WELLESLEY, Mass. -- Enterprise information security teams may fear the worst as their organizations implement cloud...
services, but according to an expert panel, security professionals shouldn't resist the change and should instead position themselves to manage cloud risk.
Speaking Thursday at the second-annual MassBay Community College Information Security Summit, panelist David Escalante, director of computer security and policy at Boston College (BC), shared a story highlighting the worst-case scenario of what can happen when security teams fail to position themselves as trusted advisors on cloud security management within their organizations.
Escalante said a department at his university independently moved data off premises to a cloud storage provider without seeking the security team's input. When a university employee left on bad terms, Escalante said the employee logged into the cloud database and deleted its contents.
The ease of backing up and restoring data is often touted as a selling point for cloud computing, but according to Escalante, without proper access controls, the data can be in jeopardy.
Worse yet, when BC sought to have its data restored, the cloud provider declined, citing that it couldn't roll back the database without destroying data belonging to other customers.
Jason Dieseldirector of systems engineering, Varonis
"They said 'no, you can stop paying us,'" said Escalante, noting that the provider was so ill-prepared for that scenario that it did not object to BC's termination of its contract. He also used the cautionary tale to the importance of the security team's input on service level agreements ensuring data backup and restoration.
Escalante's opinion of cloud services was soured by the incident, but he was hardly the only speaker to express security concerns with cloud computing.
Panelist Jason Diesel, director of systems engineering with New York-based data governance vendor Varonis Systems Inc., advised attendees that they should not move highly sensitive data -- either that which would be highly disruptive for an enterprise if it were leaked or stolen, or that is governed by compliance regulations like HIPAA and PCI DSS -- to a cloud environment.
Echoing the sentiments of other participants, Diesel said that the rising prominence of cloud storage providers like Dropbox and cloud-based business application services like Office 365 make it basically impossible for security teams to slow the growth of public cloud computing in enterprise settings.
"A lot of these big business applications and storage services are taking over because it's cheaper," said Diesel. "I think whether we like that or not, we're going to see [cloud services] more and more."
Moving to the cloud requires upfront legwork
To effectively manage cloud security risks, several panelists indicated that organizations should focus on ensuring the security and integrity of data and applications before they are ever moved to cloud environments.
Diesel advised attendees to take a methodical approach when thinking about the cloud, particularly in regards to compliance regulations. For example, most practitioners will be aware of HIPAA, PCI DSS and other national regulations, Diesel said, but state laws such as Massachusetts 201 CMR 17 also govern data security, regardless of where the data resides.
To avoid regulatory problems down the line, Diesel said security teams should encourage their enterprises to think carefully about how they hope to benefit from moving to the cloud and whether certain data is better kept in an on-premises environment.
"What data do you have? If you're going to move finance data, are you going to move all of finance?" Diesel said, noting that an organization should ask itself whether a company really wants to move data into the cloud, or if it actually just wants cloud-like behavior from an existing infrastructure.
Panelist Shane Zide, a cloud client executive with technology value-added reseller CDW, said that enterprises should review a cloud provider's security controls and policies before ever signing a contract to offload data and apps. Among the key questions that should be asked of a provider is whether and how it encrypts data -- including determining whether the provider or customer controls the encryption keys -- and what the provider does from a compliance perspective.
Perhaps most importantly, Zide advised attendees that they should absolutely get face time with representatives of cloud providers and request a visit to the provider's facilities.
"Can you go on site? If a cloud provider won't give that opportunity you should consider looking elsewhere," Zide said.
To weed out potential cloud security issues, Escalante said now cloud-based vendors trying to win BC's business must fill out a multi-page questionnaire, which asks providers what kind of encryption they apply and how they deal with data backup and recovery. Escalante also advised attendees to explore the management interfaces provided by a cloud vendor as he described many that he had used recently as "lousy."
Beyond asking its own questions, an enterprise should also request the results of the rigorous SSAE 16 SOC 2 report, which has been endorsed by the Cloud Security Alliance in the past as being a reasonable measure of a provider's security controls.
"There are lots of claims being made by these services," said Escalante. "And it's very difficult to validate those claims."
Security as a cloud selling point?
Despite the concerns, some panelists touted the potential security benefits of moving to the cloud.
For instance, one concerned audience member working for a small business said his company is migrating to Google Apps and asked the panelists whether he could trust Google to secure sensitive applications and data.
Noting that his company recently began selling a suite of Google Apps, Zide responded that Google is absolutely on par with other top cloud application providers from an encryption and security standpoint, and that small and medium-sized business that struggle to hire and keep qualified security professionals may benefit greatly from moving to the cloud, whether it is run by Google, Microsoft, Amazon or other big providers.
"People love to manage their own stuff and seeing the flashing lights," said Zide. "But on the flipside of that, the security at these cloud providers has been improving year over year."
It was exactly those improvements in security that helped win over Ed Freels, director of information systems for Worcester, Massachusetts-based convenience store chain Honey Farms Inc.
Freels said that Honey Farms began a transition to the cloud approximately six months ago that will result in the company running file servers through Microsoft's Office 365 service. Initially, Freels shared many of the same apprehensions as the panelists in the areas of data ownership and compliance regulations, particularly in regard to Massachusetts 201 CMR 17.
Freels too was concerned by recent public relations scrapes involving Google and its privacy policies, which ultimately led to the company's choice to stick with Microsoft's services.
Honey Farms actually considered sticking with on-premises storage -- the company was happy with the performance of its perimeter defenses, according to Freels -- but ultimately decided the benefits of the cloud outweighed any security concerns.
Moreover, from a disaster recovery standpoint, Freels said that the cloud beat on-premises options handily and -- alluding to Zide's point -- reduces the burden on the small business to bring in quality security pros, freeing up more time to focus on business needs.
"We'll maintain our defenses the best we know how," said Freels, "but the cloud really helps us focus more on our core competencies: selling gas and candy."