Achieving Secure Storage in the Cloud
For many years now, the encryption of data within the enterprise has been a standard requirement. More recently, however, organizations that have begun outsourcing various IT resources to the cloud have begun to discover that the established techniques for securing data that they have relied upon for so long are inadequate in a cloud environment. In this article, I will explain why this is the case and what you can do to make data stored in the cloud more secure.
Storage Security vs. Transport Security
Regardless of whether an organization stores data locally or in the cloud, there are two main fronts in the battle to protect that data. Data must be protected when it is at rest, and when it is in motion.
Protecting data that is at rest falls into the realm of storage-level security. Simply put, a mechanism such as file-level encryption or volume-level encryption needs to be used to prevent unauthorized access to the data.
Protecting data in motion refers to safeguarding data that is being sent across the wire. This is completely different from storage encryption. When a user attempts to access data from an encrypted volume over a network, there are processes that occur to ensure that the user has the necessary rights (these processes vary widely depending on the type of encryption that is being used). Assuming that the user has the necessary permissions, the requested file is decrypted and sent to the user. Often, however, the decryption process occurs before the file is sent across the wire, leaving the data vulnerable to packet sniffing attacks.
The only way to adequately protect your data is to provide storage encryption and transport encryption. In a cloud environment, transport encryption is almost an afterthought. Pretty much all cloud service providers provide transport-level encryption as a standard feature whether it be HTTPS, TLS, IPSec, or something else. However, cloud service providers often provide minimal protection for stored data, shifting the burden of storage security to cloud subscribers.
Don’t get me wrong. I’m not saying that cloud providers don’t do anything to protect stored data. However, the degree of protection that is provided depends on what type of cloud is being used (SaaS, IaaS, PaaS, etc.), and on which company is providing the service.
Software as a Service
When it comes to secure storage within the cloud, Software as a Service (SaaS) is the type of cloud that generally provides the fewest security options. As I’m sure you know, the idea behind SaaS is that you can run applications in the cloud (often through a Web browser) rather than installing the application locally.
At first it may seem as though storage would not even come into the picture for SaaS clouds, but SaaS providers often require you to store application data with them. For example, Microsoft Office 365 includes a cloud-based version of Exchange Server. Organizations that decide to use the hosted Exchange component have no choice but to store mailbox data within an Exchange Server database that resides in the cloud.
Some SaaS providers do allow you to store data locally, but doing so isn’t usually the default behavior for such applications. For instance, Google Docs will allow you to store document files on your own computer (or network file share), but the default behavior is for documents to be saved to the cloud.
When you subscribe to a SaaS cloud, there normally aren't any settings that you can tune to make data storage more secure. You are at the cloud provider's mercy to store your data in a secure manner. As such, the key to protecting your data is to ask the provider detailed questions about their security before you sign up for the service.
My experience has been that a SaaS provider will give you some information about their security measures, but won’t go into great detail because disclosing too much information about security practices constitutes a security risk. For example, a provider may tell you that they use file system encryption and they might even go so far as to tell you that their encryption is based on 256-bit AES, but a security-conscious provider won’t tell you what kind of mechanism is being used to facilitate the encryption. Keep in mind, however, that if a provider can’t (or won’t) give you enough information to assure you that your data truly is secure then nobody is forcing you to run the application in the cloud. You might be able to install the application locally instead or use a competing service.
Infrastructure as a Service
Although SaaS clouds don’t usually give you many options for protecting stored data, IaaS clouds provide organizations with a much higher degree of control. For the benefit of anyone who may not be familiar with IaaS, it is essentially an environment in which organizations are able to create infrastructure components in a manner similar to what would be done locally. IaaS clouds typically allow administrators to create, configure, and manage virtual servers through a Web interface. Aside from the fact that these servers exist in the cloud, they are practically identical to the infrastructure servers that you might deploy on premises.
Organizations that store data on a virtual server in an IaaS cloud must usually take responsibility for securing their own data. Sure, the cloud provider has firewalls in place as well as a few other basic security mechanisms, but it is important to remember that these mechanisms usually exist as a way of protecting the cloud service provider's infrastructure rather than guaranteeing that subscribers receive top-notch security.
Any organization that stores data on a server in an IaaS cloud must take measures to prevent data leakage. Simply put, you need to make sure that no one is allowed to access your data without the proper authorization. In order to achieve this goal, you need to understand a little bit about how your data is actually stored and what the risks are that could potentially result in data leakage.
Unlike a traditional enterprise datacenter, cloud service providers are multi-tenant, meaning that cloud providers are able to keep their rates low because servers are shared among multiple subscribers. Of course, this doesn’t mean that each subscriber has access to every other subscriber’s data. The cloud provider puts boundaries in place to ensure that each subscriber is only able to access their own data.
Even so, the very fact that cloud data centers are multi-tenant lends itself to the possibility of data exposure. Imagine for example that you subscribe to an IaaS host and set up a cloud-based file server. The server that you create is actually a virtual machine (usually running on VMware) that is linked to a SAN, which provides the actual storage. Now imagine that later on, you decide that you want to bring all of your data back in-house. You move the data and delete the virtual file server. What happens to your data?
Presumably, when you get rid of the virtual machine its virtual hard drives are removed as well. At that point, however, the space that was previously occupied by your data is available for use by any of the cloud service provider’s other subscribers. Therefore, imagine that someone with bad intent opens up an account with the cloud provider and creates their own virtual server. In an IaaS environment, there is nothing stopping this person from performing a block-level scan of their virtual hard drives to see if any of the previous subscriber’s data still exists.
The lesson here is that whenever you decommission a virtual machine, you should perform a secure format on all of its data volumes prior to deleting the machine. However, performing a secure format alone does not fully address this issue. After all, cloud providers routinely replace hard drives as they fail or as the provider requires additional capacity. Unless a cloud provider physically destroys their old drives there is a chance that the data on those drives could fall into the wrong hands.
One way that you can prevent the leakage of your data in these types of situations is to encrypt all of the data on the virtual hard drive. There are several options for doing so. For instance, you could use NTFS encryption if you are only interested in encrypting specific folders. Another option is to use BitLocker encryption to encrypt an entire volume. Of course, there are also a number of third-party encryption products, and some IaaS providers even offer hardware-level encryption of virtual hard drive files.
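As an added example (not from the article), the PowerShell script below covers the two steps discussed above for a Windows server in an IaaS cloud: enabling full-volume BitLocker on a data volume, and performing a full format plus a free-space wipe on that volume before the virtual machine is deleted. It assumes the BitLocker feature is installed, the data volume is mounted at D:, and the script runs from an elevated session; the function names Protect-DataVolume and Clear-DataVolume are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own code. Assumes a Windows server with the
# BitLocker feature installed and a data volume mounted at D: (adjust as needed).
param(
    [string]$MountPoint = 'D:',
    [ValidateSet('Protect', 'Decommission')]
    [string]$Mode = 'Protect'
)

function Protect-DataVolume {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$MountPoint is already protected ($($vol.EncryptionMethod))."
        return
    }
    # Encrypt the whole volume (no -UsedSpaceOnly) so previously used blocks are
    # covered too, with a recovery password as the key protector.
    $vol = Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -RecoveryPasswordProtector
    $rp = ($vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
    # Escrow the recovery password somewhere outside the cloud tenant that
    # holds the volume, e.g. an on-premises key vault.
    Write-Host "Recovery password for $MountPoint (store offline now): $rp"
}

function Clear-DataVolume {
    param([string]$MountPoint)
    $drive = $MountPoint.TrimEnd(':')
    # A full (not quick) format writes over every sector of the volume.
    Format-Volume -DriveLetter $drive -FileSystem NTFS -Full -Force -Confirm:$false
    # Belt and braces: cipher /w overwrites the remaining free space three times
    # (zeros, ones, random) so nothing readable is left for the next tenant.
    cipher.exe /w:"$MountPoint\"
    Write-Host "$MountPoint wiped; the virtual machine can now be deleted."
}

switch ($Mode) {
    'Protect'      { Protect-DataVolume -MountPoint $MountPoint }
    'Decommission' { Clear-DataVolume   -MountPoint $MountPoint }
}
```

Run with `-Mode Protect` when the file server is first built and with `-Mode Decommission` as the last step before the virtual machine (and its virtual hard drives) are removed.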
Who Can Access Your Data?
It is easy to think of secure storage solely in terms of preventing unauthorized access to the storage medium containing your data, but believe it or not, you also need to be concerned about your data being accessed by those who have the proper authorization. This might include the cloud service provider’s staff or even law enforcement.
One of the big problems with cloud services is that the cloud service provider’s data center could physically reside anywhere in the world. For example, I live in the United States, but some of my data reside on a server in the United Kingdom.
Having your data stored on a server that’s halfway around the world isn’t a problem in and of itself. The problem is that different countries have very different privacy laws. Some countries may have laws that allow the authorities to inspect (or even seize) your data at will. Likewise, there are undoubtedly countries in which it is legal for the cloud service provider’s employees to access your data.
The best advice that I can give you is to avoid cloud providers who house data in third world countries with dubious privacy laws. You should also watch out for providers that are based in one country, but who operate datacenters in a different country. Situations like these can make it difficult to determine which country’s laws take precedence when it comes to protecting your data.
Regardless of where a cloud service provider’s datacenter is physically located, however, it is critically important to read the service provider’s privacy policy and their service contract. These documents will tell you exactly what you can expect from the service provider and how they are allowed to use your data. You might be surprised by what is in the service contract.
When cloud computing first started to be offered, there was one provider whose service contract actually stated that any data that you store in the cloud becomes the provider’s legal property. Whenever a subscriber would try to cancel their service contract, the service provider would threaten to delete their data. Even though this provider went out of business a few years ago, there may be other providers who would attempt similar practices.
Backing Your Data Up
I have read articles and blog posts that have suggested that everyone needs to move all of their data to the cloud so that they no longer have to worry about the hassles of backing that data up. However, you can’t just assume that all of your cloud data is being backed up unless backups are guaranteed in writing as a part of the service level agreement.
As a general rule SaaS providers will back up your cloud data for you, but those operating in an IaaS cloud are usually responsible for their own backups (although some providers will back everything up for you for an additional fee). Remember, if you subscribe to an IaaS cloud then all you are really doing is leasing server resources. What you do with those resources is up to you, and it is your responsibility to come up with a plan for backing up data that is stored in an IaaS cloud. I have actually heard stories of some organizations backing up data from an IaaS cloud to a SaaS-based backup service.
Final Thoughts on Cloud Models
As you can see, there are different requirements for securing data depending on which cloud model is being used. Keep in mind, however, that cloud services are not an all-or-nothing proposition. In the real world, it is becoming increasingly common for organizations to subscribe to multiple clouds of varying types from multiple service providers. As such, you may have to use several different methods to protect your cloud data.
About Parallels Remote Application Server (RAS)
Parallels® RAS offers tailor-made, easy-to-implement and cost-effective server based and virtual computing solutions. With their trademark affordability and simplicity, as well as the single licensing model, Parallels RAS unlocks the full potential of virtualization platforms by improving desktop manageability, security and performance. Download a 30-day trial.