Analysts recommend that enterprises should first develop a data security plan that addresses six security issues. Failure to do so, they say, could add cost and complexity to the adoption of cloud computing without addressing the fundamental issues of data privacy and long-term security and resiliency.
1. Breach notification and data residency
Not all data requires equal protection, so businesses should categorize data intended for cloud storage and identify any compliance requirements in relation to data breach notification or if data may not be stored in other jurisdictions.
2. Data management at rest
Businesses should ask specific questions to determine the cloud service provider’s (CSP's) data storage life cycle and security policy. Businesses should find out if:
2.1 Multitenant storage is being used, and if it is, find out what separation mechanism is being used between tenants.
2.2 Mechanisms such as tagging are used to prevent data being replicated to specific countries or regions.
2.3 Storage used for archive and backup is encrypted and if the key management strategy include a strong identity and access management policy to restrict access within certain jurisdictions.
3. Data protection in motion
As a minimum requirement, Gartner recommends that businesses ensure that the CSP will support secure communication protocols such as SSL/TLS for browser access or VPN-based connections for system access for protected access to their services.
The research note says that businesses always encrypt sensitive data in motion to the cloud, but if data is unencrypted while in use or storage, it will be incumbent on the enterprise to mitigate against data breaches.
4. Encryption key management
Enterprises should always aim to manage the encryption keys, but if they are managed by a
cloud encryption provider, Gartner says they must ensure access management controls are in place that will satisfy breach notification requirements and data residency.
If keys are managed by the CSP, then businesses should require hardware-based key management systems within a tightly defined and managed set of key management processes.
When keys are managed or available in the cloud, Gartner says it is imperative that the vendor provides tight control and monitoring of potential snapshots of live workloads to prevent the risk of analysing
the memory contents to obtain the key.
5. Access controls
The enterprise should demand that the encryption provider offer adequate user access and administrative controls, stronger authentication alternatives such as two-factor authentication, management of access permissions, and separation of administrative duties such as security, network and maintenance. Businesses should also require:
5.1 Logging of all user and administrator access to cloud resources, and provide these logs to the enterprise in a format suitable for log management or security information and event management systems.
5.2 The CSP to restrict access to sensitive system management tools that might "snapshot" a live workload, perform data migration, or back up and recover data.
5.3 That images captured by migration or snapshotting tools are treated with the same security as other sensitive enterprise data.
6. Longterm resiliency the encryption system
Gartner recommends that businesses understand the impact on applications and database indexing, searching and sorting. They should pay specific attention to advanced searching capabilities, such as substring matching functions and wildcarding such as "contains" or "ends with".
