Security in the cloud is a topic that gets a lot of attention, and I had the chance to talk with David Canellos, CEO of cloud security company PerspecSys, to discuss how companies can do a better job of making sure the data in the cloud is secure.
Yet, his very first statement showed that we can't just focus on security within the cloud, but that data privacy and residency also need to be considered. He told me:
Companies need to determine what data needs to be protected in the cloud, how sensitive it is, and to what degree it needs to be protected. For instance, for companies in the healthcare industry, protected health information (PHI) is incredibly sensitive data that should be encrypted when it is stored or processed in the cloud. In fact, for strictly regulated industries such as healthcare, retail, finance and government, sensitive data often isn't allowed to leave an organization in "the clear."
But we still need to think about security, primarily how you can ensure that your data can't be accessed in the cloud. Canellos said that encryption is a good idea, but encryption can be broken by diligent hackers. Tokenization, he said, may be a better option, as tokens stored in the cloud have absolutely no decipherable patterns or ties to the data they represent, and thus, even if accessed by hackers, mean nothing.
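To make the tokenization idea concrete, here is an added example in Python. It is my own illustration, not PerspecSys code and not something from the interview, and it assumes a simple vault design: an on-premises vault hands out random tokens and keeps the token-to-value mapping, while only the tokens travel to the cloud. The patient records are constructed sample data. The second tokenizer, a keyed-hash variant I added for contrast, shows the caveat a practitioner should keep in mind: the "no decipherable patterns" property holds for random, per-record tokens, but a deterministic token (same value, same token) still lets anyone holding the cloud copy see which records share a value, even without the key.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed sample records standing in for PHI; every value here is made up.
SAMPLE_RECORDS = [
    {"patient": "P-1001", "ssn": "123-45-6789"},
    {"patient": "P-1002", "ssn": "987-65-4321"},
    {"patient": "P-1003", "ssn": "123-45-6789"},  # deliberately shares an SSN with P-1001
]


class TokenVault:
    """Vault-based tokenizer (hypothetical design, meant to stay on-premises).

    Each call hands out a fresh random token and records the token -> value
    mapping locally. Only tokens go to the cloud; the vault never leaves the
    organization, so the cloud copy on its own reveals nothing about the values.
    """

    def __init__(self, token_bytes: int = 16):
        self.token_bytes = token_bytes
        self._values = {}

    def tokenize(self, value: str) -> str:
        while True:
            token = "tok_" + secrets.token_hex(self.token_bytes)
            if token not in self._values:       # guard against a (vanishingly unlikely) collision
                self._values[token] = value
                return token

    def detokenize(self, token: str) -> str:
        return self._values[token]              # KeyError for a token the vault never issued


class DeterministicTokenizer:
    """Keyed-hash tokenizer (added for contrast): equal values get equal tokens.

    Handy for joins and searches in the cloud, but the equality pattern is
    visible to anyone holding the cloud copy, key or no key.
    """

    def __init__(self, key: bytes):
        self._key = key

    def tokenize(self, value: str) -> str:
        return "det_" + hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:32]


def tokenize_records(tokenizer, records, fields):
    """Return copies of the records with the listed fields replaced by tokens."""
    cloud_copy = []
    for rec in records:
        out = dict(rec)
        for f in fields:
            out[f] = tokenizer.tokenize(rec[f])
        cloud_copy.append(out)
    return cloud_copy


def detokenize_records(vault, records, fields):
    """Reverse tokenize_records on-premises using the vault."""
    restored = []
    for rec in records:
        out = dict(rec)
        for f in fields:
            out[f] = vault.detokenize(rec[f])
        restored.append(out)
    return restored


def count_shared_values(records, field):
    """Number of records whose value in `field` also appears in another record.

    A crude measure of the equality pattern an attacker could read straight off
    the cloud copy without any key or vault.
    """
    counts = Counter(rec[field] for rec in records)
    return sum(n for n in counts.values() if n > 1)


def leaked_originals(original, cloud_copy, field):
    """Original values of `field` that appear verbatim in the cloud copy."""
    cloud_values = {rec[field] for rec in cloud_copy}
    return sorted(v for v in {rec[field] for rec in original} if v in cloud_values)


if __name__ == "__main__":
    vault = TokenVault()
    cloud = tokenize_records(vault, SAMPLE_RECORDS, ["ssn"])
    print("random tokens, shared-value pattern visible in cloud:", count_shared_values(cloud, "ssn"))
    print("round trip intact:", detokenize_records(vault, cloud, ["ssn"]) == SAMPLE_RECORDS)

    det = DeterministicTokenizer(key=secrets.token_bytes(32))
    cloud_det = tokenize_records(det, SAMPLE_RECORDS, ["ssn"])
    print("deterministic tokens, shared-value pattern visible:", count_shared_values(cloud_det, "ssn"))
```

Running it shows the two records that share an SSN are indistinguishable from the others in the random-token copy, while the keyed-hash copy still exposes that pair. The flip side is that the vault itself becomes the crown jewel: losing it is equivalent to losing the data, so it needs the same access control, auditing and backup discipline the original records had.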
One issue of cloud security that interests me is how, exactly, it differs from security on the traditional network. So I asked Canellos that. He said:
The most important difference between cloud and regular network security threats is the sheer number of threat surfaces, or points of vulnerability, that increases when you move to a cloud environment. If you think that many cloud providers offer multi-tenant environments where 2, 20 or 200 different companies share a physical server or virtual environment, you can imagine how many more points of access a hacker has into your data. In a network environment the points of access are constrained, if not fully controlled. In a cloud, you have to trust what your cloud service provider is saying, and the weakest link in the chain may indeed be one of the other tenants sharing the same cloud that you are.
The data in the cloud is a huge target because of data aggregation. The data server usually doesn't host just one company's data, but that of many companies. The amount of data sitting on these servers can be mammoth, an absolute treasure trove to a cybercriminal. Or as Canellos pointed out to me, individual companies might not be of much interest to a hacker, but that attitude changes when data co-mingles in the cloud.
Canellos' comments emphasize one of the biggest points of contention that I've witnessed as I write about IT security issues: Who is responsible for the security that resides in the cloud? Is it the cloud host? Is it the company storing its data in the cloud? Is it a combination of both? I think his comments make a good argument for security lying most heavily on the cloud provider. Why? Because moving to the cloud is a lot like moving to a new neighborhood. The house might be perfect and the overall neighborhood is lovely, but, in the end, you can't choose your neighbors or dictate how they'll behave. Someone has to be responsible for the security of the neighborhood as a whole, so to speak.
Later this week, I'll continue my conversation with Canellos to discuss the security steps companies should consider before, during and after migrating into the cloud.