A reader asks: "How can organizations that use cloud services maintain security of customer data?" See our expert's response — and write one of your own.
In a Webinar titled “Cybersecurity Challenges and Solutions,” an attendee had the following question for expert Todd Carpenter:
Q: More and more organizations are using cloud services. How can an organization have security in such an environment?
Todd Carpenter: At the highest level, you should treat your cloud provider like any other part of your supply chain — and that pretty much means with suspicion. Make sure you have the right agreement in place. You’re obviously using them for some advantage, like saving money, but you need to consider the risks as well.
Think about it from this perspective: Who is in the data center at that cloud provider? Do you trust them? Are they bound the same way your own employees are? Would you trust them the same as your own employer? It's another company; they have access to the machines, your data, the backups, and everything else.
Another issue from the networking side is virtual machine to virtual machine attacks. Basically, these cloud machines attack each other, with software that's resident on the same piece of hardware. Most of the typical cloud hypervisors are not trustworthy in this case.
The good side of the cloud: [The services] have high availability, and providers might be able to patch things quickly for you if you're paying for it. Don’t go with “fly-by-night” providers; make sure you’re going with a real one.
But if a breach occurs, who holds liability? You do. That's the first thing you should look at. Read your service-level agreement. The best case: You get free service, but they do not indemnify you, so you own the overall liability. Think about that.
If you do have to use cloud services, my first recommendation is that you store encrypted customer data on it but decrypt it locally. If you're decrypting data on the cloud, you’re giving your customer information to whomever the cloud provider is. You're going to have to figure out how to protect it at that point.
Also: To reduce your liability, don't collect any more data than you need to, or that is appropriate by the type of machine or service you're providing.
Todd Carpenter is the Chief Engineer and Co-Owner of Adventium Labs, based in Minneapolis, MN.
What do you think? What are the best practices for data security?
Share your comments and questions below.
Watch the Webinar: Cybersecurity Challenges and Solutions.