Cloud security and data protection: What enterprises need to know
Data security is rarely the first consideration when choosing a public cloud service provider. That's changing, though, because of the rise of tougher rules, regulations, and standards aimed at protecting consumer privacy. Without data security, there can be no privacy.
Laws such as the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are making chief information security officers pay closer attention to what data security means in the cloud. To comply with the laws, CISOs also need to understand what must be done to more effectively protect and govern data in a complex, geographically diverse, and hybrid IT ecosystem.
In a recent report, Micro Focus data security products executive Sid Dutta described the offerings of the "big three" public cloud service providers (CSPs)—Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS)—serving up a framework with strategic selection criteria, and outlined what enterprises should be aware of before cutting a deal with any CSP.
Here are six key takeaways from the report.
1. CSP key management and encryption services have limitations
These so-called HSM services have typically been added as a layer on top of the CSPs' existing stacks—an afterthought due to late recognition of their customers' increasing data security concerns, the report said.
In addition, the encryption model used by the major CSPs won't meet the scaling requirements of many enterprises. Amazon, Google, and Microsoft "create a unique key for every data element," Dutta explained in an interview. "So if you're processing 10 million records, every data element in each record will require a unique key."
That doesn't scale when you're doing a large volume of encryption, he said. "You're going to have problems with availability, latency, and bandwidth."
"If I don't have the ability to perform bulk encryption that doesn't rely on the network and the availability of that system, that, for me as a customer, is a no-go. I can't make my endpoint 100% available because I don't control the network that connects my client application and my encryption system."
Mark Nunnikhoven, vice president for cloud research at the security company Trend Micro, said the big three "offer a reasonable set of services around key management." And with any cloud service, these are evolving rapidly.
However, the bigger question that comes from the Micro Focus report, and which is central to your overall data protection strategy, persists: Is it safe for the CSP to own the keys?
2. Organizations cannot control encryption keys
Organizations concerned about a CSP controlling the encryption keys to their data are told they can "bring their own keys" (BYOK). That's misleading, the report contends. Even if a customer provides key material, it explained, the CSP still either owns or manages the master keys, which can be subject to subpoena or some other form of disclosure or abuse.
BYOK as a practice in the industry "has created a false perception that customer ownership and control of keys is established" when the fact is that, even if a customer generates and imports the keys into a CSP key-management system or cloud HSM, "it is the CSP that has direct or indirect control of the keys," the report said.
"There is no hard isolation when it comes to cloud infrastructure."
Ameesh Divatia, CEO of the data protection company Baffle, said BYOK had limitations for enterprises.
"It's not completely foolproof, but it's a step forward because the keys aren't accessible to the cloud service provider."
3. No one CSP can support enterprises' hybrid and multi-cloud environments
The report explained that each CSP offers encryption services that are available and functional within the confines of their own clouds. That poses a challenge for enterprises using more than one CSP, not to mention on-premises legacy systems, to implement their workloads.
"The biggest challenge and concern for enterprises" is that they cannot implement a single, CSP-agnostic enterprise solution or service that can be applied across both on-premises and multi-cloud hosted workloads, the report said.
That can be especially challenging when it comes to encryption, because the CSPs don't share keys.
"I can't take all my keys from Amazon and put them on Google. That doesn't work."
Andras Cser, vice president and principal analyst for security and risk management at Forrester Research, said this indeed can be tricky. "We've seen a number of questions on this," he said.
"It's not so much just vendor lock-in, but the inability to extend AWS KMS to Azure and vice versa."
4. CSP crypto services are not global
The report explained that CSP crypto services are available in specific physical locations, referred to as regions. Even when these services are available, cross-region integrations and availability of keys is not guaranteed.
Even though CSPs have a global footprint, "their crypto services are not global." Not all regions have the KMS and cloud HSM services available, which forces enterprises to deploy and migrate their applications and data to specific CSP regions. The report notes:
"With enterprises going global through mergers and acquisitions, they cannot afford to have regional services and silos."
5. CSP encryption choices are limited
While all the CSPs offer crypto SDKs that support 256-bit GCM-mode AES, the report noted that other formats are largely unsupported. CSPs also don't support the ability to partially expose some business elements without data decryption, or defined tokenization services to meet PCI-DSS requirements.
By limiting the encryption choices available to organizations, CSPs discourage the use of encryption.
"The reason that people shy away from encryption is there's a perception—and in some cases a reality—that encryption breaks functionality."
If, when you protect data, you remove the value from it so you can't do your analytics and run artificial intelligence and machine learning on it to create new business insights, no one will want to encrypt the data, Dutta said.
You need to strike a balance between encryption and functionality, he said. "Then people will be happy to encrypt their data."
"Everyone knows they need security, but they will take the easiest path, which will make them compliant but not secure."
6. Adopt a data-centric security attitude early
The report recommends that enterprises develop a cloud security strategy early in the migration process. Data-centric security should be implemented before sensitive data is sent to the cloud.
CSPs do a good job of infrastructure hardening and implementing security processes and policies, and they offer multiple tools to enable customers to secure their workloads, the report said. However, one key takeaway stands out:
"But it is very important to understand that CSPs are not responsible or liable for the security of the data that customers ingest into their services."