Welcome!

@CloudExpo Authors: Carmen Gonzalez, Janakiram MSV, Liz McMillan, Pat Romanski, Elizabeth White

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security

@CloudExpo: Blog Feed Post

Securing Your ‘Data at Rest’ in the Cloud

Threat vectors in private, hybrid and public clouds

We’re all hungry for best practices and tips for securing data in the cloud and also how shared computer resources can and should work to ensure privacy and protection. The focus is on data security, especially data at rest.

Cloud computing is all about increased scalability and productivity. However, new cloud security threats such as “snapshotting” a virtual disk are emerging. These create new threats to private data, compared to when data was stored and secured between the four walls of a datacenter.

With cloud computing, multiple customers may share a single physical disk, although logically separated from each other. In theory, one can share the same physical disk with a competitor – without data crossing over. The same is true for physical servers. Equally, within a single cloud account, different projects may be sharing the same physical disks or physical servers. This virtualized approach is at the heart of cloud computing; it provides many of its benefits.

Best practices for such logical separation do exist and are well implemented by the best cloud providers. While essential, they do require the cloud user – the customer – to take some responsibility for securing data. To understand why, consider some of the threat vectors that do remain, even when logical separation is done right.

Threat vectors in private, hybrid and public clouds
Cloud technology is very powerful. It allows legitimate cloud customers to manage all of their disks and servers through a browser; for example it allows customers to easily copy or “snapshot” their disks, with a single cloud command. But consider a hacker who has obtained web access to a cloud account by stealing the Web User Interface (WUI) credentials or exposing a web vulnerability. That hacker can now also “snapshot” the disks.

Threat vectors can also exist because cloud accounts may contain multiple projects. This is a subtle point, because it applies to private clouds as well as public clouds.

People sometimes have pat answers for difficult questions; the “private vs. public” cloud debate is such a case. Some people claim private clouds answer all security questions. Private clouds are good, but the claim is exaggerated. This specific threat vector is an example. So here is how it goes.

You are a responsible professional and have properly secured your project in your company’s cloud account (whether public or private). However, your colleague at a different division has also set up a project, and – unfortunately – his virtual servers have a vulnerability. A hacker gains access to those servers and now that hacker is in your company’s cloud account. Depending on the exact details of the exploit, the damage to your project’s data security could be small or large. Obviously, this can happen even in a private cloud.

People often like to talk of the “insider” threat. Malicious insiders are rare – the insider threat is perhaps overplayed – but they are a painful possibility and these cases can cause huge damage when they do occur. Insiders can be at your own company or at the cloud provider. Just as with hackers, malicious insiders could misuse account credentials to access and misuse your data, or exploit their existing projects within your shared environment for malicious ends.

So what is an IT administrator going to do to secure data stored in the cloud?

The practicalities of trust and control for data in the cloud
One way to think of the cloud is as a great environment for outsourcing. Even private clouds mean that you are outsourcing your computing environment to some IT group inside your company, and public clouds are an obvious outsourcing situation.

Like any outsourcing situation, you want to outsource the hassle but keep the control. This is basically the attitude to take when going to the cloud.

It is important to remember that keeping control must happen at the project level – your project must be under your control. Segregating projects and defining how each project is protected independently of other projects is a good way to avoid many threat vectors.

Some of the rules for enforcing data security in the cloud are true in any data center scenario, not necessarily virtualized; and some are new or at least have a new emphasis.

Make sure your cloud, your software and your security tools allow you to enforce these general rules.

Define who has administrative access to the project.These are the people with the power to make big sweeping changes. Make sure it’s not just one person; what if that person is on vacation? But it must not be many people, and each person should have clear rules on what he or she can do.

Define who has user-level access to the project. Users may have access to data that administrators may not see. In fact, that is best practice. Make sure you manage your users and their rights to data.

Define fine-grained network controls. Make sure you can segregate your projects using networking techniques such as sub-nets and firewalls.

Define fine-grained authorization and authentication. Users and administrators should have clear identities, so you can control access to the resources they need; it should be possible to define fine-grained permissions for these identities. Some projects may require defining permissions for disk access, others for files, and still others for tables, rows or columns in a database.

Encrypt all sensitive data. Data in the cloud must be encrypted for security. There is simply no way to deal with the threat vectors mentioned above if data is not encrypted. This is an accepted fact by cloud data security experts.

Manage encryption keys carefully; otherwise, achieving confidentiality can prove difficult in the cloud. This is actually a major gotcha in cloud data security. The essential point is that encryption keys are the key to the kingdom, and you cannot trust anyone with your encryption keys.

It is obvious that you should not save your encryption keys in “plain”, on a disk in the cloud. But more than that, if you desire confidentiality, you cannot give your encryption keys to your cloud provider. The best providers will themselves tell you this, in a frank and helpful way – so ask them.

When it comes to encryption and encryption keys, you cannot trust anyone. There are several offers on the market that will try to tell you that you can trust them with your keys, so be aware.

There are several other offers on the market which do key management responsibly and well, but only by taking all of your encryption keys back to your physical data center. That kind of interferes with your goal of doing a cloud project.

Keeping trust and control while outsourcing complexity
While securing data at rest in cloud projects is entirely possible, it’s also a lot of work. Ideally, you’d like a solution which packages all this complexity.

The technological breakthroughs that enable pure cloud key management are split-key encryption and homomorphic key encryption. They provide the only way, currently on the market, to maintain complete confidentiality of data while staying 100 percent in the cloud.

This makes a large variety of projects possible and secure, including everything from disaster recovery and cloud bursting to pure cloud solutions. These types of encryption also maintain standards such as HIPAA, PCI DSS, SOX and SOC2.

But you need more than technology. Vendors need to be integrated with leading clouds and operating systems. This way, you can leverage valuable tools appropriate for the cloud of your choice, such as firewalls, virtual private networks, security groups and roles, authentication and authorization – together with your encryption and key management solution. A full solution is truly possible.

Securing a variety of data storage technologies
When it comes to data storage in the cloud, there is a wide range of options customers can choose from. These range from “plain” virtual disks, file systems (for Windows, Linux and UNIX), relational databases (Oracle, MySQL, MS SQL, IBM DB2 and others) and new and unique cloud options such as distributed storage (e.g. Simple Storage Service) or “NoSQL” databases (e.g. MongoDB). Furthermore, when it comes to databases, there is a choice to be made between fully encrypting the entire database, or encrypting at the finer granular level – at the table, row or column level, for example.

Such wide-ranging support requires “plugging in” to the cloud operating system at a very deep level, where the solution is transparent and fits well with most anything using the cloud environment. It also requires a cloud-enabled Application Programming Interface (API). A convenient User Interface doesn’t hurt either.

Gilad Parann-Nissany is the founder and CEO of Porticor (Ramat Hasharon, Israel). www.porticor.com

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

@CloudExpo Stories
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
SYS-CON Events announced today that Twistlock, the leading provider of cloud container security solutions, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Twistlock is the industry's first enterprise security suite for container security. Twistlock's technology addresses risks on the host and within the application of the container, enabling enterprises to consistently enforce security policies, monitor...
Automation is enabling enterprises to design, deploy, and manage more complex, hybrid cloud environments. Yet the people who manage these environments must be trained in and understanding these environments better than ever before. A new era of analytics and cognitive computing is adding intelligence, but also more complexity, to these cloud environments. How smart is your cloud? How smart should it be? In this power panel at 20th Cloud Expo, moderated by Conference Chair Roger Strukhoff, pane...
Blockchain is a shared, secure record of exchange that establishes trust, accountability and transparency across supply chain networks. Supported by the Linux Foundation's open source, open-standards based Hyperledger Project, Blockchain has the potential to improve regulatory compliance, reduce cost and time for product recall as well as advance trade. Are you curious about Blockchain and how it can provide you with new opportunities for innovation and growth? In her session at 20th Cloud Exp...
@ThingsExpo has been named the Most Influential ‘Smart Cities - IIoT' Account and @BigDataExpo has been named fourteenth by Right Relevance (RR), which provides curated information and intelligence on approximately 50,000 topics. In addition, Right Relevance provides an Insights offering that combines the above Topics and Influencers information with real time conversations to provide actionable intelligence with visualizations to enable decision making. The Insights service is applicable to eve...
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
SYS-CON Events announced today that Hitachi, the leading provider the Internet of Things and Digital Transformation, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Hitachi Data Systems, a wholly owned subsidiary of Hitachi, Ltd., offers an integrated portfolio of services and solutions that enable digital transformation through enhanced data management, governance, mobility and analytics. We help globa...
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and 21st International Cloud Expo, which will take place in November in Silicon Valley, California.
Developers want to create better apps faster. Static clouds are giving way to scalable systems, with dynamic resource allocation and application monitoring. You won't hear that chant from users on any picket line, but helping developers to create better apps faster is the mission of Lee Atchison, principal cloud architect and advocate at New Relic Inc., based in San Francisco. His singular job is to understand and drive the industry in the areas of cloud architecture, microservices, scalability ...
Back in February of 2017, Andrew Clay Schafer of Pivotal tweeted the following: “seriously tho, the whole software industry is stuck on deployment when we desperately need architecture and telemetry.” Intrigue in a 140 characters. For me, I hear Andrew saying, “we’re jumping to step 5 before we’ve successfully completed steps 1-4.”
@DevOpsSummit has been named the ‘Top DevOps Influencer' by iTrend. iTred processes millions of conversations, tweets, interactions, news articles, press releases, blog posts - and extract meaning form them and analyzes mobile and desktop software platforms used to communicate, various metadata (such as geo location), and automation tools. In overall placement, @DevOpsSummit ranked as the number one ‘DevOps Influencer' followed by @CloudExpo at third, and @MicroservicesE at 24th.
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
As pervasive as cloud technology is -- and as persuasive as the arguments are for using it -- the cloud has its limits. Some companies will always have security concerns about storing data in the cloud and certain high-transaction applications will always be better suited for on-premises storage. Those statements were among the bottom-line takeaways delivered at Cloud Expo this week, a three day, bi-annual event focused on cloud technologies, adoption and associated challenges.
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
Quickly find the root cause of complex database problems slowing down your applications. Up to 88% of all application performance issues are related to the database. DPA’s unique response time analysis shows you exactly what needs fixing - in four clicks or less. Optimize performance anywhere. Database Performance Analyzer monitors on-premises, on VMware®, and in the Cloud, including Amazon® AWS and Azure™ virtual machines.
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.
SYS-CON Events announced today that Super Micro Computer, Inc., a global leader in compute, storage and networking technologies, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Supermicro (NASDAQ: SMCI), the leading innovator in high-performance, high-efficiency server technology, is a premier provider of advanced server Building Block Solutions® for Data Center, Cloud Computing, Enterprise IT, Hadoop/...
Amazon has gradually rolled out parts of its IoT offerings in the last year, but these are just the tip of the iceberg. In addition to optimizing their back-end AWS offerings, Amazon is laying the ground work to be a major force in IoT – especially in the connected home and office. Amazon is extending its reach by building on its dominant Cloud IoT platform, its Dash Button strategy, recently announced Replenishment Services, the Echo/Alexa voice recognition control platform, the 6-7 strategic...
Bert Loomis was a visionary. This general session will highlight how Bert Loomis and people like him inspire us to build great things with small inventions. In their general session at 19th Cloud Expo, Harold Hannon, Architect at IBM Bluemix, and Michael O'Neill, Strategic Business Development at Nvidia, discussed the accelerating pace of AI development and how IBM Cloud and NVIDIA are partnering to bring AI capabilities to "every day," on-demand. They also reviewed two "free infrastructure" pr...