In 2008, the size of the cloud computing industry was $46 Billion. That is more than the GDP of Costa Rica! Think it’s a lot? Ready to jump on the cloud security bandwagon? That was 2008!
By 2014, the size of the cloud computing industry had more than tripled, to $150 Billion – almost the GDP of New Zealand. NOW are you ready?
Besides the fact that everyone else is doing it, migrating to the cloud just makes good business sense. Whether you select a private cloud, a public cloud, or some hybrid of the two, cloud computing is simply more powerful than traditional datacenters. There are several reasons for this. First, there are the reduced capital costs of IT infrastructure – no need to buy hardware and software, or to hire (and train) the staff to manage them. Then there is the improved accessibility, effectiveness, flexibility and scalability of the cloud.
But with great power comes great responsibility.
When migrating your business data to the cloud, you must ensure the safety and privacy of your records.
Much like data security was your responsibility in the datacenter, it continues to be your responsibility in the cloud. But if you don’t know where your data is physically located, can you still ensure its confidentiality?
Cloud Computing Security Needs
To ensure the transition is a safe one, you must address the security needs that are specific to cloud computing. Because the walls of the datacenter are no longer there to protect your data in the cloud, there are seven best practices that will ensure your safety.
1. Understand which business data is migrating to the cloud
Do you post pictures on Facebook? Ever made an online payment with Paypal? How many messages are in your Gmail inbox?
Guess what? You already have sensitive information in the cloud.
But your business data requires more security than pictures of your pet on Instagram or a Happy Birthday email to Grandma.
Some businesses are regulated by standards like HIPAA for healthcare, PCI DSS for financial transactions, or SOX for publicly traded companies. These regulations specify what kind of sensitive information must be protected (and how to protect it) in the cloud.
If your industry is not regulated, just ask yourself – would you want your data available to hackers, competitors, and government entities?
The kind of data that you do not want them to have is the kind of data that needs strong cloud security.
2. Understand the responsibilities of cloud providers
You will likely be using a cloud service provider to store your data in the cloud. Make sure you read the policies in their contract, terms of service, and privacy policies.
For example, what kind of hardware and software is in place to protect you? Firewalls? Antivirus? Does everything get automatically updated regularly?
Has there ever been a breach?
How are cloud providers’ employees screened? Who will have access to your data?
How does the cloud provider handle subpoenas for your data? Requests from government agencies?
What happens to your data after you discontinue your agreement with the cloud provider?
There are no right or wrong answers to these questions, but the answers you are given will help you realize that you must protect your own data and cannot rely on anyone else to do it for you.
3. Encrypt your data
Once you accept that you should apply a Zero Trust policy to the data you store in the cloud, you will realize that you must use the strongest possible encryption to protect it.
Properly encrypted, your data cannot be used even if it is stolen or misplaced…
4. Split the encryption key
Your encrypted data cannot be maliciously used, unless, of course, your encryption key is stolen or misplaced too.
The only way to truly protect yourself from this scenario is to maintain control of your encryption keys. And the only way to maintain such control in the cloud is with split key encryption.
When you control your own key, no one else can access your data.
5. Encrypt the key
No one else can access your data, of course, unless they steal your key while you are using it.
Even when you split the encryption key, you will still need to use both parts to access your data store. So how do you make sure that the key cannot be stolen while it is in use in the cloud?
Use homomorphic key management to encrypt the encryption key. This way the key never appears in the cloud in its unencrypted state, even while it is in use, and so cannot be compromised there.
6. Backup data and encrypt the backup
Certainly, you back up your data regularly, right?
In the cloud, you must make sure your backups are as secure as your “live” data.
Therefore, repeat steps 3-5 for your backups.
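Steps 3 through 6 together form one procedure, and the following is an added worked example of it, written for this post and not Porticor’s code. It uses only the Python standard library: each data store gets its own fresh data key (step 3), the data key is XOR-split into a customer share and a provider share so that neither side can decrypt alone (step 4), the customer share is stored only wrapped under a customer-held key-encryption key (a stand-in for step 5, since it protects the key at rest rather than while in use, which is what the homomorphic approach above is for), and the backup is protected by repeating the whole procedure with its own key (step 6). The cipher itself is a constructed HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, chosen so the example runs offline; the sample record and the key-encryption key are constructed values. In production, use AES-GCM from a vetted library and keep the key-handling structure shown here.

```python
"""Envelope encryption with a split data key, standard library only
(added example for this post; not Porticor's code).

The cipher is a constructed HMAC-SHA256 counter-mode stream with an
encrypt-then-MAC tag so the example runs offline. In production use
AES-GCM from a vetted library; the key-handling steps are what matter."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

KEY_BYTES = 32
NONCE_BYTES = 16
TAG_BYTES = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode: block i = HMAC(key, nonce || i), truncated to 'length' bytes.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Step 3: encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; ValueError on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """Step 4: XOR-split into (customer_share, provider_share).
    Each share on its own is uniformly random and reveals nothing about the key."""
    provider_share = secrets.token_bytes(len(key))
    return _xor(key, provider_share), provider_share


def join_key(customer_share: bytes, provider_share: bytes) -> bytes:
    return _xor(customer_share, provider_share)


def protect(record: bytes, kek: bytes) -> Dict[str, bytes]:
    """Steps 3-5 for one data store: fresh data key, encrypt, split the key,
    wrap the customer share under the customer-held key-encryption key 'kek'.
    Wrapping stands in for the homomorphic key management the post describes:
    it protects the share at rest, not while the key is in use."""
    data_key = secrets.token_bytes(KEY_BYTES)
    customer_share, provider_share = split_key(data_key)
    return {
        "ciphertext": seal(data_key, record),
        "provider_share": provider_share,                 # held on the cloud side
        "wrapped_customer_share": seal(kek, customer_share),
    }


def recover(store: Dict[str, bytes], kek: bytes) -> bytes:
    """Reassemble the data key only in memory, then decrypt."""
    customer_share = open_sealed(kek, store["wrapped_customer_share"])
    data_key = join_key(customer_share, store["provider_share"])
    return open_sealed(data_key, store["ciphertext"])


if __name__ == "__main__":
    kek = secrets.token_bytes(KEY_BYTES)            # constructed customer-held key
    record = b"account=ACME-001;card_last4=4242"    # constructed sample record
    live = protect(record, kek)
    backup = protect(record, kek)                   # step 6: the backup gets its own key
    assert recover(live, kek) == record and recover(backup, kek) == record
    assert live["ciphertext"] != backup["ciphertext"]
    print("live and backup stores decrypt correctly; each has its own split key")
```

The point to notice is what the cloud side ends up holding: the ciphertext, the provider share, and a wrapped customer share, none of which decrypts anything without the key-encryption key that stays with you. Losing the provider share, the wrapped share, or the key-encryption key separately does not expose the data, and a flipped bit in the ciphertext is rejected before any plaintext is produced.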
7. Prepare for the worst
Regulations demand that you prepare for the worst. Good business practice dictates the same. Before you get in the car, you make sure you are properly insured and buckle your seatbelt to prepare for the worst. When you migrate to the cloud, you encrypt your data, split the key, encrypt the key, back up your data, have a disaster recovery plan in place, possibly even purchase a data protection insurance policy.
In regulated industries, preparing for the worst provides you a “Safe Harbor” in case of a breach, attack, or accident.
Going through these seven steps will ensure that your cloud migration is a safe one. You will be able to begin reaping the benefits of cloud computing without the associated risks of poorly managed or easily breached cloud security.
Gilad Parann-Nissany is the founder and CEO of Porticor Cloud Security. He is a pioneer in the field of cloud computing who has built SaaS clouds, contributed to SAP products and created a cloud operating system. He has written extensively on the importance of cloud encryption and encryption key management for PCI and HIPAA compliance. Gilad can be found on his blog, Twitter, LinkedIn, and Google+ discussing cloud security.