Cloud adoption prompts secure data management, access control issues

Managing information, providing strong access controls and setting up appropriate data destruction policies are a challenge, experts say.

Cloud computing options offer companies significant savings by eliminating the need for expensive hardware purchases and the additional staff required to maintain in-house data centers, but those benefits are tempered by the logistical nightmares of keeping track of sensitive information, ensuring secure access control, and dealing with data destruction.

A study released back in June by data management provider Varonis Systems revealed that 67% of senior management have little or no idea where their company’s data actually resides, and few have procedures in place to keep track of it once it is placed in the cloud. The New York-based firm distributed the survey to attendees at EMC World in 2012 and received responses from individuals from more than 400 companies.

The survey results supported a common theme: Many firms fail to undertake a comprehensive data assessment to know where data resides, said Alan Shimel, managing partner at The CISO Group. “Except in the case of those with strategic considerations, most companies don’t pay much attention to where their data is stored,” Shimel said.

In addition, company policies concerning which file sharing services are allowed and what is permissible to be placed in them are still coalescing, Shimel said.

"One shudders to think what is stored on services like Dropbox or Box. In the end though, these are just cloud growing pains," Shimel said. "Data ingress and egress, as well as data storage, are going to have to be better managed in a cloud world."

Ben Rothke, an information security manager for a worldwide hospitality firm, agrees with Shimel in noting that one of the major hurdles to managing data in the cloud is that many firms do not have up-to-date network diagrams and lack mapping of their data stores.

Previously, when Rothke was working as a Payment Card Industry Qualified Security Assessor at BT Global Services, he observed that most firms could more readily tell you how many laser toner cartridges they had locked in the storeroom than account for where their merchant data resided, creating the potential for compliance liabilities.

“Moving data to the cloud is like looking for a ninja, you know it is there but you can’t find it. The good news is that quality cloud providers have management tools that can be used to track data and files. But if a firm does not have a technical staff in place that is doing this already, it is unlikely they will magically be able to do it with an outsourced cloud solution,” Rothke said.

Secure access control and BYOD

The Varonis study also revealed that less than 10% of the companies surveyed currently have procedures in place to control access to data stored in the cloud, and only 23% acknowledged that they were in the process of developing access control policies.

Complicating secure access issues is the increasing popularity of Bring Your Own Device (BYOD) options, another strategy that offers an alternative to costly hardware outlays for companies that allow employees to use personal devices like smartphones and tablets for business activities. Over half of the respondents in the study said they would allow BYOD if secure access to the cloud did not inhibit employee collaboration and productivity.

“Adding BYOD to this mix makes it exponentially harder for IT management. Employees using their own devices, which have even less visibility for the IT department, creates more ways that confidential data can make its way out of the control of the organization,” Shimel said.

Data destruction in the cloud

Another important cloud computing issue, one that was not addressed in the Varonis study, is the complicated nature of effective data destruction measures, especially when the information is particularly sensitive or governed by regulatory compliance mandates.

“As for data destruction in the cloud, there are no easy answers. The best thing to do is ensure that all data is encrypted. But for organizations that won’t do that, data destruction is not an easy endeavor in the cloud,” Rothke said.

Rothke noted that security guidance from the Cloud Security Alliance (CSA) indicates that data destruction is extremely difficult in a multi-tenant environment, and the cloud provider should be using strong storage encryption that renders data unreadable when the storage is recycled, data is disposed of, or when accessed by any means outside of an authorized application, process, or entity.

Further guidance for the secure disposal of data in the cloud was provided by David Navetta, one of the partners at the Information Law Group, when he drafted the Cloud Customers’ Bill of Rights. “Article VII states that cloud service providers shall reveal their data destruction practices and develop destruction capabilities in order to allow their customers to implement their own programs,” Rothke said.

“Also, if the cloud provider touts their ability to destroy your data, require them to prove it. The challenge is that cloud data is often copied and replicated, so it is hard to know where it is and you must work very closely with the cloud provider to ensure that data destruction is complete,” advises Rothke.

In the end, adopting cloud computing does not absolve an organization of its responsibilities by making due diligence the sole task of the service provider, and careful attention to the design of service-level agreements (SLAs) can lessen the potential impact of these issues on an enterprise.

“The cold reality of outsourcing anything and especially the cloud is that if a firm does something poorly and hands it off to an outsourcer, odds are the outsourcing provider will inherit a bad process. If a firm has good processes in place and makes a business decision to move to the cloud, and creates SLAs and processes for the cloud provider to follow, then the move to the cloud will likely be successful,” Rothke said.

About the author:
Anthony M. Freed is an information security journalist and editor who has authored numerous feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. You can also find him tweeting about security topics on Twitter @anthonymfreed.
