“If I told you I wanted to store all of your data in my data centers, wherever I choose to put it, and you would have no input or visibility into how I secured your data, would that seem like a good idea?”
The above is a quote from my book, Building a Comprehensive IT Security Program, regarding the cloud. Many people read this quote and think I am cloud-averse, which is simply not true. I am “put everything into the cloud without thinking it through, ignoring the consequences” averse, but I recognize the benefits the cloud can offer an organization. As the Chief Technology Officer at InteliSecure, I can say that we have embraced many cloud technologies. The key difference between our strategy and many strategies I have encountered is that we know exactly what information can go where in the cloud, and we have constructed mechanisms to enforce those rules. Therein lies the key to the ability to move sensitive information to the cloud with confidence. This blog post touches on the following:
- Misconceptions About the Cloud
- Defining the Cloud Security Problem and Why Cloud Security Programs are Necessary
- How Cloud Access Security Brokers/Cloud Security Gateways Can Help
Misconceptions About the Cloud
There are three very common misconceptions about the cloud that really skew people’s perceptions and often cause them to make poor decisions.
Misconception #1 – Transfer of Risk
There is the misconception among many that when they store data in the cloud, the risk associated with the loss or theft of that data is transferred to the cloud provider. This could not be any less true. Most cloud providers’ contracts limit their liability to a negligible amount with respect to the data you voluntarily store with them. Even if they didn’t, most of the time, the data you are concerned about actually belongs to someone else in the form of customer information such as Personally Identifiable Information (PII) or health information protected by the Health Insurance Portability and Accountability Act (HIPAA), financial information, or similar data. You have a duty to your customer to protect that information and you cannot reassign that accountability to a third party without each individual customer, as well as the third party, agreeing to that transfer of accountability. This is an important point. Using cloud applications is a way to outsource the IT functions necessary to house the information or serve an application, but it does not transfer the risk or responsibility associated with that information from you to your provider.
Misconception #2 – Data Regulations Do Not Apply to the Cloud
Many people assume that Data Protection Regulations do not apply to the cloud. This is not true. For example, if you are subject to a regulation that mandates you store your information only within the terrestrial borders of Germany and you contract with an international cloud service or storage provider, unless they have an offering that guarantees none of the data leaves Germany, you are not compliant. This is true even if the primary data centers reside in Germany, but the backups are housed in another country. Most cloud providers have failover capabilities and redundancy capabilities that make it very difficult for them to make such guarantees.
Misconception #3 – The Cloud is a Location with Rented Space
Far too many people think the cloud is a location and service providers rent space in it. This is not true. There is no cloud; it’s just someone else’s data center. In her article regarding the cloud, Mary Branscome bristles at this phrase, making the argument that the cloud is something very specific and is not simply “someone else’s computer” but a very complex offering with countless benefits to an organization beyond simply being the same thing you had on-premises now located somewhere else. Ms. Branscome makes very good points, but while the article talks about the benefits of the cloud from a business optimization standpoint, it doesn’t address the security implications of moving sensitive information to an environment beyond the owners’ sphere of influence. From my perspective as a security expert, it is someone else’s computer, in someone else’s data center, and I don’t have control over it. While that may seem trivial from Ms. Branscome’s perspective, as you can glean from the way she approaches the subject in her article, it presents major challenges from a security perspective. To be clear, these are all challenges we can solve, but we must be aware of them and account for them as part of our cloud strategy in order to secure things responsibly. In fact, the cloud itself isn’t good or bad in my opinion; it just is.
Note: I discuss the above with all due respect to Ms. Branscome. I do not know her, and her article was very well written and brought up good points. I am simply using her article as a way to compare and contrast an IT-centric point of view with a security-centric point of view with respect to the cloud.
If the cloud isn’t necessarily good or bad, why are we talking about it? The answer is that the cloud is different. There are different considerations that need to be addressed when we relinquish control over the environment. The information is being stored on shared infrastructure, and it is accessible from anywhere. Neither of those two important factors is relevant to a more traditional data center. This means that specific cloud protections must be applied. Some of those protections are familiar, in that we had similar protections on-premises that are now being purpose-built for the cloud. Data Loss Prevention technologies and Web Security Gateways are great examples of technologies whose principles are being applied to cloud security products. Some concepts need to be revisited or extended in order to provide the protections organizations need for their cloud environments. One example is encryption, which now also needs to be able to decrypt from anywhere, instead of managing keys only in the corporate environment, in order to truly enable users to reap the full benefits of cloud applications. Multi-factor authentication is another, which, in my opinion, is more important than ever when accessing resources on a shared infrastructure.
Why Should We Have a Cloud Security Strategy?
According to research conducted by Skyhigh Networks, the average user in an organization uses 36 cloud applications, including nine collaboration services, six file sharing services, and five content sharing services. Anecdotally, from my experience, it matters little whether the organization sanctions authorized cloud applications or not; users are accessing the cloud from work regardless. Further research from Skyhigh exposes the nature and type of information being shared in these cloud applications, which really highlights the problem. They have determined that 18.1% of all documents uploaded to the cloud contain sensitive information. That means roughly one out of every five documents stored on Box or Dropbox is sensitive.
In order to understand the scale of the above, it is estimated that Dropbox alone stores roughly 40 petabytes of information. If each document averages a megabyte, that means Dropbox contains roughly 43 trillion documents, of which roughly 7.75 trillion contain sensitive information. Please keep in mind that this is one service, of which there are countless others. The scope of this challenge is difficult to comprehend.
The numbers don’t get better in terms of this challenge diminishing either. Gartner estimates that companies that embrace the cloud grow almost 20% faster than companies who do not, meaning more companies will choose to embrace the cloud in the future to fuel growth. Few business leaders will pause and defer to security when presented with those numbers, but will more likely challenge security and IT leaders in the business to facilitate and secure this winning business strategy.
Simply put, if you are in the security space and you are not currently being challenged to secure information going to the cloud, two things are likely happening. First, users in your organization are storing sensitive information in the cloud without your knowledge. Second, you’re likely to be challenged with building a cloud strategy in the near future, either at your current employer or at your next one. You are not likely to be able to wait this trend out and ignore it. The cloud is not a passing fad. It will be with us for the foreseeable future, and we need to become comfortable with how to protect ourselves and our organizations on this new frontier. Fortunately for us, there are Cloud Access Security Brokers (CASB), also sometimes referred to as Cloud Security Gateways (CSG), that can help us.
What Is a CASB/CSG and How They Help
Put as simply as possible, a CASB/CSG is a cloud service designed to secure and broker access to other cloud services. There are three ways in which these services can work, and many offerings combine more than one approach:
- Forward Proxy works very similarly to on-prem Web Security Gateways. Traffic is redirected to the CASB/CSG either transparently, using port forwarding or application-aware capabilities at the network or firewall level, or explicitly, using browser settings, a PAC file, or an agent. Traffic is passed to the CASB/CSG, where it is inspected and logged before being forwarded to its intended destination. This approach can grant security and visibility for both sanctioned and unsanctioned applications.
- Reverse Proxy only works for applications that the organization owns. In this scenario, the request goes directly to the cloud service, but the cloud service is configured to return all requests to the CASB/CSG. These requests can be inspected before the session returns the information to the end user. The advantage of this approach is no configuration is necessary on the end-user device, since all of the configuration is done inside the cloud services themselves.
- API Driven approaches are similar to reverse proxy approaches in that the organization must own the application in order to deploy them. They work by using the Administrator account and directly hooking into the cloud application. As a result, they can do interesting things like scan data at rest and do visual tagging inside the cloud application interface. This is often the most expensive approach to develop and deploy.
All of these approaches have their strengths and weaknesses. Once the CASB/CSG has inserted itself into the session utilizing one or more of the aforementioned methods, there are four pillars that a CASB/CSG should address in order to be considered a fully featured product:
- Visibility: The ability to see who is using what cloud services inside of an environment
- Compliance: The ability to find and report on regulated information being stored in the cloud
- Data Security: The ability to perform content analytics and encryption among other data protection strategies like classification and rights management in order to protect sensitive information in the cloud
- Threat Protection: User and Entity Behavioral Analytics (UEBA) designed to detect and alert on malicious behavior with respect to cloud applications
Three Types of Information
In my opinion, when speaking of storing information in the cloud there are three, and only three, types of information that can exist in an environment. Every organization has at least two of the three, with the majority likely having all three:
- Public Information can be stored in the cloud with impunity. This is information that will cause no harm if publicly exposed, and no controls are necessary for this type of information.
- Sensitive Information is information that can be stored in the cloud, but should be protected in some way. The organization may decide this information needs to be encrypted prior to storage, rights management needs to be applied, etc.
- Restricted Information is information that cannot be stored in the cloud under any circumstances.
The names I’ve used can be replaced with names and categories of your choosing, but identifying these categories and which types of information fall into each is, in my view, a mandatory prerequisite to developing a data security strategy in the cloud. Without this identification, it is impossible to build data protection policies that enforce acceptable use of cloud applications.
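To make the three-category model concrete, here is an added example (my own illustration, not code from the book or from any CASB vendor) of the kind of policy a CASB/CSG’s data security pillar enforces at upload time. It classifies a document as public, sensitive, or restricted using constructed detection rules, then maps the classification and the destination cloud application to one of three actions: allow, encrypt before storage, or block. The rule set, the sanctioned-application list, and the choice that cardholder data is restricted while national ID numbers are merely sensitive are all assumptions for illustration; a real organization decides those mappings itself.

```python
import re
from enum import Enum

# Constructed rule set: which patterns imply which category.
# Real deployments would derive these from the organization's classification policy.


class Classification(Enum):
    PUBLIC = "public"          # safe to store anywhere
    SENSITIVE = "sensitive"    # may go to the cloud, but only with protection
    RESTRICTED = "restricted"  # must never leave the organization


class Action(Enum):
    ALLOW = "allow"
    ENCRYPT = "encrypt"  # encrypt client-side before the upload proceeds
    BLOCK = "block"


# Hypothetical list of cloud apps the organization sanctions (constructed names).
SANCTIONED_APPS = {"corp-box.example", "corp-drive.example"}

# 16-digit payment card number with optional spaces or dashes between groups.
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
# US-style national ID pattern (constructed example of a "sensitive" identifier).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Classification marking a user may have placed in the document itself.
MARKING_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out random 16-digit numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Classification:
    """Content analytics: return the highest-impact category the text matches."""
    for match in CARD_RE.findall(text):
        if luhn_valid(re.sub(r"\D", "", match)):
            return Classification.RESTRICTED  # assumption: cardholder data never goes to the cloud
    if SSN_RE.search(text) or MARKING_RE.search(text):
        return Classification.SENSITIVE
    return Classification.PUBLIC


def decide(classification: Classification, destination: str) -> Action:
    """Policy decision for an upload of data with the given classification to the given app."""
    if classification is Classification.RESTRICTED:
        return Action.BLOCK  # "cannot be stored in the cloud under any circumstances"
    if classification is Classification.SENSITIVE:
        # Protected storage is only possible where the organization controls the app.
        return Action.ENCRYPT if destination in SANCTIONED_APPS else Action.BLOCK
    return Action.ALLOW


def evaluate_upload(text: str, destination: str) -> tuple:
    """Full pipeline as a CASB would run it in-line: classify, then decide."""
    classification = classify(text)
    return classification, decide(classification, destination)


if __name__ == "__main__":
    # Constructed sample uploads; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        ("Quarterly newsletter draft", "random-share.example"),
        ("Employee record, SSN 123-45-6789", "corp-box.example"),
        ("Employee record, SSN 123-45-6789", "random-share.example"),
        ("Card on file: 4111 1111 1111 1111", "corp-box.example"),
        ("Invoice ref 1234 5678 9012 3456", "random-share.example"),
    ]
    for text, dest in samples:
        cls, action = evaluate_upload(text, dest)
        print(f"{dest:22} {cls.value:10} -> {action.value}: {text}")
```

The Luhn check is the part worth noting: without it, any 16-digit invoice or order number would trip the cardholder rule, and a policy that blocks too often gets switched off. The destination check is the other half of the model, since the same sensitive document is acceptable in a sanctioned app where encryption or rights management can be applied, but not in an unsanctioned one.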
Understanding what the cloud really is and the types of information that can be stored in the cloud is an important first step to securing your organization’s cloud presence.