
Who holds the keys to your data?

As readers of ITProPortal are aware, cloud adoption is becoming mainstream across organisations of all sizes.

The days of keeping 100 per cent of your data in your own on-premises datacentre are coming to a close as organisations see the cloud as a more flexible, affordable, and effective option for storage, compute, networking and more.

Even enterprises in regulated industries are using external cloud services, such as file sync and share or endpoint backup. The move doesn’t necessarily mean that these organisations lose sight and control of their data, but remaining secure and private in an age of daily cyber threats and exponential growth requires organisations to actively investigate the ways sensitive information can be compromised. The following highlights the types of considerations needed to prevent corporate data loss or leakage.

Know where your data is stored, and where your cloud provider is registered

The issue of data sovereignty has come to the forefront as cloud services have become more popular, and was the main driver behind the European Court of Justice declaring the Safe Harbour agreement invalid in October.

Each EU country will now decide whether it is safe practice for companies to store its citizens’ data in the U.S. Germany has already enacted strict measures toward data sovereignty and protection. The Safe Harbour ruling is expected to have a significant impact on European and US companies operating in Europe, and accelerate the deployment of “in-country” clouds.

You also should consider that if data is stored in your own country, but the provider hosting it is a company subject to foreign laws, your data may be accessible to foreign governments under various laws of information disclosure, or it may be disclosed to certain parties in case of a lawsuit. The U.S. Patriot Act, for example, stipulates that the U.S. government may collect data from U.S.-based cloud companies regardless of the data's physical location.

Even as cloud providers today comply with the highest security standards, including state-of-the-art physical protection of hosting facilities, electronic surveillance and ISO 27001 certifications, they offer no defense against government data requests, blind subpoenas or clandestine spying. Check your service provider's legal status if it's important to you not to have your data exposed to such disclosures.

Understand your cloud provider’s tenancy model

A Virtual Private Cloud, or VPC, hosted within a public cloud is as secure as your own private datacentre environment. Even if access control mechanisms fail, your data can never be mixed with other data. By contrast, in the multi-tenant model of the public cloud, your data is stored in the same logical system, or “bucket,” with other organisations’ data, and access to it is governed by access control mechanisms.

A VPC also enables you – and not your cloud services provider – to encrypt your data with your own encryption keys, and control every aspect of encryption policy.

Understand the SaaS risk

Once eschewed by corporate IT types, consumer-simple SaaS file sharing services have proliferated in the enterprise as user demand increased for easy, convenient productivity tools. These services still pose a huge risk to sensitive data and may ultimately have a severe impact on your company's business.

Many SaaS providers will tell you that it matters less where the data is physically located, and more where the encryption keys are managed. Several public cloud file services providers have announced support for enterprise key management (EKM), which enables customer-only management of encryption keys, to nudge security-conscious, cloud-averse organisations into cloud adoption. While at first this may seem like a good approach to data security, it's neither sufficient nor comprehensive.

Because large portions of the enterprise file sync and share functionality (essentially everything except the key storage) are in the public cloud, you still need to trust that your service provider:

  1. Wasn't instructed by the government to install an auditing device, responsible for tapping and recording ALL of your data, metadata, encryption keys and user identities.
  2. Won't impersonate your user accounts to access their data.
  3. Won't generate links or collaboration shares to data on behalf of your users.
  4. Doesn't cache the keys that are used to encrypt your files.

Furthermore, EKM, whether cloud-based or on-prem, provides a 'post-mortem' solution for preventing data from falling into unwanted hands. What can you do about the data compromised between the time the security breach started and the time you received the notice and decided to retract access on your EKM server? And after doing so, your entire file service is now inaccessible to your corporate users.
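The key-caching concern in point 4 and the revocation gap described above can be partly checked by reconciling your EKM server's log against the provider's file-access log. The following is an added example, not code from the article or from any vendor; the log formats, key names and the 5-second tolerance are assumptions, and the check only sees what the provider's log chooses to record.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample logs in a hypothetical "timestamp ACTION k=v ..." format.
EKM_LOG = """\
2016-01-10T09:00:00Z UNWRAP key=k-finance requester=provider
2016-01-10T09:30:00Z UNWRAP key=k-finance requester=provider
2016-01-10T10:00:00Z REVOKE key=k-finance
"""
PROVIDER_LOG = """\
2016-01-10T09:00:02Z READ file=/finance/q4.xlsx key=k-finance user=alice
2016-01-10T09:20:00Z READ file=/finance/q4.xlsx key=k-finance user=bob
2016-01-10T09:30:01Z READ file=/finance/plan.docx key=k-finance user=alice
2016-01-10T10:05:00Z READ file=/finance/payroll.csv key=k-finance user=carol
"""

def parse(log):
    """Yield (timestamp, action, fields) for each log line."""
    for line in log.strip().splitlines():
        ts, action, *rest = line.split()
        yield datetime.strptime(ts, FMT), action, dict(p.split("=", 1) for p in rest)

def audit(ekm_log, provider_log, max_age=timedelta(seconds=5)):
    """Flag reads the EKM server cannot account for.

    no-matching-unwrap:    no key request within max_age before the read,
                           so the provider decrypted with a key it had kept.
    read-after-revocation: data served after the key was revoked.
    """
    unwraps, revoked = {}, {}
    for ts, action, f in parse(ekm_log):
        if action == "UNWRAP":
            unwraps.setdefault(f["key"], []).append(ts)
        elif action == "REVOKE":
            revoked.setdefault(f["key"], ts)  # earliest revocation wins
    findings = []
    for ts, action, f in parse(provider_log):
        if action != "READ":
            continue
        key = f["key"]
        if key in revoked and ts >= revoked[key]:
            findings.append((f["file"], f["user"], "read-after-revocation"))
            continue
        prior = [u for u in unwraps.get(key, []) if u <= ts]
        if not prior or ts - max(prior) > max_age:
            findings.append((f["file"], f["user"], "no-matching-unwrap"))
    return findings

if __name__ == "__main__":
    for finding in audit(EKM_LOG, PROVIDER_LOG):
        print(finding)
```

A clean result does not prove the provider is not caching keys, since reads it omits from its own log are invisible to this check.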

Stay in the driver’s seat

The bottom line? Don’t hand over the keys to corporate data security and privacy to someone else. Cloud providers are not responsible for your data – you are. Invest in a system that allows you to apply your corporate policies and meet critical business needs for data governance, security, integrity, sovereignty, and compliance.

Aron Brand, CTO at CTERA
