could break into a data center to try to wreak havoc or steal data, but while both are theoretically possible, they are highly unlikely and risky scenarios for someone wanting to steal data.
This leaves us with the question:
Why would it be difficult, if not impossible, to steal data from a center?
Here are three of the main reasons:
- Data managed by a CSP is not hosted in just one center, but many - in fact, it is a secret which centers host which data.
- Furthermore, a piece of data in the Cloud isn’t hosted and managed on a single server - instead that piece of data is broken up and stored in smaller parts across multiple centers, with each part additionally backed up. This means that even if someone managed to get access to one data center, they would only have access to parts of the data that would be useless on their own.
- The only way to get the entire piece of data back together again is through your authenticated identity (with most CSPs, through MFA).
We’ve described some of the security created through the physical safeguards of data in data centers, but the distributed system of data centers is a safeguard for a much more straightforward reason: if an accident or natural disaster causes failure at one center, other centers (and therefore data) are unaffected. Spreading data across multiple servers using Content Delivery Networks (CDNs) eliminates the possibility of a vulnerability risk, since the algorithms create geographically redundant backups of each piece of data and the metadata tells a system how to reassemble the data from the correct sources.
It should be clear that the physical security of data in the Cloud is robust. What about cybersecurity? Isn’t that the weakest link?
There are several security tools applied at the cybersecurity level by CSPs like MS Azure and AWS. These include:
The first three cybersecurity tools listed above all share a similar characteristic: the most up-to-date security and privacy tools and technology can be applied to the Cloud quickly and across the entire Cloud itself. Orchestration platforms such as Kubernetes are becoming exponentially popular to handle such broad and sweeping tasks, eliminating the inevitable risk of human error faced when an administrator is required to update hundreds of servers individually. Traditionally, prior to cloud efficiencies, updates to security and privacy tools were (and still are in many organizations) applied at each level of access in a piecemeal fashion (e.g., computer by computer). The administrators must be aware of the most up-to-date tools and implement them in a timely fashion. This requires dedicated resources and expertise. The links above can provide more detail on these security tools in addition to Kubernetes. Below, we will discuss the key element that makes any sort of cybersecurity possible: encryption.
Data managed in the Cloud is in one of two states: at rest or in motion. Data at rest is encrypted using a symmetric algorithm, meaning the same key is needed to encrypt and decrypt the data. A widely adopted symmetric encryption algorithm is AES-256, which is nearly (and statistically) impossible to break. No hacker, supercomputer, or evil mastermind will ever succeed at uncovering a message or a piece of data encrypted with AES-256. It would be much easier to convince a user to give up their password than it would be to directly break the encryption.
Likewise, data in motion follows SSL best practices and is as encrypted and secure as data at rest. Data in motion is protected using an asymmetric algorithm, meaning there is a public key used to encrypt the data and a private (secret) key used to decrypt the data. This means that anyone can encrypt the data, but only the intended recipient can decrypt the data. This eliminates the need to maintain secrecy of a single key from source to destination. The data is not readable until the information is unlocked by the intended recipient.
With the Cloud, as we mentioned above, the framework of privacy and security will remain current and trend toward the use of (or exclusively use) best practices, whereas with data stored locally on premises, privacy and security depend entirely on an organization’s resources and personnel.
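The two modes described above, shown with Node.js's built-in `crypto` module, as an added example that is not code from the article or from any cloud provider. It goes one step beyond the text: the public key here encrypts a one-time AES-256 key rather than the message itself, which is how the asymmetric and symmetric steps are usually combined. The function names and the sample message are constructed, and the choice of AES-256-GCM with RSA-OAEP is an assumption for illustration.

```javascript
// Added example (not the article's code); uses only Node.js built-in crypto.
const crypto = require('crypto');

// Data at rest: AES-256-GCM. The same 32-byte key encrypts and decrypts.
function encryptAtRest(key, plaintext) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message under a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null if the key is wrong or the data was altered.
function decryptAtRest(key, { iv, ct, tag }) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]);
  } catch {
    return null;
  }
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
// Data in motion: anyone holding the public key can seal a message.
function sealForRecipient(publicKey, message) {
  const dataKey = crypto.randomBytes(32); // one-time AES-256 key
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
  return { wrappedKey, box: encryptAtRest(dataKey, message) };
}

// Only the matching private key can open it; null on any failure.
function openAsRecipient(privateKey, { wrappedKey, box }) {
  try {
    const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey);
    return decryptAtRest(dataKey, box);
  } catch {
    return null;
  }
}

// Constructed demo: one message sealed for `recipient`, also tried by `outsider`.
function demo() {
  const recipient = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const outsider = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const sealed = sealForRecipient(recipient.publicKey, Buffer.from('patient record 17'));
  const intended = openAsRecipient(recipient.privateKey, sealed);
  const other = openAsRecipient(outsider.privateKey, sealed);
  return { intended: intended && intended.toString(), other };
}
```
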
Now that we have an overview of Cloud security, we have yet to answer that most important question, though we’ve hinted at the answer:
Question: What is the weakest link in cloud privacy and security?
As we shared above in the section on encryption, it’s much faster and easier for hackers to exploit humans than to exploit technology. The human in control of the keys is always the weakest link in the security stack. If hackers can obtain login information, it doesn’t matter if the data is in the Cloud or stored locally – it is no longer secure.
Ultimately this means that in order to have secure data, organizations must take the initiative to help associates learn how to protect both themselves and their organization from cyber threats.
MS Azure: https://azure.microsoft.com/en-us/