Processor ®



Tech & Trends
General Information
August 28, 2009 • Vol.31 Issue 22
Page(s) 36 in print issue

Encryption & Security With Cloud Storage
Facility Security, Level Of Data Protection Are Important Considerations

Key Points

• Cloud storage can be as safe as, if not safer than, internal storage. But IT professionals must confirm that physical, procedural, and data security are in place.

• For facility security, SMEs have to understand the security capabilities in place at the physical location where the data is housed.

• Data destruction is important: Make sure any provider you use actually deletes and removes any data you decide to destroy from all forms of storage.

As many small to medium-sized enterprises consider cloud storage, one of the concerns they have to tackle is how secure their data will be. Security as it relates to cloud storage is often equated to how and if the data is going to be encrypted. In reality, though, security of data in the cloud is much more than that.

According to Justin Moore, CEO of Axcient Technologies (www.axcient.com), a cloud-based backup provider, “Encryption is important, but there are two additional types of security that users should be looking for. First, there is the security of the facility that the storage provider is utilizing and, second, there is the level of data protection that the provider is using. Make sure that the provider is maintaining that they can recover your data in the event that something goes wrong at their facility.”

Dave Kubick, vice president of worldwide digital business at Iron Mountain Digital (www.ironmountain.com), agrees. “As the SME marketplace begins the move to cloud-based storage services, they need to look for providers that can ensure that their data is safe, encrypted, and accessible. Safe is, of course, the protection of the data and the facility it is housed in, encrypted so that if an unauthorized person somehow gains access to that data [she] cannot actually read that data, and accessible to ensure that the data is online and available when the organization needs it.”

To this Kubick also adds the importance of assured destruction. “You also want to make sure that when your business policies and legal requirements allow for it, and you decide to destroy data, that the data is actually deleted and removed from all forms of storage at the provider. This means that the provider will need to have software and policies in place to guarantee that data’s removal. The last thing you want to have happen is to have an old piece of data full of customer records, for example, resurface years after it was supposed to be erased.”

Secure The Facility

When it comes to facility security, Steve Lesem, CEO of Mezeo Software (www.mezeo.com), says SMEs have to understand the security capabilities in place at the physical location where the data is housed. “In fairness today,” he says, “this is somewhat subjective because there is a lack of standards and certifications. There are few SAS 70 Type II-compliant hosting facilities and more providers are striving to reach this standard, but it does not match the provider space perfectly.”

SAS 70 Type II (Statement on Auditing Standards No. 70) was developed and maintained by the AICPA (American Institute of Certified Public Accountants). Specifically, SAS 70 is a “Report on the Processing of Transactions by Service Organizations,” where professional standards are set up for a service auditor that audits and assesses internal controls of a service organization. At the end of the audit, the service auditor issues an important report called the Service Auditor’s Report.

Lesem advises enterprises to at least look for the basics in a provider or the hosting facility that they use. “Look for physical security capabilities like 7x24 security, video surveillance, biometrics/smartcard/proximity card-based access, as well as software authentication and logging to confirm who was accessing what systems and what they did with those systems, and in a way that ensures non-repudiation,” he says.

Lesem says enterprises often overlook the offboarding process that is put in place by the data center. “If the access rights are not immediately and comprehensively revoked,” he says, “a disgruntled ex-employee can easily circumvent the security processes and compromise any and all data stored within the data center.”

When evaluating facility security, Iron Mountain’s Kubick also advises looking for a pedigree in the space. “Many of the providers of the actual customer-facing applications may be new, but inspect where they are going to house your data. Is it in their garage or at a provider who has years of experience storing and securing customer data?”

Final Line Of Defense

The final line of defense in security is encryption. Encryption essentially protects the customer from any mistakes or shortcomings in the provider’s or host’s security strategy.

Encryption translates data into an unreadable form that then requires a secret code, also known as a key, to be able to read that data. If you don’t have the key, you can’t read the data. But encryption is not perfect.

According to David Silk, CTO at Bycast (www.bycast.com), “If security is critical, the safest way is to encrypt the data before storing it to the cloud and to manage the keys locally, outside of the cloud.” Although this provides the highest degree of protection, he says, if the purpose of the cloud is to provide data interchange, data sharing, data processing, search and indexing, or other value-added functionality, the encryption must be performed by the cloud or the keys must be disclosed to the cloud.

When the cloud is responsible for data protection or key management, data must be encrypted for both transport and while stored. This protects against the threats of traffic interception and theft of the raw storage medium used by the cloud provider. Within the cloud storage system, careful attention must be paid to how keys are managed, as the keys must be isolated from other tenants and, ideally, from the cloud administrators themselves. Be sure to use different keys for each file or object stored, which reduces the severity of the unauthorized disclosure of any given key.
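One way to combine the two recommendations above (encrypt before upload with keys managed locally, and a different key for each object) is envelope encryption, sketched here as an added example that is not part of the original article. The choice of AES-256-GCM, the stored-object layout, and all function and file names are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// AES-256-GCM with a random 96-bit nonce. The object name is bound as
// associated data, so a blob stored under another name fails to decrypt.
function seal(key, plaintext, name) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(name));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]); // nonce | tag | body
}

// Reverses seal(); final() throws on a wrong key, wrong name or tampering.
function open(key, box, name) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAAD(Buffer.from(name));
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Each object gets a fresh random data key. Only the wrapped (encrypted)
// data key and the ciphertext are uploaded; the master key stays local.
function encryptObject(masterKey, name, plaintext) {
  const dataKey = nodeCrypto.randomBytes(32);
  return {
    name,
    wrappedKey: seal(masterKey, dataKey, name),
    ciphertext: seal(dataKey, plaintext, name),
  };
}

function decryptObject(masterKey, obj) {
  const dataKey = open(masterKey, obj.wrappedKey, obj.name);
  return open(dataKey, obj.ciphertext, obj.name);
}

// True if a disclosed data key can read obj: shows how far one leak reaches.
function keyOpens(dataKey, obj) {
  try { open(dataKey, obj.ciphertext, obj.name); return true; } catch { return false; }
}

// Constructed sample data, not from the article.
const masterKey = nodeCrypto.randomBytes(32); // held on premises, never uploaded
const a = encryptObject(masterKey, 'customers.csv', Buffer.from('id,name\n1,Alice\n'));
const b = encryptObject(masterKey, 'invoices.csv', Buffer.from('id,total\n7,120.00\n'));
const leaked = open(masterKey, a.wrappedKey, a.name); // suppose a's data key leaks
console.log(keyOpens(leaked, a), keyOpens(leaked, b));
```

Because every object has its own data key, disclosure of one data key exposes that object alone, while the provider holds nothing it can decrypt without the locally held master key.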

by George Crump


The Security Of Data Protection

Encryption and physical security are only viable if the data is still there when needed. Data protection must be considered an important component of any data security strategy. Don’t assume the provider is taking appropriate measures to protect your digital assets. Confirm that it has backup procedures in place, and even consider replication capabilities to another facility that is geographically removed from the primary location.

From a data protection perspective, Justin Moore, CEO of Axcient Technologies (www.axcient.com), suggests confirming that the provider is taking the appropriate measures to make sure your data can be made available again if the hosting facility is catastrophically affected. “For many customers, the provider is housing the only copy of data for the SME, and as a result, that provider should be taking at least basic backup best practices to protect that data. The key thing to look for is that the provider is getting the data securely out of the hosting facility.”



Copyright © by Sandhills Publishing Company 2010. All rights reserved.