Today’s cloud-based approach to development allows companies to provision pay-as-you-go, rapidly scalable applications in order to reach the market quickly. It’s a race, with companies competing to add applications for their customers before their competitors do. In this environment developers leverage available APIs, third-party plug-ins, containers, microservices, and new tool chains, but are they taking the steps needed to secure the data?
In the cloud, we see the same types of storage for commercial and personal data that we have seen in on-premises IT infrastructures: a combination of structured databases, file storage and unstructured data. Much of the cloud data is stored in relatively low-cost object storage, such as Amazon S3, Microsoft Azure Storage (including Blob storage), Google Cloud Storage (on GCP) and IBM Cloud Object Storage. Cloud vendors also offer storage options tailored to emerging requirements such as data lake storage.
The object storage architecture, in which data is managed as objects rather than in a file hierarchy or as the blocks, sectors or tracks of block storage, is very efficient and scales effectively without limit, transparently growing as you need it. Also, an object store or “bucket” is accessible only through a web protocol (HTTP) and a defined application programming interface (API), and is therefore separated from your local network, which adds security and resiliency.
And when compared to traditional storage architectures, object storage is cost-effective, especially when leveraging public cloud tiered pricing. In addition, using a public cloud can help move the cost of storage from a capital expense (CAPEX) to an operational expense (OPEX).
Public reports of large amounts of openly accessible data in misconfigured buckets have left many organizations still wary of storing their data in a public cloud environment. And although cloud service providers (CSPs) have noticeably focused on security, a shared responsibility relationship remains: the CSP is responsible for the security “of” the cloud (primarily compute, storage and networking), while the customer is responsible for security “in” the cloud (data and patches). It’s crucial that organizations can limit the access, use or modification of their critical data, since CSP administrators need access to IaaS servers and object storage disks to support daily operations.
We believe that a more comprehensive and planned approach is needed to make sure that data is protected. This is especially true with the emergence of security compliance regulations, such as GDPR, the California Consumer Privacy Act and others, which seek to enforce rules on how personal data is protected regardless of where it’s stored.
Don’t leave security up to your cloud provider. That is like renting a bank vault and then leaving the keys with someone at the bank. Managing the keys is, well, the key to security. Just recently we’ve seen the story of QuadrigaCX in Canada, where a single person controlled the keys to many cryptocurrency accounts and then unfortunately passed away. Experts are unsure whether those accounts will ever be recovered, leaving the company insolvent with a loss of $145 million. It’s an unusual story, different from losing data in that the loss can be so easily quantified, but it illustrates the risks of improper key control.
At SecurityFirst we use multiple hierarchical keys, structured to improve the flexibility and security of your data protection while keeping key management under your control. You can use an HSM (Hardware Security Module) if you choose, and extend a unified blanket of protection across all data types, including object data, regardless of where the data is stored. You shouldn’t have to manage a different solution for object data.
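To make the key hierarchy idea concrete, here is an added illustration (example code written for this post, not SecurityFirst’s product or any CSP’s API): every object is encrypted under its own data key (DEK), and only the wrapped form of that DEK, sealed under a key-encryption key (KEK) the customer holds, is stored alongside the object in the bucket. The names StoredObject, PutObject and GetObject, and the object path used as a binding, are assumptions of this example; in practice the KEK would live in an HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// StoredObject is what actually lands in the bucket: the object ciphertext plus its
// per-object DEK, the DEK itself sealed under the customer's KEK. The KEK never enters the bucket.
type StoredObject struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // object bytes sealed under the DEK, nonce prepended
}

// seal encrypts with AES-GCM under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// unseal reverses seal; a wrong key, altered bytes or a different aad fail authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("sealed blob too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// PutObject: fresh 256-bit DEK per object, object sealed under the DEK, DEK sealed under the
// KEK; the object path is bound as AAD so a wrapped DEK cannot be moved onto another object.
func PutObject(kek []byte, objectKey string, plaintext []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return StoredObject{}, err }
	ct, err := seal(dek, plaintext, []byte(objectKey))
	if err != nil { return StoredObject{}, err }
	wrapped, err := seal(kek, dek, []byte(objectKey))
	if err != nil { return StoredObject{}, err }
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}
// GetObject unwraps the DEK with the customer's KEK, then decrypts the object with the DEK.
func GetObject(kek []byte, objectKey string, obj StoredObject) ([]byte, error) {
	dek, err := unseal(kek, obj.WrappedDEK, []byte(objectKey))
	if err != nil { return nil, err }
	return unseal(dek, obj.Ciphertext, []byte(objectKey))
}
```

Whoever holds only the bucket contents (including a storage administrator) cannot recover the data, and rotating the KEK means re-wrapping the small DEKs rather than re-encrypting every object.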
SecurityFirst has sponsored a study conducted by Ponemon, LLC, that looked into the adoption of on-premises and cloud-based object storage to understand what data organizations are committing to these resources, their motivations for doing so, and their beliefs and practices regarding its security. The report will be available on the SecurityFirst website, and we hope you will join us for the associated webinar, in which Dr. Larry Ponemon will present the specific findings.