Multiple Perspectives on Security

Security Journal

Subscribe to Security Journal: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Security Journal: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Security Journal Authors: Elizabeth White, Yeshim Deniz, Pat Romanski, Maria C. Horton, Liz McMillan

Related Topics: Cloud Computing, Security Journal, Cloud Security Journal , Secure Cloud Computing, Big Data on Ulitzer

Article

Who’s Responsible for Protecting Data Stored in the Cloud?

Cloud is the natural evolution of the data center - but with it comes responsibility

With cloud comes the notion of liberation. Cloud is the natural evolution of the data center. It’s easy to deploy, infinitely scalable, and highly redundant. It is the shiny new

component inside the storage controller and is making it possible for an old dog to learn some very impressive new tricks. But with the cloud, comes responsibility.

An article recently appeared over at BusinessWeek explaining how many businesses now operate under the assumption that once their data is sent offsite they need not be concerned with protecting it. In a perfect world, this is how it should work. One of the main selling points of outsourcing infrastructure is the idea that there is now one less thing for IT to worry about. However, before any business can trust a third party to protect their invaluable corporate IP, some due diligence must be conducted.

The two areas businesses need to be concerned with are:

  1. Security and Encryption - Is my data protected from a malicious third party?
  2. Durability - What happens if I lose the local copy of my data? What if one or more of the cloud provider’s data centers are destroyed?

Security in Cloud StorageSecurity and Encryption
Not that one is more important than the other, but most of the focus tends to fall on the security and encryption category. No matter what a vendor says in their SLA, one of the more critical components of “protecting data” has to do with how the keys are handled. Do you generate your own key? Who controls it? Does data remain encrypted at rest or is it modified in the cloud (outside of your control)?

The only way to ensure absolute security is to use a system in which the end user (IT/Storage Admin) generates and controls the crypto keys. Under no circumstances should the storage vendor hold a copy of your keys. If data is encrypted before it leaves your data center using a trusted form of encryption (i.e. OpenPGP) and the end user is the only party controlling the keys, there is no way the data can be compromised by a third-party hacker or by a malicious employee at the cloud provider.

Durability
The second component has to do with the actual durability/redundancy of your data. You could be using the best security and encryption in the world, but if your data only exists in two physical data centers - and both are wiped out, your data is gone. One of the inherent benefits of the cloud is the unique property of geographic replication. When a file is stored in Amazon S3 or Microsoft Azure it is saved on multiple servers, located in multiple data centers. It is through this technique of geographically dispersed replication that Amazon is able to offer their incredible 99.999999999% durability. Even if you utilized site-to-site replication and nightly tape backups, the cost to achieve anywhere near that level of durability would be astronomical. It is for this reason the large cloud providers will continue to dominate the market as the barriers to entry continue to rise. It’s no small task to build a cloud. Iron Mountain is one of the more recent examples of this, and it’s likely we’ll see more consolidation in the future.

A Team Effort
So to answer the question of who is responsible for protecting data stored in the cloud, as you’ve likely guessed, it’s a combination of the vendor and the end user. The vendor needs to do their part to ensure the data is secured by proper use of encryption (customer holds the keys!), and replicated in multiple data centers spread across multiple geographies. The end user should have a general knowledge of proper key handling and ask the right questions when it comes to data durability. With the right boxes checked, there is no reason why data stored in the cloud cannot be as, if not more secure than data stored on-site.

More Stories By Louis Abate

Louis is a connoisseur of technology, photography and music. As a passionate tastemaker, he is on a lifelong mission to seek out and evangelize best of breed products and services.

At Nasuni, he heads up the multimedia content creation and social aspects of the company. With one eye on the constant flow of industry news and the other on Nasuni’s services, you’ll find Louis writing about the evolving storage industry and general musings about high technology in the modern office.