The Missing Link in Cloud Security

November 16, 2018 at 4:16 pm by Heidi White

cloud-securityDefinition of Cloud Security from the Cloud Security Alliance (CSA):
Cloud security refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

Recently, there has been a hyper focus on cloud security — and with good reason. According to a report by McAfee titled “Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security,”cloud services are now a regular component of IT operations, utilized by more than 90% of organizations globally. In fact, 80% of all IT budgets are committed to cloud apps and solutions. Service companies have the highest adoption of public cloud platforms with engineering and government having the highest adoption of private clouds. Amazingly enough, this surge in cloud adoption is not equally met with security and trust with only 23% of organizations today trusting public clouds to keep their data secure. And yet, 62% of organizations reported storing personal customer information in public clouds.

cloud-data-securityThese statistics indicate that cloud security is lagging far behind cloud storage and adoption — similar to cell phone batteries. Cell phone technology continues to advance at an exponential rate while cell phone battery technology advancements are sluggish at best. As a result, cell phone battery life continues to be a major consumer issue regardless of the technological advancements made by cell phone manufacturers. What good is a beautiful, high resolution screen with lightning fast processor if the phone can’t handle the battery load? Likewise, cloud security threats have escalated alongside cloud data expansion due in large part to the sheer number of records now being stored. For example, the number of data breaches from 2014 to 2015 actually decreased, while the number of compromised records containing sensitive information more than doubled from 67 million to 159 million in the same time period. The decreased number of data breaches is indicative of the consolidation of cloud data storage providers, and yet the large increase in compromised records show that one data breach affects far more records today than it did just five years ago.

IT-asset-managementAs a result of the serious challenges presented by cloud data security, numerous methodologies have been recommended in an effort to combat the reputation degradation and astronomical cost associated with compromised data. Some of the more frequently utilized processes include user authentication, encryption of data both in transition and at rest, ongoing vulnerability testing, role-based access control (RBAC), intrusion detection and prevention technology, and staff training. In addition, the establishment and enforcement of cloud security policies is critical to the success of any data protection program. In researching cloud security, any number of articles and guides can be found that address the aforementioned strategies. An incredible amount of focus is placed on encryption, end point security, user controls, and conducting security audits. All of these strategies focus on protecting data from digital threats such as hackers and bots, which is of huge importance. However, a critical piece of security control is missing from most data security plans – an end-of-life policy.

circuit-boardCloud security providers who actually define an end-of-life strategy are rare, and a comprehensive program is even rarer still. Many providers erroneously think that erasing or overwriting a disk is sufficient, or more unsound thinking that a failed drive is precisely that – failed, and non-recoverable. Unfortunately, nothing could be further from the truth. Drives that were “erased” have shown up on eBay with sensitive information and overwritten and failed drives invariably contain original data that is fairly easy to recover. Criminals and thieves tend to be one step ahead of security and law enforcement initiatives, and cyber criminals are no exception.

Degaussing followed by crushing is one methodology for sanitizing hard drives that has been approved by the NSA.

Fortunately, many compliance regulations do address data end-of-life, which is why any cloud security provider should adhere to an appropriate regulation. Whether HIPAA, FACTA, FISMA, PCI DSS, or the most stringent NSA requirements, these compliance regulations are put in place to protect sensitive data and personally identifiable information from falling into the wrong hands whether through firewall vulnerabilities or data retrieval at drive end-of-life. In-house data destruction is the ideal way to securely manage drives at end-of-life; however, the method of data destruction varies greatly depending on volume, location, regulatory requirements, and operational procedures. There are many data destruction devices available from high security disintegrators capable of handling up to 500 drives per hour to enterprise specific, portable, and NSA listed solutions. There is simply no one-size-fits-all solution when it comes to data destruction; therefore, organizations looking to incorporate data destruction into their cloud security program should receive a thorough evaluation to determine which solutions best fits their need. One thing is for sure: no cloud security program is complete without addressing end-of-life destruction.

Many third-party providers offer drive end-of-life services, including degaussing and crushing as well as shredding. But while it is possible to outsource data disposal to third parties, it is NOT possible to outsource risk. Therefore, security-minded organizations must evolve towards a risk mitigation approach to data security that includes in-house data end-of-life destruction and disposal. By maintaining a proactive approach to security operations, companies and businesses can reduce the reputation degradation, frantic clean-up, and astronomical cost that typically comes with a reactive approach. Cloud security should not and cannot follow the path of the cell phone battery without disastrous consequences.