Building a fortress in the cloud for your critical data

Businesses are in the crosshairs as military and spy organizations around the world step up their cyber-snooping techniques, and the shift to cloud is only exacerbating the risks. How can you be sure your cloud partner is capable of protecting your data from cyberattacks?

Most cloud providers agree that security is the paramount, but in reality many do not possess the fundamentals to protect your data. Just because a cloud provider has performed a baseline security assessment does not mean the vendor is truly capable of protecting your data.

ROUNDUP: The worst data breach incidents of 2012

By asking the following questions of potential cloud providers, organizations looking to move some or all of their enterprise data and applications to the cloud can eliminate about half of the cloud vendors and find comfort in knowing their selected partner will be well-equipped to protect their information.

1. What encryption methods will be employed for my data?

Asking what encryption methods are employed is essential in defining the level of security or protection used. To fully protect data, it needs to be encrypted at rest and in transit.

There are built-in capabilities within the traditional databases that take advantage of Transparent Data Encryption (TDE) functionality. TDE is a technology employed by both Microsoft and Oracle to encrypt database content, offering encryption at a column, table and tablespace level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media. Enterprises typically employ TDE to solve compliance issues such as PCI DSS. Encryption can also be applied via third-party software.

If encryption is applied, you need to ask what functionality is used. Determine if it is inherent capability or third-party software. Ask if they are using a specific PKI strategy and whether they are using data loss prevention (DLP) tools. All of the answers to these questions define how your data is protected and the "security maturity level" of your potential cloud provider.

Another element of this question is organization-specific. Based on what industry you are in, there will be some minimum requirements in place that will tell you whether or not you can store your information in a cloud provider's facility. Government organizations, for example, require that data is protected by token-based encryption. If your potential partner cannot come up with that answer, then you will not be moving into that facility.

2. What compliance regulations do you subscribe to?

Given your organization, there may be specific compliance regulations for housing and managing your data. By choosing a cloud provider that already adheres to PCI security standards for credit card transactions or to HIPPA for storing medical records, for example, you are able to ensure that, without question, auditors will find this data to be properly secured.

To be certain you are meeting these regulations, you should be able to request to test these security standards. Any trustworthy cloud provider will gladly allow you set up a vulnerability test on the facility to prove they meet your compliance needs.

You must also, however, be sure to ask whether all of a provider's data centers are meeting these compliance standards. Just because one of the vendor's data centers meets these regulations, doesn't mean that is the case across the board, and you must be certain your data always remains in compliant facilities.

3. How are you storing my data?

Many do not view this as a security question, but understanding the architecture of a virtual or dedicated physical environment and knowing how a provider is going to "build the fortress" is key to knowing that your data is truly secure and ensuring that there is a trusted level of accountability.

In building a secure cloud environment, many believe a private cloud with data residing on dedicated hardware is the safest option. However, there have been many advances in that address the concerns. In particular, VMware with specific third-party solutions, has embedded a holistic approach to security and the network to better segregate and secure the virtual environment.

Virtualization does not mean the same thing to every provider, and "cloud" means different things to different people. Understanding the various models and tech strategies for creating a virtual environment will empower IT decision-makers to weed through the cloud partners to find those that will meet your unique organizational needs. For example, with leading-edge technology from VMware, it is possible to segregate virtual environments on the same hardware, creating a secure, virtual "private cloud" in a mutli-tenant environment. This does not fit the private cloud definition in a traditional sense, but still provides the utmost in security and dedicated resources, ensuring the uptime and availability of their data and applications.

4. Who are the people protecting the fortress?

Even if the brick-and-mortar facilities and elements of logical security are up to standards, it's important to know who will be handling the daily "care and feeding" of your data and applications. You should understand the hiring practices that your cloud partner has in place and what experience the staff has in terms of managing complex IT operations. If a provider's organization and staff has experience both as a consumer and vendor of cloud services, you can be further assured that they can share your perspective and understand what their offering should entail to serve your business needs.

Furthermore, a cloud provider should be able to tell you how often they are testing their staff, to both certify and re-certify the team to ensure best practices are maintained and a sufficient level of technological competence is achieved.

Your cloud partner should be seen as an extension of your IT operations, and you should be able to put a face to this team of skilled professionals protecting your data. Understand the process by which security matters are escalated, and a trustworthy cloud provider will ensure you that in the off chance the cloud were to go down or your data were to be compromised, one of your dedicated team members would have the experience and capability to manage the situation.

Join the CSO newsletter!

Error: Please check your email address.

Tags cybersecurityPCI data security standardscloud securityCyberattackprivate cloudIT managementcloud computinginternetPCI DSSvirtualizationTransparent Data Encryptiondata encryptionsecurityCloudcyber-espionagelegalregulatory compliancecybercrimecomplianceTDE

More about DLPMicrosoftOracleVMware Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jose Albino, director of operations and compliance, Hughes Cloud Services

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place