A cloud environment is ideally suited to store and analyze large amounts of data. If more storage space, CPU or memory resources are needed, cloud services can usually be upgraded and expanded with ease.
This situation is likely to occur because data tends to grow over time. This data could, for instance, be a sales database ingesting logs from an e-commerce platform. Usually, this data will be generated over time, inside the same cloud platform in which it is stored and analyzed. There might also be a feed of data originating from an external, on-premises system, uploaded in real-time or in scheduled batches.
But what if the data is too large to upload? Imagine a cloud migration and the need to upload many terabytes of historical logs onto the newly configured cloud environment. An upload would be too costly or would take too long. Also consider the need to obtain all that data from the cloud; for instance, because a customer is canceling their cloud service. What are the options, and how can a secure data transport be managed while adhering to the highest security standards?
Physical carrier shipping
Most cloud providers, such as Microsoft Azure and Amazon Web Services (AWS), are more than happy to assist with secure data transport. They offer an address where customers can ship their data on physical disks, and their staff then makes that data available to the customer (usually for a fee of around $100 per disk).
The providers are also able to send exported data to the customer on physical disks. The details of these services vary for each service provider. Google Cloud, for instance, requires the use of several third parties for the import and export of data. So far, there have been no issues.
The risks of moving data
For most organizations, data is or should be one of their most valuable assets. This might be the reason they decided to migrate to the cloud in the first place. What if these disks containing many terabytes of data go missing in transport on the way to or from the cloud provider? A 50 TB database of sales records including personally identifiable information and credit card information being unaccounted for is less than ideal.
Even though the disks might never end up with a malicious entity, the organization would need to assume that the data has been compromised. In most cases, this would be disastrous, and would impact a company's reputation, compliance with regulations and, of course, the bottom line.
Encryption in secure data transport
Encryption seems to be the most logical security tool to ensure secure data transport, but how would the cloud service provider decrypt the data and make it accessible again once the disks have been received? This is why cloud providers set some solid requirements for encryption, though the specifics vary by provider.
See Infosec Institute's accompanying article on the Secure Shipping of Physical Data Carriers to and from a Cloud Service Provider
Microsoft requires its customers to use the WAImportExport tool for the transfer to disk, and to encrypt that data using BitLocker. The decryption key is then placed inside an import CSV job file inside the Azure portal. This means the decryption key does not travel the same route as the physical disks; sending the key along with the disks would, of course, defeat the entire purpose of encryption.
Amazon requires the use of the AWS Import/Export Disk tool for data and the creation of a job inside their portal. That job needs to contain the decryption key. Like the Microsoft option, this ensures the disk and decryption key travel via different routes. For data exports, Amazon can either use hardware encryption and a PIN pad on the customer's supplied storage device or, if that is not available, the default option is the use of TrueCrypt.
A secure carrier
For secure data transport, Amazon supports the use of secure hard disks. These disks encrypt data on the fly with algorithms up to the AES-256 standard and work with a password or physical PIN pad mounted on the disk itself. There are many such devices available, but they can be very costly depending on their size. This is only an option for smaller amounts of data that are still too large to directly upload via the internet. Placing larger, standard disks containing encrypted data in a lockable container before transport might be a better solution.
Another option to consider is to use a secure courier service for the data transport. There are many providers of these services available, and the options range from businesses that only employ vetted staff, all the way up to the assignment of a dedicated door-to-door courier.
When planning to physically ship encrypted data internationally, it is very important to keep the current export and import regulations of the involved jurisdictions around cryptography in mind. Most of these regulations cover only the encryption tools, but some countries, such as China and Russia, prohibit the use of encrypted devices altogether. It is best to consult a legal expert on this issue.
There are many options to get data to and from a cloud service provider via a physical carrier and most are relatively straightforward. It is important to take this seriously, however. Not only could the loss or compromise of data during transport be devastating to an organization, but there are also many regulations in place that cover this type of transport and data handling. The issue is not so much around protecting the data from being compromised; it is about guaranteeing the data has not been compromised when it arrives at its destination.
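The two requirements above, that the key travels a different route than the disks and that the receiver can show the data arrived unaltered, can be combined in a keyed manifest check. This is an added example, not part of the original article or of any provider's import/export tooling; the manifest file name, the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib, hmac, json, secrets, tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"  # hypothetical name for the manifest shipped on the disk

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):  # stream, so large files never sit in memory
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (except the manifest) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}

def seal(root, key):
    """Sender: write the file list and its HMAC tag onto the disk."""
    body = json.dumps(snapshot(root), sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    (Path(root) / MANIFEST).write_text(json.dumps({"files": body, "tag": tag}))

def verify(root, key):
    """Receiver: return a list of problems; an empty list means nothing changed."""
    try:
        doc = json.loads((Path(root) / MANIFEST).read_text())
        body, tag = str(doc["files"]), str(doc["tag"])
    except (OSError, ValueError, KeyError, TypeError):
        return ["manifest missing or unreadable"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return ["manifest tag invalid"]  # forged manifest or wrong key
    shipped, found = json.loads(body), snapshot(root)
    problems = [f"missing: {n}" for n in shipped if n not in found]
    problems += [f"unexpected: {n}" for n in found if n not in shipped]
    problems += [f"modified: {n}" for n in shipped if n in found and shipped[n] != found[n]]
    return sorted(problems)

def demo():
    key = secrets.token_bytes(32)  # assumption: sent by a separate channel, never on the disk
    with tempfile.TemporaryDirectory() as disk:
        (Path(disk) / "sales-2016.enc").write_bytes(b"constructed ciphertext A")
        (Path(disk) / "sales-2017.enc").write_bytes(b"constructed ciphertext B")
        seal(disk, key)
        intact = verify(disk, key)
        (Path(disk) / "sales-2017.enc").write_bytes(b"altered in transit")
        return intact, verify(disk, key), verify(disk, secrets.token_bytes(32))
```

Because the tag depends on a key that never rides with the disks, someone who alters files in transit cannot also rewrite the manifest to match.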