Information lifecycle in the cloud
Another critical element of data protection in the cloud involves the data lifecycle. Whether data is encrypted or not, customers should have a clearly defined data lifecycle, and ensure CSPs can maintain and support this, especially in the case of a business failure or other critical situation that could expose sensitive information. A reasonable lifecycle approach should include the following:
- Retention: CSPs should state how long they retain data that relates to customer instances and applications. In many cases, this may be log data or other related information that potentially contains sensitive details about customer activities.
- Disposal: Under what circumstances do CSPs dispose of customer data? If the CSP goes out of business, or some other unusual scenario comes to fruition, contractual language should protect the customer by stating that CSPs will dispose of data in a secure manner. This may consist of destroying physical drives or using degaussing or disk wiping software.
- Classification: Data classification can be simple to define, yet challenging to implement. For sensitive data within a cloud environment, organizations may want to ensure the data is appropriately segmented by using dedicated hypervisor platforms or systems versus traditional multitenant scenarios. Most providers offer virtual private clouds or standalone cloud servers for an additional cost, and this may be the best option for highly sensitive data.
DLP in the cloud
Data loss prevention is another common data protection technology that may require adaptation for virtualized and cloud environments. Following are several key considerations related to cloud DLP:
- Policy and monitoring: Host- and network-based DLP products need to fingerprint sensitive data before they’ll be capable of detecting and preventing potential breaches. For customers who employ host-based DLP agents, software agents with a pre-existing policy can run on virtual machines in the cloud as long as the agent can communicate with policy and alerting systems. Network-based DLP may not translate effectively to a public cloud in any sense, as any monitoring tools in a CSP environment would need to be tuned to each customer’s data types and usage patterns. In a private cloud, and potentially in a hybrid cloud, DLP policies and monitoring can likely operate normally, as long as the DLP technology is compatible with the virtualization platforms in use. Most major DLP product vendors, including McAfee and Symantec, support DLP agents on virtual machines. Network monitoring may require some architecture redesign, however, to ensure traffic from virtual switches is supported. Some providers such as Trend Micro and Palisade Systems offer DLP virtual appliances that can integrate into virtualized networks.
- Incident detection and management: One challenge with cloud-based DLP is the need to tightly integrate into an incident response program. Many CSPs do not provide in-house incident response services for customers, and others may not be able to adequately support event notification service-level agreements (SLAs) that trigger customer’s incident response programs internally. This means any DLP detection or prevention actions taken in the cloud, most likely from a software agent on IaaS-hosted virtual machines, may not quickly lead to investigations from either CSP or customer IR teams.
- Provider DLP Controls: Technologies such as Websense Cloud DLP are attempting to integrate traditional DLP policies and monitoring with SaaS cloud solutions such as Salesforce.com, as well as PaaS and IaaS cloud options such as Azure and AWS. Cloud-based security service providers like Zscaler are offering DLP services specific to its hosted email and Web analysis services, which may be a good option for customers looking to outsource DLP entirely. Unfortunately, major CSPs do not offer robust DLP options that are the equivalent of customers’ in-house DLP today. Another point to consider is the internal CSP controls (including DLP), given the potential access to customer data and systems by CSP staff. For this, look to a CSP’s SAS 70 or SSAE 16 report on internal controls to ensure DLP or other protective technologies are in place internally.
Cloud computing data protection technology challenges to consider
Within virtualized environments, numerous virtual machines are housed on a single physical system, a condition known as multi-tenancy. The hypervisor software is responsible for maintaining segmentation and isolation between virtual machines. This can be augmented with open source or commercial virtual network and virtual security appliances or add-ons. However, there are still challenges to traditional security best practices that stem from multi-tenancy, such as separation of duties and system segregation.
Policy: Different virtual systems and data sets may have widely differing classifications and sensitivity levels. To ensure the proper security policy is applied to sensitive data, systems, and applications that store or process this data are often kept physically separate from others. However, in a multi-tenant environment such as the cloud, this may not be feasible. In addition, ensuring internal policies related to data handling and access control may be difficult when migrating systems and applications to a cloud provider. This can be a problem when integrating public cloud services to an existing private cloud (a hybrid cloud scenario), as well as during a wholesale migration of data and systems to a public cloud environment.
Encryption: Encryption can be challenging to implement internally due to key management and maintenance, performance issues, and access controls. Extending internal encryption platforms and capabilities into the cloud can seem daunting at best. For example, how will administrators manage encryption keys for data and systems in the cloud? When encryption keys need to be generated or revoked, how can this easily be accomplished for resources hosted elsewhere? Will cloud service providers (CSPs) need access to keys, and what kinds of risk will this introduce? For hybrid clouds, handling encryption may be less of an issue, but moving to a public cloud may pose significant challenges.
DLP: Data loss prevention (DLP) requires a number of distinct technologies and processes to be effective. First, sensitive data needs to be fingerprinted so DLP monitoring tools can recognize the data based on string matching, file types and other attributes. Second, a centralized policy creation and implementation infrastructure needs to be in place to push policy to DLP monitoring tools, and these monitoring tools need to be in place to inspect traffic on network segments and critical host systems alike. Finally, quarantine and response measures should be implemented to take a variety of actions when a potential policy violation is detected. Implementing this in virtualized environments may be problematic due to resource constraints that result from installation of DLP software agents, or lack of virtualization integration options. Extending DLP to a CSP infrastructure may be difficult, especially in a multi-tenant environment where granular data protection policies are not available.
Monitoring: Security monitoring techniques using intrusion detection, network flow analysis tools, and host-based agents are common in internal data centers. However, ensuring systems are properly monitored in the cloud is a different story. In many cases, cloud providers may not allow or support advanced monitoring technologies or processes, although some may offer this as a service.