Cloud Security: Is it all Jurisdictional and Audit Issues?

When you read many blogs and articles on cloud security, writers such as myself often mention jurisdictional issues as a big problem.  Nor is the ability to Audit clouds the only problem. Yet both of these are huge issues for clouds today, but fundamentally, is the cloud flawed from a security point of view or are there plenty of security mechanisms available?

The key to cloud security is to consider your data whether that data is in the form of a virtual machine, database entries, files, or short bursts of text that end up in the cloud. So how does one protect data within the cloud, is the real concern. Jurisdictional issues pertain to where your data resides and audit issues pertain to compliance, the real question is can the confidentiality, integrity, and availability of your data be maintained.  While the latest virtualization security podcast covered compliance (video to right), we need to also consider the protections on our data. Which implies we need to fully understand our data.

But the key is what aspect of the data should we understand?

  • We should understand the classification of the data
  • We should understand the risk associated with the data being leaked out
  • We should understand the impact associated with the data being unavailable
  • We should understand the gross structure of the data

There are many other considerations as well, but these I believe at the main ones we need to consider.

The last about the structure of the data is rather interesting as we do not need to understand the intricacies of the data structure, but instead the gross level such as the type of data (virtual disk, database, multi-host data, etc.) as this will tell us which security mechanisms work best and which do not. We also need to understand the impact associated with the data being unavailable, as such we may need to concentrate more on data protection, business continuity over other aspects of security. We need to fully understand the risk associated with the data being leaked, which will also govern which security mechanisms we use. The last item, is classification of the data, and that will tell us another set of tools to use for security.

So everything boils down to protecting the data, not any one construct but all constructs that comprise the data. The requirement to understand the data narrows down the tools required to protect that data. Our tools range from encryption through to firewall controls with a healthy dose of monitoring for anti-malware, anti-virus, and data loss prevention. What it boils down to, is there enough security within the cloud to provide us enough security mechanisms to protect our data using mechanisms that meet the requirements the data drives?

In some ways, I think there is, in others I think there are not. I know the it depends answer is prevalent in this field, but let us delve into this a bit more and look at confidentiality, integrity, and availability.

Can a cloud provide availability? Of course, if they replicate the data between their various data centers. If you require this level of service, you pay a little extra and viola it is grafted onto your cloud instance. In addition, you can regularly pull your data off the cloud and store it locally. Those local data instances, could then be used as part of business continuity and disaster recovery plans.

Can the cloud provide integrity? The cloud by itself cannot but the you can digitally sign all data before it enters the cloud, as well as download and verify your data on a regular basis. Digital signatures are best, but other mechanisms are available. Some clouds, Google Docs, allow you to use digital signing technologies without the bothersome need to download, sign, and then upload a document. Verification, however is another matter.

Can the cloud provide confidentiality? This is where I have the biggest issues. I can definitely encrypt some of my data before it enters the cloud, and I can provide data at rest encryption within a cloud (AFORE Systems). But what eludes most clouds is data in motion encryption. Given this, highly confidential data needs to be encrypted or sanitized before entering the cloud currently.

Trust is a big factor with the cloud as well, you need to TRUST that the cloud administrators will not peer into, modify, or delete your data either inadvertently or maliciously.

Can we monitor the cloud using our security tools? Yes, this can occur depending on the cloud. IaaS and PaaS have definitive mechanisms to monitor themselves, but SaaS clouds are a bit more closed and we are dependent on the mechanisms built into the software. Many clouds include tools from HyTrust, AFORE, Trend Micro, Catbird, Vyatta, and others. As such their dashboards and reports may be available to their tenants.  In addition, these can be implemented within your own Cloud Instance.

Bottom line? For some data sets, the cloud is just fine. For others that require data encryption at all levels there is still a bit more work to go. But we are much closer than we were before. The technology exists, but we still have to trust for some things.

* The travelogue video was produced by Lars Troen

Leave a Reply

2 Comments on "Cloud Security: Is it all Jurisdictional and Audit Issues?"

Sort by:   newest | oldest | most voted
Very nice post, and increasingly relevant, particularly in light of the recently proposed EU changes regarding privacy. One important nit I’d like to pick, however. You state: Jurisdictional issues pertain to where your data resides and audit issues pertain to compliance, the real question is can the confidentiality, integrity, and availability of your data be maintained. I’ve been engaged for the past few years in issues surrounding jurisdiction, and note that it’s NOT only where your data resides. We tend to conflate the notion of jurisdiction with geography (the ‘where’) out of old habits. Jurisdiction has to do with who… Read more »
Hello Rich, I agree that the definition of Jurisdiction is somewhat up in the air and depends much more than just location. However, location is nearly always included in current discussions and is a pretty good starting point. Stewardship is definitely one question, but according to current law where does the steward come in during standard network traffic to and from the stewards location? I.e. are the stewards responsible if traffic is suddenly routed through another foreign entity with no treaty with the steward’s current country? Since Jurisdiction breaks down to treaties can we ever fully remove location from the… Read more »