Data security issues for deploying cloud services in 2013


According to the latest threat reports, deploying cloud services in 2013 will lead to new problems for most businesses, focusing on data continuity, data security, and reliability.

Security company Sophos's 2013 threat report warns that companies face new data security risks when deploying cloud services. Companies should address these risks during the contract negotiation phase, before the data is transferred to the service provider's large data center. Chester Wisniewski, the security firm's senior security advisor, said that in some cases cloud services increased the attack surface of the enterprise and weakened existing security controls and policies.

"Companies should spend more time communicating with their lawyers to ensure that all of their needs are met and that all requirements are clearly set out in the contract, so that when an accident occurs, both parties know where they are responsible," Wisniewski said. He says companies need to consider three issues when deploying cloud services.

1. How to prevent information disclosure?

Services such as Dropbox enable employees to easily store and share documents containing enterprise data. Companies initially tried to "crush" third-party services (such as Dropbox), but they are now starting to accept these services while adding controls (such as encryption) to ensure that sensitive data does not fall into the wrong hands. Wisniewski says companies should deploy data protection technologies correctly and make them easier to operate. "You need to make sure that the data is secure before it reaches the cloud."

Wisniewski believes that cloud-based services can enhance the original "fragmented" data security approach. Organizations can deploy security controls in a variety of ways to ensure that employees can securely access data from mobile devices or log in to the cloud system remotely. With an Apple iPad app that provides a layer of protection for encryption and decryption, he says: "Financial, sales, and marketing people can protect data without the high encryption technology."

2. Does the contract require that the cloud provider be properly vetted, and does it define the security standards?

Targeted attackers have learned that business partners, often small businesses that serve large enterprises, are the "breach" point in the networks of large enterprises. Wisniewski said parts manufacturers, transporters and suppliers in the aerospace and defense industries could be exploited by attackers. "Cyber criminals have realised that the business partners of large enterprises are usually small companies; their security defenses are lax, but they are still trusted entities of large enterprises, which has become a real problem."

The contract should make it clear that the enterprise can check whether the third-party system has been reviewed and whether it has appropriate security controls. Cloud providers should provide evidence that they meet security standards and provide a mechanism that allows enterprises to conduct independent testing. Wisniewski said: "Some companies had a PCI evaluation in the months before their credit card leakage incident, and the final results show that compliance has not been given due attention."

Data retention, failover, incident response, system monitoring and maintenance should be clearly stipulated in the contract, so that when the relationship between the enterprise and the cloud service provider changes, the enterprise has the means to remove its data and transfer it to another vendor.

"If you're a little paranoid, without a consistent agreement with the vendor to protect your data according to your standards, you will need to run your own data center," Wisniewski said. "Part of the cost of using cloud computing services is that it is widely distributed and you don't know where your data will be. Some data may be under contract control, but other parts are not within your control; in many cases, someone may eject the server's hard drive to take your data."

3. Can you prevent snapshots of virtual servers (capturing the currently running memory image, including all running encryption keys)?

Instead of using a public cloud, many businesses use virtual machines to create private clouds within their data centers. Wisniewski says this approach is considered a good way to reduce costs and improve efficiency, but it also raises data security issues.

Experts say that while security researchers have confirmed that highly technical hypervisor attacks are feasible, cyber criminals are less likely to use such complex attacks. The problem facing the enterprise is the potential for flaws within the virtual server. Configuration errors and bad policies can be exploited by attackers to gain access to sensitive data. For example, when a virtual machine snapshot captures the system state (a common method of backing up a system), passwords and encryption keys are usually in memory because they are needed to decrypt files. Snapshots save time and are a good backup mechanism, but businesses need to store them securely. "You need to keep the encryption key in memory, but you should blur the encryption key in memory," he says.
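The following C sketch is an added example, not code from Sophos or from the original article. It reads "blur the encryption key in memory" as keeping the key XOR-masked while idle, which is an assumption; the names `shielded_key`, `shield_key`, `with_key` and `image_contains` are hypothetical, and `/dev/urandom` is assumed to be available.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32

typedef struct {
    uint8_t masked[KEY_LEN]; /* key XOR mask: the only form kept at rest */
    uint8_t mask[KEY_LEN];   /* random mask, fresh for each process */
} shielded_key;
/* Wipe through a volatile pointer so the stores are not optimised away. */
static void wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}
/* Mask the key with OS randomness and erase the caller's plaintext copy. */
int shield_key(shielded_key *sk, uint8_t *key) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(sk->mask, 1, KEY_LEN, f);
    fclose(f);
    if (got != KEY_LEN) return -1;
    for (size_t i = 0; i < KEY_LEN; i++) sk->masked[i] = key[i] ^ sk->mask[i];
    wipe(key, KEY_LEN);
    return 0;
}
/* Unmask only while use() runs, then wipe the temporary plaintext. */
int with_key(const shielded_key *sk, int (*use)(const uint8_t *, const void *), const void *ctx) {
    uint8_t tmp[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) tmp[i] = sk->masked[i] ^ sk->mask[i];
    int rc = use(tmp, ctx);
    wipe(tmp, KEY_LEN);
    return rc;
}
/* Stand-in for a scan of a snapshot image for known key bytes. */
int image_contains(const void *img, size_t n, const uint8_t *pat, size_t m) {
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp((const uint8_t *)img + i, pat, m) == 0) return 1;
    return 0;
}
static int key_matches(const uint8_t *k, const void *ref) { return memcmp(k, ref, KEY_LEN) == 0; }
/* Constructed demo. Bit 0: plaintext key visible at rest. Bit 1: key usable on demand. */
int demo(void) {
    uint8_t key[KEY_LEN], ref[KEY_LEN];
    shielded_key sk;
    memset(key, 0xA5, KEY_LEN);   /* constructed sample key, not a real secret */
    memcpy(ref, key, KEY_LEN);    /* reference copy kept only for this check */
    if (shield_key(&sk, key) != 0) return -1;
    return image_contains(&sk, sizeof sk, ref, KEY_LEN) | (with_key(&sk, key_matches, ref) << 1);
}
int main(void) { return demo() == 2 ? 0 : 1; }
```

The mask sits in the same memory as the masked key, so a snapshot still holds everything needed to rebuild it; masking only shortens the window in which the raw key bytes are present, and snapshots still need encrypted, access-controlled storage.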

(Responsible editor: Lu Guang)
