Cloud Security – How Safe Is Your Data?

June 5, 2019 Michał Brygidyn

Cloud-based solutions have been adopted by many firms around the globe. However, many non-adopters remain sceptical – often due to concerns about data security in the Cloud. How justified are those concerns? Let’s find out.

The topic of data security is often laid out in technical terms and that’s why we’d like to shed some light on it – in plain English – to help those on the fence about whether to adopt make well-informed decisions.

Below, we take a look at the most common security measures that Cloud providers have in place and at the ones that you, as an adopter, can take to effectively protect your Cloud-hosted data and solutions.

Shared Responsibility

Responsibility for data security is shared between the customer and the provider.

We differentiate between security “of” the Cloud and security “in” the Cloud. The former includes the infrastructure, i.e. the hardware, software, networking, and facilities that run Cloud services.

Security “in” the Cloud encapsulates the clients own IT security management, e.g. applications, updates, firewall configuration and access controls.

Effectively securing your data involves both the provider’s and your own full commitment to security. As we will see in the next section, clients are also responsible for choosing the encryption model on the basis of which their data is transferred and stored.

Data Encryption

Communication between your local computer, tablet, or smartphone and the Cloud provider’s servers is usually encrypted – the method most commonly used to do this is called Transport Layer Security (TLS). It encrypts communication between two stations, i.e. sender and recipient devices generate a one-time code and key for each transfer. This is known to be secure and compliant with the EU General Data Protection Regulation (GDPR).

The biggest potential weak points here are the certificates and certification authorities. These are often targeted by hackers and could be compromised. To mitigate this, you can make sure that the certification authorities are accredited by relevant states and international organisations and the implementation of TLS is regularly and thoroughly reviewed.

For long-term data storage, a different type of encryption is used, where a secret key is needed to read the encrypted data. This is done to prevent unauthorised system breaches from turning into full-blown data leaks.

You as a client would be responsible for choosing one of the following methods:

1. Server-side encryption, server holds the key

Both the encryption and the key are part of the Cloud provider’s remit – in other words, they’re in unfamiliar hands – and the danger of unauthorised access by this party would undoubtedly exist. However, relevant security measures can be put in place to prevent this from happening.

Among such prevention measures are: strictly separated access rights, multi-factor authentication, surveillance systems, and regular audits by independent authorities. It’s important that you find out which measures your Cloud provider has in place and how they’re planning to guarantee your solutions’ security.

2. Server-side encryption, client holds the key

The Cloud provider encrypts the data and the Client holds the key. This option is more secure, because the data, encrypted by the provider, can only be deciphered by the customer.

Second and third party entities do not have as much access as in the previous option we described. But, with this method, you’re only as secure as the access to your own building and hardware – in this case, you can increase the level of security with effective internal IT security management.

3. Client-side encryption, client holds the key

With this option, the customer encrypts the data and is the only entity to hold the key. This is the most secure method against attacks from second or third parties.

For technical reasons, however, this method doesn’t provide quite the same flexibility in the Cloud as the previous two. And, because it’s quite difficult to implement, many companies still prefer to go with server-generated encryption.

Data Centres

The location of the data centre is crucial in terms of data privacy compliance. A centre that is located in, for example, Germany must comply with the strict rules of the GDPR – even if it’s run by a foreign company. AWS for instance has 21 AWS regions worldwide that include 64 availability zones, in which their data centres operate under the strictest security measures.

You can ask your Cloud provider where your data centre will be located. Having this information will allow you to contractually determine where your data will be stored in order to ensure that it’s a secure location.

The building that hosts the servers should be as safe as Fort Knox as this is where your data will be stored. This location must adhere to extremely high standards. We’re talking security perimeters, video and heat surveillance, concrete walls that can withstand storms and bombings – the more the better!

Data centres are also generally secured against fires, lightning, and floods. Power outages – the most common reason for interruptions – are counteracted by redundancies for all of the most important systems.

The Security Perimeter

The security of a data centre starts at its perimeter. First off, security measures restrict physical access to the area: security staff, fences, walls, video and heat surveillance, and motion detectors are a common sight here.

Access approvals are only granted to people who have a good professional reason to set foot in the data centre. Visitors will receive a badge that requires multi-factor authentication and are limited to relevant areas only.

The Infrastructure

Another key security aspect is the infrastructure of the building and all of the connected devices and systems. This includes emergency power generators, heating and air conditioning, as well as fire prevention systems. Here as well, physical access will only be granted when a valid reason is given.

Regular maintenance also makes sure that the machines and systems are working properly. All-important connections are usually double and triple secured so that normal operations can be continued even during an emergency.

The Data Depot

At the core of a data centre are the server rooms in which the data is stored. This represents the third security zone, which is characterised by a strict separation of access rights and responsibilities, as well as by having video surveillance. System protocols and climate control also make sure that everything remains safe, secure, and unwaveringly effective on the server’s side.

Multi-factor authentication comes into play to prevent potential digital and physical intruders from entering. Servers that contain client data are handled on the basis of clearly defined processes: installation, operation, and termination happen according to strict requirements.

These processes and systems are annually audited by external reviewing authorities. Generally, these audits are thorough and cover several thousand aspects.

Certifications

Not too long ago, the Cloud was a term still shrouded in mystery. Today, we are seeing the increasing standardisation of security in Cloud computing on national and international levels – in terms of data privacy, as well as IT security.

Big Cloud providers like AWS, Microsoft, and Google subject themselves to regular audits. Such audits take numerous aspects into consideration and are designed to ensure that the location, systems, and security of a given data centre is compliant with international standards.

For this reason, it’s important that you research what kind of certifications your potential Cloud provider has before you decide to use their services. There are many standards on the basis of which the audits are carried out. The following examples are internationally accredited and fully focused on IT security.

ISO 27001 on the Basis of IT-Grundschutz

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik [BSI]) offers certifications in the form of the BSI-Standards 200-1 to 200-3. They cover the security of IT management systems at different levels. These certifications are only granted after an audit by BSI-certified ISO 27001-Grundschutz auditors. ISO 27001 is an international norm for information security in private, public, and non-profit organisations.

C5

The BSI has also published a requirement catalogue called Cloud Computing Compliance Controls Catalogue (C5 in short). Apart from the impressively long alliteration in the title, the German standard differs from the others because it includes so-called peripheral parameters. These are data location, service delivery, jurisdiction, certification, duty of inquiry, and disclosure requirements before governmental authorities – in other words, all the good stuff!

The financial auditor issued certificate, based on the international testing standard ISAE 3000, is becoming widely used in Europe – as an example, it was employed by EY to conduct an audit of Amazon Web Services (AWS) Ireland.

PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard and was publicised in 2016 by the PCI Security Standards Council in order to secure online credit card payments. This audit is made by either a Qualified Security Assessor (QSA), an Internal Security Assessor (ISA), or – in the case of smaller companies – a self-assessment questionnaire.

HIPAA

HIPAA, also known as the U.S. Health Insurance Portability and Accountability Act, was originally developed for companies in the healthcare sector in order to protect their clients’ data. This certification focuses mainly on multi-factor authentication, differentiated responsibilities, as well as comprehensive protection of patient data at all stages (at-rest, in-transit, and in-use).

Conclusion

Today, the industry, our governments, and the European Union are all cooperating more closely in order to establish a solid foundation for the future of the Cloud.
When choosing your Cloud provider, you should consider the aspects mentioned in this article: agree on the type of data encryption, ask about the location of the data centre where your data will be stored, and make sure that the Cloud provider has the right certifications.

It’s a good idea to look at the well-established providers. For example, AWS has been providing Cloud services since 2006 and has the experience necessary to ensure refined and well-thought-out security “of” the Cloud.

In order to guarantee security “in” the Cloud, you should also make sure your internal IT security management works – Cloud experts can help you implement this.

Representatives of both Cloud providers and customers are working on EU-wide regulations that aim to provide more transparency and security – a necessary measure in times of the Cloud’s wider acceptance and usage.

Business Perspective

Security in the Cloud is essential – and there are important steps you can take to guarantee your solutions won’t be affected by any breaches. Firstly, decide on an encryption type for your data. Secondly, find out where your data will be stored and processed. And lastly: make sure to check the certifications of your Cloud provider. All this will help guarantee your business remains secure, allowing you to focus on Cloud-facilitated innovation instead.

Last posts