Achieving Secure Storage in the Cloud
- By Brien M. Posey
- Jun 01, 2011
For many years now, data encryption has been a standard requirement for enterprises. More recently, however, organizations that have outsourced some IT resources to the cloud have discovered that the techniques they have relied upon for securing data are inadequate in a cloud environment.
Storage Security vs. Transport Security
Regardless of whether an organization stores data locally or in the cloud, there are two fronts in the battle to protect it: when it is at rest and when it is in motion.
Protecting data at rest falls in the realm of storage-level security: enterprises encrypt their assets at the file level or at the volume level so that anyone who obtains the storage medium without the key cannot read it. Be clear about what this does and does not cover. It stops an attacker who gets hold of a disk, a backup tape or a copied virtual disk image; it does not stop a process on the running server that has access to the key, and it does nothing for the data once a legitimate user has asked for it.
Protecting data in motion means safeguarding data while it is transferred over a network, and it is a separate problem from storage encryption, because storage encryption does not follow the data onto the wire. When a user requests an encrypted file over the network, the server (or the encryption software on it) checks whether the user has the necessary rights to the file (how this is done varies widely with the encryption product) and, if so, decrypts the file and sends it. Because the decryption happens before the file crosses the wire, the data travels in plaintext unless the connection itself is encrypted, which leaves it vulnerable to “packet-sniffing” attacks, in which someone on the network path captures traffic and copies the packets of interest, often by searching for keywords such as “password” or “login.”
So the only way to protect enterprise data adequately is to provide both storage and transport encryption. In a cloud environment, transport encryption is almost an afterthought: practically every cloud service provider offers transport-level encryption as a standard feature, typically HTTPS (that is, TLS) or IPsec. Stored data is another matter. Providers often give it only minimal protection, shifting the burden of storage security to cloud subscribers.
It’s not that cloud providers don’t do anything to protect stored data; rather, the degree of protection depends on the cloud model an enterprise is using, whether Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), and on which company provides the service.
Software as a Service
When it comes to secure storage within the cloud, SaaS generally provides the fewest security options. As I’m sure you know, the idea behind SaaS is that you can run applications in the cloud, often through a Web browser, rather than installing the application locally.
At first it may seem as though storage would not even come into the picture for SaaS clouds, but providers often require you to store application data with them. For example, Microsoft Office 365 includes a cloud-based version of Exchange Server. Organizations that use this hosted Exchange component have no choice but to store mailbox data within an Exchange Server database that resides in the cloud.
Some SaaS providers do allow you to store data locally, but doing so isn’t usually an application’s default behavior. For instance, Google Docs will allow you to store document files on your own computer or on a network file share, but the default is to save to the cloud.
When you subscribe to a SaaS cloud, there are normally no settings you can tune to make data storage more secure. You are at the cloud provider’s mercy to store your data in a secure manner. As such, the key to protecting your data is to ask the provider detailed questions about its security before you sign up for the service.
My experience has been that a SaaS provider will give you some information about its security measures, but it won’t go into great detail, on the grounds that disclosing too much about its security practices would itself be a security risk. For example, a provider may tell you that it uses file-level encryption and might even go so far as to say it is based on 256-bit AES, but it won’t tell you what mechanism performs the encryption. What you can reasonably insist on knowing is who holds the encryption keys, whether the keys are stored separately from the data, and whether an independent audit covers the storage controls; a provider that won’t answer even that is asking you to take its security on faith. Keep in mind that if a provider can’t (or won’t) give you enough information to satisfy you that your data is secure, nobody is forcing you to run the application in the cloud. You might be able to install the application locally instead or use a competing service.
Infrastructure as a Service
Although SaaS clouds don’t usually give you many options for protecting stored data, IaaS clouds provide organizations with a much higher degree of control. For the benefit of anyone who may not be familiar with IaaS, it is essentially an environment in which organizations are able to create infrastructure components in a manner similar to what would be done locally. IaaS clouds typically allow administrators to create, configure and manage virtual servers through a Web interface. Aside from the fact that these servers exist in the cloud, they are practically identical to the infrastructure servers that you might deploy on the premises.
Organizations that store data on a virtual server in an IaaS cloud usually must take responsibility for securing their own data. Sure, the cloud provider has firewalls in place, as well as a few other basic security mechanisms, but it is important to remember that these mechanisms usually exist as a way of protecting the service-provider’s infrastructure rather than guaranteeing that subscribers receive top-notch security.
Any organization that stores data on a server in an IaaS cloud must take measures to prevent data leakage. Simply put, you need to make sure that no one is allowed to access your data without the proper authorization. In order to achieve this goal, you need to understand a little bit about how your data is actually stored and your risk factors for data leakage.
Unlike a traditional enterprise datacenter, a cloud provider’s infrastructure is multi-tenant: the provider keeps its rates low by sharing physical servers and storage among many subscribers. Of course this doesn’t mean that each subscriber has access to every other subscriber’s data. The cloud provider puts boundaries in place to ensure that each subscriber can reach only its own data.
Even so, multi-tenancy itself opens the door to data exposure. Imagine for example that you subscribe to an IaaS host and set up a cloud-based file server. The server you create is actually a virtual machine running on the provider’s hypervisor, with its virtual hard drives stored on a SAN that provides the actual storage. Now imagine that later on you decide to bring all your data back in-house. You move the data and delete the virtual file server. What happens to your data?
Presumably, when you get rid of the virtual machine, its virtual hard drives are removed as well. Removing them, however, normally just marks the blocks they occupied on the SAN as free; deletion by itself erases nothing. Those blocks can then be handed to any of the provider’s other subscribers. Imagine that someone with bad intentions opens an account with the same provider and creates a virtual server. Unless the provider wipes freed blocks before reallocating them, which you cannot verify from inside a virtual machine, nothing stops this person from reading the new virtual hard drive block by block, ignoring the file system entirely, to see whether any of the previous subscriber’s data is still there.
The lesson is that whenever you decommission a virtual machine, you should securely wipe all of its data volumes, overwriting every block, before deleting the machine. Be aware of the limits of a wipe done from inside the guest: it overwrites the virtual disk as the guest sees it, but if the provider’s storage layer keeps snapshots or thin-provisioned copies, the old blocks may survive where you cannot reach them. Nor does a wipe address the physical side of the problem: cloud providers routinely replace hard drives as they fail or as they add capacity, and unless a provider physically destroys its old drives, there is a chance that the data on those drives could fall into the wrong hands.
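The following is an added example, not code from the original article: a Python version of the block-level scan a co-tenant could run against a freshly provisioned virtual disk, alongside the overwrite a subscriber should perform before releasing one. The device paths mentioned in the docstring are illustrative; everything below the two functions is a constructed scenario on a temporary disk-image file, with made-up “customer” data and a toy file system whose directory entry and file contents live in separate blocks.

```python
"""Data remanence on a released virtual disk: the co-tenant's block scan and
the overwrite that should precede decommissioning.

Added example, not code from the original article. For a real device pass a
raw device path such as "/dev/xvdf" (Linux) or r"\\.\PhysicalDrive1" (Windows);
both require administrative rights. Everything below the two functions is a
constructed scenario on a temporary disk-image file.
"""
import os
import secrets
import tempfile

BLOCK_SIZE = 4096


def scan_for_remnants(path, patterns, block_size=BLOCK_SIZE):
    """Read every block of a device or image sequentially and return a list of
    (pattern, byte_offset) for each occurrence of any of the byte patterns.

    The scan ignores whatever file system may be on the disk and looks only at
    raw bytes, which is why a file whose directory entry was deleted is still
    found."""
    max_len = max(len(p) for p in patterns)
    hits = []
    carry = b""   # tail of the previous block, so a match straddling a block boundary is seen
    offset = 0    # absolute offset of the first byte of the current chunk
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(block_size)
            if not chunk:
                break
            window = carry + chunk
            base = offset - len(carry)
            for pat in patterns:
                idx = window.find(pat)
                while idx != -1:
                    # a match lying entirely inside the carried tail was already
                    # reported while scanning the previous block
                    if idx + len(pat) > len(carry):
                        hits.append((pat, base + idx))
                    idx = window.find(pat, idx + 1)
            carry = window[-(max_len - 1):] if max_len > 1 else b""
            offset += len(chunk)
    return hits


def secure_wipe(path, passes=1, block_size=BLOCK_SIZE):
    """Overwrite every byte of the device or image with random data, block by
    block, and fsync so the writes leave the page cache. Returns the number of
    bytes overwritten on each pass."""
    fd = os.open(path, os.O_RDWR | getattr(os, "O_BINARY", 0))
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # unlike os.path.getsize, this works on block devices
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(block_size, remaining)
                buf = memoryview(secrets.token_bytes(n))
                while len(buf) > 0:               # os.write may write fewer bytes than asked
                    buf = buf[os.write(fd, buf):]
                remaining -= n
            os.fsync(fd)
    finally:
        os.close(fd)
    return size


# --- constructed scenario (made-up data, not from any real system) ----------
SECRET = b"CUSTOMER-RECORD: ssn=000-00-0000 card=4111111111111111"
STRADDLE = b"PASSWORD=hunter2"
PATTERNS = [b"CUSTOMER-RECORD", b"card=", b"PASSWORD"]


def simulate_decommissioned_disk(blocks=16, block_size=BLOCK_SIZE):
    """Tenant A's toy file system keeps a directory entry in block 0 and file
    contents in blocks 5 and 6. 'Deleting' the file clears only block 0, just
    as real file systems free blocks without erasing them. Tenant B then gets
    the same blocks and scans them. Returns the hits before and after a wipe."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        path = img.name
        img.write(b"\x00" * (blocks * block_size))
    try:
        with open(path, "r+b") as disk:
            disk.write(b"DIRENT: records.txt -> block 5")   # directory entry in block 0
            disk.seek(5 * block_size)
            disk.write(SECRET)                               # file contents
            disk.seek(6 * block_size - 4)
            disk.write(STRADDLE)                             # crosses the block 5/6 boundary
        with open(path, "r+b") as disk:
            disk.write(b"\x00" * block_size)                 # tenant A 'deletes' the file
        before = scan_for_remnants(path, PATTERNS)           # tenant B's scan: data still there
        secure_wipe(path)                                    # what tenant A should have done first
        after = scan_for_remnants(path, PATTERNS)
    finally:
        os.unlink(path)
    return {"hits_before_wipe": before, "hits_after_wipe": after}


if __name__ == "__main__":
    print(simulate_decommissioned_disk())
```

The scan reports the customer record at byte 20480 (block 5), the card number 33 bytes later, and the password at 24572 even though it straddles two blocks; after the overwrite the same scan returns nothing. Treat the wipe as the floor, not the ceiling: it changes the virtual disk as the guest sees it, but snapshots or thin-provisioned copies kept by the provider’s storage layer are out of reach from inside the VM, which is why encrypting the volume, rather than wiping it, is the control to rely on.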
A control that covers all of these cases is to encrypt the data on the virtual hard drive, so that whatever leaks is ciphertext. There are several options for doing so. You could use the Encrypting File System (EFS) built into NTFS if you are interested in encrypting only specific folders. Another option is BitLocker, which encrypts an entire volume. You could also use any number of third-party encryption products, and some IaaS providers even offer encryption of the virtual hard drive files at the storage layer. Whichever you choose, the protection is only as strong as the key management: if the key or recovery material sits in plaintext on the same virtual disk, or is held by the provider, the encryption protects you from neither the provider nor a co-tenant who obtains the disk. Keep keys and recovery passwords outside the provider’s environment, and remember that a virtual server typically has no TPM for BitLocker to rely on, so a protected data volume must be unlocked with a password or key file that you control.
Who Can Access Your Data?
It is easy to think of secure storage solely in terms of keeping outsiders away from the storage medium containing your data, but you also need to be concerned about parties who have legitimate access to the medium yet no authorization from you to read your data. This might include the cloud service provider’s own staff or even law enforcement acting under local law.
One of the big problems with cloud services is that the cloud service provider’s data center could physically reside anywhere in the world. For example, I live in the United States, but some of my data resides on a server in the United Kingdom.
Having your data stored on a server that’s halfway around the world isn’t a problem in and of itself. The problem is that different countries have different privacy laws. Some countries may have laws that allow the authorities to inspect—or even seize—your data at will. Likewise, there are undoubtedly countries where it is legal for the cloud service provider’s employees to access your data.
The best advice I can give you is to avoid cloud providers that house data in jurisdictions with weak or uncertain privacy laws. You also should watch out for providers that are based in one country but operate datacenters in another. Situations like these can make it difficult to determine which country’s laws take precedence when it comes to protecting your data.
Regardless of where a cloud service provider’s datacenter is physically located, it is critical that you read the service provider’s privacy policy and its service contract. These documents will tell you exactly what you can expect from the service provider and how it is allowed to use your data. You might be surprised by what is in the service contract.
When cloud computing was first offered, one provider’s service contract actually stated that any data its customers stored in the cloud became the provider’s legal property. Whenever a subscriber would try to cancel his service contract, the service provider would threaten to delete the data. Even though this provider went out of business a few years ago, other providers may attempt similar practices.
Backing Up Your Data
I have read articles and blog posts suggesting that everyone should move all their data to the cloud so they no longer have to worry about the hassles of backing the data up. However, you can’t assume that all of your cloud data is being backed up unless backups are guaranteed in writing as a part of the service-level agreement.
As a general rule, SaaS providers will back up your cloud data for you, but enterprises operating in an IaaS cloud are usually responsible for their own backups, although some providers will back everything up for you for an additional fee. Remember, if you subscribe to an IaaS cloud, then you are really only leasing server resources. What you do with those resources is up to you. I have actually heard stories of some organizations backing up data from an IaaS cloud to a SaaS-based backup service.
As you can see, there are different requirements for securing data depending on which cloud model you use. Keep in mind, however, that cloud services are not an all-or-nothing proposition. In the real world, it is becoming increasingly common for organizations to subscribe to multiple clouds of varying types from multiple service providers. As such, you may have to use several different methods to protect your cloud data.
This article originally appeared in the June 2011 issue of Network-Centric Security.