Trust is a significant problem for the still fledgling cloud services industry. While the benefits that can be realized by outsourcing costly data storage to managed service providers are readily apparent to most, lingering security concerns have left many organizations reluctant to take the leap of faith required to make the move to the cloud.
A recent survey of 387 attendees of two cloud security webinars conducted by database security provider GreenSQL found that more than 80% of respondents still have serious apprehensions about adequate security, regulatory compliance, and the loss of control over sensitive data that they may experience when migrating data to the cloud.
Lack of trust in the cloud
The GreenSQL study focused on one overarching question: “What is your main security concern when moving your database to the cloud?” Thirty-one percent of those surveyed indicated that they simply do not trust the level of security that is currently provided by cloud data storage services, and for good reason. The move to the cloud means having confidence in the ability of the service provider to maintain segmentation on vast network platforms which are simultaneously accessible to multiple clients.
“If your corporate systems were going to be used by another company you don't know and you had no idea of the purpose for which they are using your hardware, would you put security second?” asked GreenSQL CTO David Maman rhetorically. “The painful fact is that most of the time, as a cloud customer, you will be sharing the same hardware and network with others, which means that security must come first.”
The challenge faced by cloud storage providers is exemplified by the study’s finding that 22% of the respondents expressed ongoing concerns over the perceived loss of direct control over sensitive data once a database is placed in a cloud environment.
“The core of your business is the information you store - your customers' data and your company’s financial information. The majority of the time, that information is stored inside of a database. If information is the real currency of your business, then the database is the safe storing this currency. Therefore, you have to make sure cloud service providers use all possible protection measures available,” Maman said.
Maman also points out that although cloud service providers are managing and monitoring your data, the security of the database once it is in the cloud does not automatically become their sole responsibility. Organizations must maintain a proactive approach to safeguarding sensitive data through monitoring and the development of effective policies and procedures for access control to ensure the data remains secure.
“When you install your own database application or use a database-as-a-service such as Microsoft SQL Azure, you have to take control of your information, which means enforcing a database firewall,” Maman said. “You have to enforce separation of duties, you have to enforce database activity monitoring and you have to mask any sensitive information.”
Another question plaguing the cloud services industry is the issue of data backup mechanisms, and exactly how the information stored in the cloud is protected from being misappropriated or lost altogether. Can any organization really be sure that backups are being stored on a single tape or other media device designated specifically for them?
“Let me save you the trouble of overthinking, it's not,” Maman says. “Your back-up information is saved along with thousands of other customers’ data on whatever affordable backup media is available. Of course, you also can never be sure who is able to access this information and when.”
Vendors must instill trust
Rafal Los, senior security strategist at HP Software and noted cloud security expert, says that cloud-based data storage providers can increase trust in their services through continuous assurance measures such as active security monitoring, and by regularly issuing reports on the state and compliance with applicable regulations.
“Customers don’t just want a stale compliance report, a dashboard showing you keep up on patches, or with months-old penetration testing results, they want to know that your environment is healthy and secure right now,” Los said.
“System security is so closely tied in with system health the two must be integrated, such as with the HP OpsAnalytics platform, which provides real-time analysis of performance telemetry and comprehensive log analysis into a single suite – bringing us closer to being able to determine the presence of real-world attacks where there are no known patterns to detect – or ‘finding the unknowns’ as it is sometimes referred to,” Los continued.
Los says that security assurance means having more than just a compliance dashboard; it means understanding the comprehensive system status. To increase customer trust, vendors must go beyond merely claiming they are secure. They must prove they understand their dynamic environment, and that they can respond to deviations from normal operating patterns quickly to protect their customers’ data and their service’s integrity.
Customers must verify
Los advises organizations that are considering making the jump to the cloud to consider all the capabilities of a chosen provider, and determine whether their provider can give them real-time or near-real-time security assurances and compliance statuses.
“One key for customers moving databases to the cloud is not just having that sense of security, but also knowing that when security is tested it may likely fail, and it will fail because there is no absolute guarantee of security,” Los said.
He recommends that customers not simply look for vendors offering “secure” services, but instead seek out vendors who can demonstrate they can effectively and reliably detect problems, respond to them quickly, and restore services that are critical to the organization’s business functions.
“The ability to detect anomalies through system performance telemetry, coupled with real-time comprehensive log analysis and advanced security components, gives your vendor the ability to detect, respond and restore your service faster if and when it fails or is tested. As a customer don’t just go looking for vendors offering ‘secure,’ ask for vendors who know how to detect, respond and restore critical services,” Los said.
About the author:
Anthony M. Freed is an information security journalist and editor. You can find him tweeting about security topics on Twitter @anthonymfreed.