Cloud Security – What You May Not Know Might Hurt You

If you use a cloud provider for your application and infrastructure needs, tell me quickly: Where is your data? Don’t feel bad if you really don’t know, most people and organizations have no idea where their data actually resides.

Security Conversations

There are security implications the moment you move your data off site and use any outside hosting or cloud provider. How do you protect it from malicious attempts to access? In many cases, your efforts at securing that data may be falling victim to the security conversations that are not happening.

Where is it? Physically, where does it reside? That sounds like a loaded question because we all know, in the cloud, it could be anywhere at any time. However, in the case of sensitive corporate or personal data, that could be a problem, right? At any given point in time, the data for your application and the customers that use it is physically somewhere in a data center on one or more physical disks of some kind. A quick look at AWS, for example, provides information about the Availability Zone and Region that an application and its data is in, but nothing specific as to location.

If I were hosting an application at a third party colocation or managed services data center, I would ask questions like:

  • What are your policies for access to the datacenter?
  • o you have biometric or badge access to the facility?
  • Do your engineers have administrative access to the systems my applications and customer data is on?
  • Are there security logs and video surveillance that can be reviewed as needed?
  • What are your notification processes if law enforcement requests access to your facility/neighboring servers/my data?

The last point is one of particular sensitivity. There may be various levels of notification that your provider may have processes for or none at all. Viewing the policies of the three major cloud providers, those policies are all over the board and largely boil down to “we will cooperate or comply with legal requests.” We need a much clearer understanding of what compliance is. We probably also need a better definition of what they consider a “legal request.” However, that does not undermine the other questions. Physical security to the location and the server rack, as well as administrative access to the equipment it resides on, are of paramount concern to determining whether any facility is an appropriate hosting center for off-premise applications and data. The cloud is an economical solution providing performance and access with ease without a capital expense, but it seems like we may have forgotten to ask some of the questions that we should when considering off-premise storage.

Ownership Rights

No matter what, whatever data we place in the cloud, we still own exclusively… right? Well, at the very least, “it is complicated.” Since your data can exist in multiple locations (i.e. across multiple state lines), you may be affected by various laws that can impact access and ownership of that data. Now, in all fairness, the Big Three cloud providers do attempt to provide some clarity to that in their Terms of Service. Unfortunately, there are both public legal challenges to those terms as well as private challenges (i.e. the government accessing data without notification to the client as part of a national security investigation). It becomes even more complicated if the data exists in data centers outside the United States or the data is said to contain information from non-citizens that may be pertinent to national security or a criminal investigation.

Many of these issues are currently winding their way through the local, state and federal court systems. Unfortunately, that is not likely to offer much overall clarity to a complex situation in the short term. Additionally, there are three types of ownership rights covered by different areas of law — copyright, confidentiality, and contract. These can all differ by state (depending on where the data is physically stored) and country (if it is outside the United States). Adding even more complexity is that there are difference kinds of data in the cloud — data that was migrated there from on-premise applications and databases and data that was created in the cloud via the applications once they moved there. Ownership can be impacted by both the type of data as much as by where it was generated.

Summary

This article is meant to be part of the conversation. It has become too easy to just put everything in the cloud. The process is straightforward (mostly), the cost is economic (again, mostly) and the security is good enough (or has largely been up until now). Before your data becomes the test case for access, ownership or legality, it may be best to ask yourself the hard questions so that you can make an informed decision and to understand the risk profile of the data you are charged with protecting.

Terrence T. Cox

A veteran of twenty years in Information Technology in a variety of roles. He has worked in development, security and infrastructure well before they merged into what we now call DevOps. He provides training in Linux, VMWare, DevOps (Ansible, Jenkins, etc) as well as containers and AWS topics.

Leave a Reply

Your email address will not be published. Required fields are marked *