Data Security in Virtual Enterprises - Prognosis: Cloudy

The recent public release of thousands of leaked U.S. State Department cables by WikiLeaks continues to shake up governments across the world. The information captured and sent out to the wild is not only an embarrassment to U.S. government officials whose candid assessments of foreign leaders were exposed but also to the fact that that the organization with the tightest and most comprehensive data security technologies, protocols, and policies in the world unknowingly fell victim to a massive data breach.

Can private corporations or smaller government agencies with less-stringent security protocols and standards expect to do any better? Securing data is tough enough, and now, with the increase of  initiatives such as virtualization and cloud computing, the odds of loss of control and proliferation of sensitive data become even greater.

While cloud computing-both in its public, over-the-internet form and private, inside-the-firewall form-offers compelling cost and information-sharing opportunities, there's a risk as well. "The two major disadvantages of cloud computing relate to resource control and security," Slavik Markovich, CTO of Sentrigo, tells DBTA. "Having sensitive information beyond your network borders can bring about high levels of anxiety, which can be traced to the entire question of responsibility in the event of a security breach."

Live Data Shipped

How seriously are companies taking this responsibility? Surveys of data managers conducted by Unisphere Research finds that while many companies are looking at expanding access to data and applications across the enterprise via cloud computing, there are huge vulnerabilities in how sensitive data is managed and protected. For example, a survey of 430 members of the Independent Oracle Users Group (IOUG) conducted by Unisphere Research and sponsored by Oracle, finds that fewer than 30% are encrypting personally identifiable information in all their databases - a finding that is startling given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption. To make matters worse, close to two out of five organizations ship live production data out to development teams and outside parties. More than one-third admit that the data is unprotected, or don't know if it is protected. In many cases, the data consists of sensitive or confidential information.

"Sensitive data is hard to protect for a number of reasons," Linda Park, senior product marketing manager for Symantec, tells DBTA. "It's often buried in a sea of unstructured data that is spread out across physical, virtual, and cloud-based infrastructure. It's scattered among low-value data, like names, addresses, and credit card numbers, making it hard to identify and secure the highest value data. In addition, the differences between sensitive data and non-sensitive data are subtle, and can be time-consuming to define."

Endless Storage Capacity

The rise of enterprise cloud adoption-along with "seemingly endless storage capacity"-is creating significant new exposures for such sensitive information, Irfan Saif, principal with Deloitte & Touche LLP, tells DBTA. "Concerns around unauthorized access to data are not without good reason," he says. "There's a broad range of ways that data can be leaked, whether intentional or unintentional. While elasticity is a selling point of the cloud, keeping data around when it is not needed could be an expensive proposition when considering the overall cost of protecting the data and the additional risk exposure to manage."

Saif advises that data managers and organizations take stock of where their most valuable data assets reside, and "be sure to purge or archive data to an offline medium in a timely manner to reduce the overall footprint that might be exposed." 

Conform to Standards

Other industry experts caution that industry-accepted practices or standards around secure private clouds are still being formulated. Better cross-organizational communications is needed to meet the challenge head-on, Jim Freeze, vice president of marketing and business development at Crossbeam, advocates. "Instead of looking at security as a set of individual applications that can be virtualized, companies need to look at ways to deploy security as both a separate and integrated set of services that can be easily managed, zoned according to risk, and scaled according to demand," he tells DBTA.

The ability to audit and monitor data moving across the virtualization and cloud layer becomes key. As Ashvin Kamaraju, vice president of product development and partner management for Vormetric, puts it, "Organizations must still audit private cloud service providers to ensure that service level agreements and security policies conform to their corporate standards for compliance and governance."

Monitoring and auditing for data security is still a weak area for many companies. In the IOUG survey, almost 64% indicate that they either do not monitor database activity, do so on ad hoc basis, or don't know if anyone is monitoring. Less than one-third of those monitoring are watching sensitive data reads and writes. Overall, 40% of respondents indicate that they are unsure as to how long it would take them to detect and correct unauthorized changes to their data  or their databases.

There's a good chance that the risks associated with cloud computing will decrease as managing the technology becomes better understood. However, managers need to follow the same due diligence as with any type of platform, says CR Srinivasan, vice president of data center and IMS services for Tata Communications. "The security needs of applications that are hosted on a cloud platform should have all the controls that applications need when they are hosted on dedicated platforms," Srinivasan tells DBTA. "However, in a hosted cloud environment there also needs to be additional controls around storage of data - defining exactly where the data is stored; classification of data (defining how critical the data is) and who has access to the data. Discussions around security will ultimately continue to move to the next level around data management, access, and segregation."

In addition, industry experts advocate a service-oriented approach that encapsulates security best practices. "A set of common security services should be deployed on the private cloud similar to how infrastructure services are being defined and modified to automate provisioning," RamPrasad Kan, chief technologist at Wipro Technologies, tells DBTA. "These services should include identity, access control, audit and governance to create a trusted cloud environment."

Legal Angles

Along with technical specifications, there are legal considerations to be weighed as reliance on private cloud and virtualization grows. "IT administrators will have to be increasingly vigilant in order to protect this information," Roy Hadley, a partner in law firm Barnes & Thornburg's cloud computing and cybersecurity practice, tells DBTA. "They will have to more fully understand the nature of their data and protect it accordingly. They will have to garner a more full understanding of trade secrets, intellectual property, privacy and other topics related to the data in order to make more full and relevant assessments of their enterprises' data and how the data must be secured." (Legal angles that need to be examined are explored in the accompanying sidebar.)

Control of data access and ownership is critical as data is made available across public and private cloud environments. "In due diligence, as in any outsourcing arrangement, reviewing the provider's solution to determine control of access to the data is crucial," Julian Millstein, senior counselor, Morrison & Foerster LLP, tells DBTA.

The rise of cloud computing also opens up new challenges in meeting compliance mandates. "Many compliance regulations were written before public clouds were widely available and have yet to catch up to the technology," Bob Janacek, CTO for DataMotion, tells DBTA. "These rules can be a challenge for organizations that are instituting cloud computing. For example, with PCI, or Payment Card Industry, regulations, organizations must know where their credit card data is physically stored. And while cloud computing provides highly available access to data it does not allow the organization to guarantee where its data physically resides, making it difficult to comply."

The widespread adoption of more centralized storage through cloud storage systems also increases risk, Janacek continues. "Cloud storage systems enable organizations to store massive amounts of data that is accessible through a single service, which creates a centralized method for securing the system, but also a high-value target for hackers. As a result, the stakes are higher for services in the cloud, but the opportunities to secure the data are also more manageable when compared to traditional scattered data stores. Data center environments are also increasingly complex and require significant technical skills to perform a proper assessment. Yet auditors for security and operational certifications are often CPAs, not IT specialists."

Abstraction Risks

For guidance on managing data in virtualized environments, managers only need to look at a business technology that has been in place for many years now-enterprise data warehouses. As is the case with cloud, data warehouses - which also serve to abstract data and make it available across enterprise walls - present the same kind of security risks as virtualization and cloud computing, says Jim Browning, professional services consultant for security systems at Teradata. "Both enterprise data warehouses and cloud data stores can be characterized as shared environments wherein large numbers of users may have access to the shared data infrastructure."

Based on the experience of the data warehouse community, Browning says, there are two key strategies organizations should pursue as virtualized data access expands-data segregation, and protection from compromise by privileged users. "Logically and physically segregate data in the underlying database, and enforce strong access controls to ensure that each and every user is properly identified and authenticated. No user should be allowed to access any data for which that user has not been explicitly granted access."

The IOUG survey finds that two out of three respondents admitted they could not actually detect or prove that their database administrators and other privileged database users were not abusing their super-user privileges. In addition, database administrators and other IT professionals aren't the only people that can compromise data security from the inside. An end user with common desktop tools can also gain unauthorized access to sensitive data in the databases. Close to half of respondents say this either could happen in their organizations, or don't know if it could.

The ability to secure data against internal breaches is key, and the technical fixes for this challenge include encryption and masking of data.  "Given the potential for a rogue employee to walk off with entire virtualized environments, including sensitive data, on a pocket USB drive, encryption is becoming a necessity not an option," Vormetric's Kamaraju says. "Encryption provides persistent security that ensures sensitive data is always protected no matter where the virtual machine goes."

Ultimately, organizations are best served by pursuing a well-planned architectural approach to cloud that looks at all aspects of the business, and the best technology fit. "Securing information in the cloud presents a new set of challenges - but with the right architecture, it is possible," says Sentrigo's Markovich. "The bottom line is that you can no longer rely on the traditional staples of IT security, such as perimeter protection. It's a case of what perimeter? Your cloud servers may move at any time, and are provisioned and de-provisioned all the time." Network monitoring approaches also don't look far enough. "Will you monitor the entire internet?" Markovich opines. "Look for solutions that closely monitor and protect the data wherever it may be, and that can easily adapt to frequent changes in network topology. This will likely lead you to one of the more modern distributed, software-only architectures that are emerging as the best solutions for protecting sensitive information in the cloud."

The Legal Side of Private Cloud Computing

Along with technical matters that need to be sorted out as both public and private cloud formations spread through enterprises, organizations need to be aware of the legalities. Legal experts in the cloud computing arena provide their thoughts as to what measures are helpful in the move to cloud computing:

  • Determine data ownership. "At the outset, the cloud customer and service provider should agree on who owns the data that is stored in the cloud," says Robert J. Scott, partner with Scott & Scott, LLP. "A simple and logical rule of thumb is that each party owns all of the data they bring to the deal. This becomes more complicated at the termination of the agreement. Cloud customers should ensure that the cloud provider is required to return all data at the termination of the agreement, in a usable format."
  • Determine who has control over the data. "Does the provider's solution allow you to limit access rights to your data, and monitor access so you know who accessed what and when?" Julian Millstein, senior counselor, Morrison & Foerster LLP, asks. "What are the specifications regarding encryption? How frequently is data archived, and are all applications and software kept current with the most recent security updates? Do service-level agreements include maintenance of security systems as a measured performance obligation?"
  • Pay close attention to cloud agreements. "If a cloud customer operates in an industry which is subject to specific privacy regulations, the customer should ensure the cloud provider does not attempt to shirk those privacy duties in the agreement," says Scott. "Customers must ensure the contract requires the cloud service provider to meet the privacy standards set by the relevant industry regulation."
  • Control access to the data. "Make sure that the provider has limited the people who can access your data, and ensure that access is properly monitored," according to Millstein.
  • Always be prepared for change in the provider's business. "Have clear procedures in place for the return of data in the event of termination or provider bankruptcy," says Millstein. In addition, he advises, make sure the provider is updating its protection systems, both as required by the contract and in accordance with industry best practices.
  • Maintain coverage for potential damages. "Cloud customers should require their cloud providers maintain cyber liability coverage sufficient to cover damages and costs associated with a data breach event," says Scott. "The levels of coverage required should be negotiated based on the nature and amount of data stored."
  • Remember that different jurisdictions have different data privacy laws and regulations. "Cloud customers must understand exactly where their data is being stored, and what that storage might mean with respect to the privacy and security of the data stored there," says Scott.