Can I Trust the Cloud with My Data Security?
The scope of the challenge
Every passing day seems to bring word of another data breach. A million identities lost here, ten million there…it almost seems like institutional and corporate entities have opened the doors to their vaults and data is pouring out. This month brings the news that the Home Depot payment card breach involved 56 million accounts, second only to the 2007 TJ Maxx breach involving 90 million accounts.
The problem is not limited to large entities, nor to financial data. Health data is now a common target as well. The Identity Theft Resource Center reported that in 2014, as of September 16, 546 breaches had been reported in the US, exposing a total of 19 million records. At the time of that report, the size of the Home Depot breach had not been determined, and so it was not included in that total. Why have these breaches received so much media interest, when the underlying problem is so complex? As Don Henley sings in Dirty Laundry:
I make my living off the Evening News, just give me somethin’, somethin’ I can use, people love it when you lose, they love dirty laundry.
It’s news, it’s hard to understand, and it sells! However, data loss is a real and continuing problem.
A primer on hacking and malware
Understanding where data actually gets compromised helps you know where to place your concern. To gain that insight, we need to understand more about the challenges of computer security. Building this knowledge base lets you evaluate the risks of data storage and access more reasonably.
Going back in history, autonomous, self-replicating software (software with purposes of its own) has been discussed since John von Neumann lectured on the subject in December 1949. There is much misinformation in the popular press, and even among those with some knowledge, imprecise use of terminology exacerbates the confusion. Generally speaking, all malicious software (software that has a purpose not agreed to by the user of the software) can be termed malware. Within that universe, however, malware takes a wide variety of technical approaches and has a wide range of impacts. The term virus has become a catch-all phrase for almost all malware, but it really describes one very specific type. A simplified technical taxonomy of malware is presented below:
- Virus – malware that modifies other executable programs in the computer system, inserting copies of itself into those programs. Typically requires exposure to an infected program (running that program on a computer) to allow the infection to spread; follows the biological metaphor. Like a biological system, an infected program does not appear visibly ill and is able to easily pass to another system during the incubation period before its purpose becomes obvious.
- Worm – malware that once running on a connected system in a network, probes systems connected on that network looking for places where it can load and run itself.
- Trojan – malware that follows the modus operandi of the historical Trojan Horse. It purports to have one purpose, but when “pulled inside the gates” (the program is run by the unsuspecting user), it actually launches its payload.
So far, we’ve not addressed the reason for the existence of malware and unauthorized system access (hacking). Initially, most malware was created as a game, out of curiosity to see if it could be done. Likewise, early defacement of websites or unauthorized retrieval of information from systems was often done to show that it could be done, without any effort to monetize the result. However, as money flowed to the Internet with its commercialization in the mid-1990s, the motive began to shift to profit. An interesting perspective on this trend is provided in the book Fatal System Error by Joseph Menn.
So what does all this mean? It means that your data is a target, wherever it is.
My data’s safer if I keep it on MY systems…isn’t it?
Your data may be safe on systems you control or manage, or it may not. That’s the fundamental challenge with data security — risks are everywhere. The struggle is for us to separate the legitimate concerns from irrational Fear, Uncertainty, and Doubt (FUD) about data storage, and to understand what measures should be taken to mitigate risk.
Virtually all computing devices today are connected to a routed network, and thus to the Internet. Only specialized security-focused networks, or those so geographically isolated that they cannot connect to other networks, are “islands” with no further connectivity. This is important to acknowledge, since the network is the vector used by most malware. Exactly how this happens is something we’ll develop later. For now, understand that if your computer is connected to the Internet, it’s exposed. A widely cited, unattributed aphorism states, “The only truly secure computer is one buried in concrete, with the power turned off, and the network cable cut.” With today’s ubiquitous wireless networking, this perhaps should be updated to add that the whole concrete-encased computer should be enclosed in a Faraday cage. Of course, sometimes even precautions like these can be breached, as the Stuxnet malware, which crossed an air gap on removable media, showed us — but that’s a story for another day.
Before we go further, let’s think about what the cloud is, and what it means to use it for data storage. Simply stated, cloud computing means leveraging resources (such as applications and data) that reside on a connected computer or group of computers remote from the user. See the article Cloud-based Integration of the Educational Enterprise in this blog for a further description of the history and development of cloud computing. For our purposes today, cloud storage of data means data residing on system(s) remote from the user, and in particular on systems operated by an organization in the business of keeping such data for others.
Now that we can look at both local and cloud-based systems with a more objective eye, it’s time to talk about risks. Real risk to data begins with lax maintenance of both servers and workstations. Most people instinctively think of the risk to servers, but in practice the metaphorical “soft underbelly” is the workstation used to access the server. In high-security environments, such as those handling health care information subject to HIPAA regulations, end users are often required to access data only from dedicated workstations that have no access to the open Internet. A workstation used for data access from 8 AM to noon, but for shopping and web surfing at lunch, exposes the afternoon’s work (and every workday thereafter) to any malware picked up at lunch.

The reality is even more insidious: work-related research and other browsing is just as dangerous as personal surfing. Symantec reported that in 2013 approximately 67 percent of websites used to distribute malware were legitimate sites that had been compromised, and the list of commercial, educational, and governmental sites that have at some point served malware is long. While the number of browser vulnerabilities declined in 2013, hundreds of vulnerabilities contributing to drive-by attacks were still spread across all major browsers. As browser vendors work to patch those holes, attackers increasingly rely on social engineering: phishing (sent broadly) and spear-phishing (targeted at particular people or organizations). Why are such attacks so damaging to data security? Simply put, once malware executes on a workstation it runs with the privileges of the logged-on user, and so has access to every file, share, and service that user can reach, whether or not the server holding the data is itself ever compromised.
As you consider the safety of your data, whether on your local workstation, a network server, or at a cloud provider, it’s important to think about your computing practices and environment for workstations and servers. What type of network access and workstation segregation do you employ? Are your applications and operating systems fully patched and up-to-date? Do you employ firewalls? Do you monitor network and firewall logs? Do you have dedicated security staff who perform these functions?
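Two of the questions above, workstation segregation and firewall log monitoring, can be checked against each other. As an added example (not code from the original post or from N2N), the Python script below reads a handful of constructed, iptables-style firewall log lines and flags every accepted connection from the dedicated data-access workstation subnet to anything other than the permitted internal servers. The log format, the 10.20.5.0/24 subnet, the server address, and all sample lines are assumptions chosen for illustration; a dropped connection is not flagged, because there the firewall did its job.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified iptables-style syslog format (an assumption;
# real firewall logs vary by vendor). Each line records an accepted or dropped connection.
SAMPLE_LOG = """\
Sep 16 12:01:03 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=10.20.1.10 PROTO=TCP DPT=443
Sep 16 12:05:41 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=203.0.113.45 PROTO=TCP DPT=80
Sep 16 12:06:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.5.22 DST=198.51.100.9 PROTO=TCP DPT=443
Sep 16 12:07:15 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.9.40 DST=203.0.113.45 PROTO=TCP DPT=80
Sep 16 12:09:30 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.5.22 DST=10.20.1.10 PROTO=TCP DPT=443
Sep 16 12:11:58 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.5.17 DST=198.51.100.77 PROTO=UDP DPT=53
"""

# Policy (assumed values): the dedicated data-access workstations live in 10.20.5.0/24 and may
# only talk to the internal application/database server. Any other ACCEPTed connection from
# that subnet is a segregation failure worth investigating.
DATA_WORKSTATIONS = ipaddress.ip_network("10.20.5.0/24")
PERMITTED_SERVERS = {ipaddress.ip_address("10.20.1.10")}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>ACCEPT|DROP) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def find_egress_violations(log_text, workstations=DATA_WORKSTATIONS, permitted=PERMITTED_SERVERS):
    """Flag ACCEPTed connections from the restricted subnet to anything but the permitted servers.

    Returns a list of (timestamp, src, dst, proto, dport) tuples in log order. DROP lines and
    unparseable lines are skipped.
    """
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["src"] in workstations and rec["dst"] not in permitted:
            violations.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["proto"], rec["dpt"]))
    return violations


def summarize_by_host(violations):
    """Count violations per source workstation so the noisiest host is reviewed first."""
    return Counter(v[1] for v in violations)


if __name__ == "__main__":
    found = find_egress_violations(SAMPLE_LOG)
    for ts, src, dst, proto, dpt in found:
        print(f"{ts} restricted workstation {src} reached {dst} {proto}/{dpt}")
    print("per host:", dict(summarize_by_host(found)))
```

On the sample data the script reports two accepted connections from 10.20.5.17 (one to a web server on port 80, one to an external DNS resolver), which tells you both that the workstation rule set is looser than the policy says and which host to look at first. The same loop, fed from a real log source, is the cheapest form of the monitoring the checklist asks about.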
So, then, is a cloud service inherently less secure than a network-attached server, locally hosted and managed by your organization? Both are network-connected and thus exposed to the same external threats (careful network configuration can reduce the exposure of your local server). Both require the same types of maintenance and monitoring. Cloud infrastructure providers are increasingly obtaining audited certifications of their policies and procedures covering issues such as maintenance and monitoring (certifications such as ISO 27001/27002, PCI DSS Level 1, and SSAE 16 are becoming common). Cloud providers will also sign HIPAA Business Associate Agreements (BAAs), which hold the provider to a very high standard. Note that such certifications attest to the provider’s own controls; how you configure your accounts, access credentials, and data within the service remains your responsibility. In making a comparison that doesn’t rely on Fear, Uncertainty, and Doubt, it’s important to objectively consider not only what cloud service providers offer, but also to hold your internal organization to the same high standards to which the cloud service providers are holding themselves.
N2N’s Integration Cloud and security
N2N Services embraces cloud-based solutions for its service and product offerings. It starts with a responsive, flexible, reliable and secure cloud infrastructure platform (Amazon Web Services). Amazon has obtained many compliance statements that speak to the practices it uses to manage its Amazon Web Services (AWS) offerings. N2N builds its solution on that foundation. N2N’s professional systems administration team works to keep connections to this environment secure, leveraging Virtual Private Network (VPN) technology to create a secure tunnel between the N2N client’s site and the AWS environment.
So, we return to our original question, “Can I trust the cloud with my data?” The answer, as we’ve seen, is a qualified yes, but that’s the same as the answer to the corollary question, “Can I trust my local system with my data?” What matters, in the end, is the framework of policies, procedures and practices around information security and the degree to which an organization adheres to that framework, not the location of the data.
Please contact us if you would like to hear more about N2N’s service offerings or to have a consultation on information security.