Managing Cloud Data-Loss Risk in a ‘Cloud First’ World
By Alexander Getsin
Cloud adoption and services remain among the top trends and IT strategies, as does cybersecurity. As a result, enterprises, federal agencies and startups alike are adopting a “cloud first” policy in their IT spending and plans. It is imperative for them to do so if they are to compete effectively and provide adequate services to their markets. Yet, chief among these same companies’ concerns is the risk of data loss, particularly the loss of data confidentiality. That’s why it is increasingly important to understand the loss of data confidentiality risk and how to mitigate it.
To properly assess risk with a cloud adoption/implementation, and to design effective controls, it is critical to understand the unique nature of the cloud and associated risks. In this article, we consider public and hybrid cloud implementations, though private clouds are rising in popularity just as well.
The shared responsibility model by the Cloud Security Alliance (CSA) is a great resource to begin appreciating how security will be handled across an implementation with a cloud service provider. Security of the infrastructure and underlying technologies of the service in question lies with the provider, as well as compliance. The higher up the stack of cloud service model -- be it Infrastructure, platform or software -- the less responsibility lies with the consumer. For example, if one is to employ infrastructure and computing services to run virtual machines, then that person is still responsible for patching those machines. Not so in software as a service (SaaS), when your cloud providers would be responsible for patching whatever virtual fabric runs the software you employ.
Service and Deployment Models
A service considered may be SaaS, platform as a service (PaaS) or infrastructure as a service (IaaS). The ‘higher’ up the stack a service is (hardware, virtualization, operational system, software, etc.), the less security, infrastructure and administration a client will do. However, the higher up the stack, the greater the need to assess a cloud provider's security and client trust.
Certifications and attestation of compliance with standards such as the PCI, CSA STAR and more help to assure clients and regulators of security. That’s because industry standard controls will be validated by a relevant, independent third party.
Much of the value in cloud services is saving on administration and cost of ownership in general. This is a major reason businesses are attracted to cloud services: they can do more, faster and for less.
Such goals are achieved in part by promoting self-service for end users to deploy and manage their environments: developers/devops to spin up their machines; and program and project managers to employ their own environments/customer tenants. Such ease and availability of self-service functionality does have a downside: the rise of rogue IT or shadow IT. In these instances (and there are many!), the IT department and actual data owners are not even aware of such IT assets/data in the cloud. This frequently results when employees take it upon themselves to store company assets in a cloud-based service, such as using a personal Dropbox account to upload or download corporate files.
There is, however, a bright side. Yes, cloud services introduce data security risks, but they can mitigate others and even improve security overall. A cloud service provider invests in physical security, vulnerability and patch management, compliance with regulations and more beyond what a business customer can do on premise or using a standard hosting solution.
So, as you assess your cloud security risks, remember, there are cloud security opportunities too.
Cloud Data Loss Risk
Both internal and external threat actors want access to confidential data stored, processed or transmitted via cloud services. These risks may manifest as exposure of:
- Personal identifiable information of customers, corporate executives and staff
- Strategic business trade secrets, plans and even digital property or product
- Sensitive security and systems specs, credentials and logs
- Business documents, correspondence and/or information
A data breach carries sometimes severe consequences. In addition to regulatory compliance, there could be steep personal and legal ramifications for executives and stakeholders for failing to protect consumers’ private data. The business impact of a manifested cloud risk may include:
- Immediate loss of revenue and clients
- Loss of brand value
- Loss of competitive advantage
- Regulatory / lawsuit fines
- Legal and regulatory expenses such as defense cases and audits
A cybersecurity researcher from UpGuard found that as many as 4 million customers’ sensitive PII and financial data has been accessible online. Many victims were Wall Street Journal and Barron’s subscribers. The culprit appears to have been a misconfiguration of AWS s3 bucket access control (AWS authenticated) and insecure storage of sensitive data lead to sensitive customer PII and PCI information disclosure.
“The revelation of this cloud leak speaks to the sustained danger of process error as a cause of data insecurity, with improper security settings allowing the leakage of the sensitive information,” the UpGuard researcher, Dan O’Sullivan, said at the time.
Elsewhere, other organizations have suffered from cloud leaks this year, including a Verizon cloud leak, a World Wrestling Entertainment (WWE) database leak, a Republican contractor’s database of nearly every U.S. voter and Time Warner Cable subscriber data and others.
Managing the Risk
Though the cloud has unique properties, a standard risk management framework procedure is important to comprehensively and effectively manage cloud data loss risk. One such methodology many security practitioners are familiar with is from NIST. The following steps are standard and should be familiar to most information security professionals.
Following the NIST model in practice helps to ensure that data stays confidential. And although they are familiar and in many ways common sense, the ongoing publicity of data breaches tells us they aren’t always followed. That needs to change. While it is paramount to develop an understanding of cloud services and practice a standard methodology, the effectiveness relies on having the proper controls in place – administrative, preventative, corrective and more.
We are in the midst of a cloud era, in which organizations are eager to move data assets into the cloud first and then analyze the risk of such a move later. Therefore, we all must help to make everyone, including the executives with their “cloud first” approach understand those risks. Doing so will go a long way toward ensuring a peaceful and productive collaboration with whatever cloud service providers a company choose.
ALEXANDER GETSIN, CISSP, is a cyber and information security architect at CyberInt. He can be reached at firstname.lastname@example.org.