Infrastructure versus Information Cyber Security in the Cloud
Cloud adoption continues to be a strategic initiative for most organizations. In fact, Gartner Research estimates that by 2025, 99% of all files will be stored in cloud environments. At the same time, most organizations continue to view security as the biggest challenge for cloud adoption. New privacy and regulatory compliance issues, along with corporate governance and compliance of cloud services, are the top concerns of more than 60% of enterprises. In this article, we’ll dig into what “cyber security” really means when it comes to cloud and why it’s increasingly important for CIOs and CISOs to think about security from two separate but connected angles: infrastructure security and information security.
Cyber Security in the Cloud - 101:
What is infrastructure security?
At its simplest, infrastructure security is comprised of hardware and software tools that protect data and your network (whether it be a cloud network or an on-premises network). It’s used to manage and restrict access to networks, applications (such as email), storage resources, data, firewalls, antivirus, intrusion prevention systems, and VPNs, etc.
What is information security?
On the other hand, the main principle behind information security (also referred to as “InfoSec”) is the safe utilization, flow, and storage of information. InfoSec focuses on information confidentiality, integrity, availability, and productivity.
I’ve run across many definitions of information security over the years; however, both the National Institute of Standards and Technology (NIST) and the National Information Assurance (IA) define information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability." We believe this definition is succinct and encompasses the security concerns voiced by most CIOs looking to move to the cloud.
How do data privacy regulations drive cloud security requirements?
The introduction of the General Data Protection Regulation (GDPR) by the European Parliament in 2016 and the California Consumer Protection Act (CCPA) on January 1, 2020, with their stricter enforcement protocols and threats of huge fines, have focused organizations around the world on the need to quickly recognize and respond to security breaches in ways they perhaps didn’t have to previously: not only do they need to know that a breach has occurred, they now need to understand in detail what data was, or could have been, accessed. This need is driven by the breach notification requirements in the new privacy laws. For example, the GDPR says you must inform those data subjects that could have had personal information accessed, directly and without undue delay. In other words, the individual notification should take place as soon as possible. This lack of a specific notification timeframe opens up the risk of lawsuits based on individual attorney interpretation of what the term “without undue delay” actually means. Will the expectation be days, weeks, or months? In reality, depending on the specific geographic authorities in the EU, it could be all of them.
This new regulatory requirement – the need to know precisely what data has been accessed during a breach – has become a defining risk for all organizations collecting personal information on EU or California citizens. Regardless of whether the data is stored on-premises or in the cloud, the current and yet-to-be-released privacy laws are changing how CIOs think about data security and risk mitigation.
In a 2019 survey on technology and data privacy conducted by Propeller, 96% of respondents said a company’s data protection policy is extremely important to consider before doing business with that organization. 72% of respondents said they would not choose a company that doesn’t meet the CCPA data policy regulations, and only 4.5% said they do not consider data policy when choosing a company.
According to a recent Ovum survey entitled ‘Data privacy laws: Cutting the red tape,’ a whopping 52% of respondents think that new data protection regulations will result in fines for their company, while two-thirds expect it to force changes in their strategy in Europe. And when asked about investing in greater data protection capabilities, 55% plan on new training for employees and 53% will prepare by adopting new technologies.
Global Intelligence for the CIO – EU data privacy reboot: A burden or a big break for CIOs?
Over the last two years, I have spoken with many CIOs and CISOs about their digital transformation strategies and cloud security in general. They all worry about the lack of control of security in SaaS clouds. SaaS clouds generally employ a “one size fits all” platform design that dramatically limits individual customer security customization opportunities. This issue leaves their compliance fate in the hands of the SaaS providers, a position that many are not comfortable with. Additionally, because you will not know when a breach has occurred until the SaaS vendor notifies you, you could be in breach notification non-compliance without even knowing it.
Infrastructure security and information security in the cloud
Cloud platforms can differ dramatically from vendor to vendor in their offered use cases, feature/functionality, security capabilities, and vendor reputations. For example, the big three public cloud platform providers, Amazon AWS, Microsoft Azure, and Google Cloud, all provide the infrastructure and tools for other companies to build specialized applications for the archiving and management of information. With one exception, software companies have developed cloud archiving solutions that are delivered as Software as a Service (SaaS) solutions. Every customer accesses the same (one size fits all), single-use case, managed archiving services.
There are benefits to SaaS-based archiving platforms: the first is the potential reduction in IT costs and the second is the apparent simplicity of a “set-it and forget-it” solution. However, simplicity comes at a price and with risks that may be too great for many organizations. SaaS-based archiving platforms are fully managed by the solution provider, meaning the client has zero say in the platform’s infrastructure security or information security.
As the new privacy regulations have come into effect, many organizations are now rethinking their current SaaS solutions. Many CTOs and CISOs, as well as CROs (Chief Regulatory Officers), are now hesitant to fully rely on SaaS platform vendors offering a “lowest common denominator” service and instead are searching for cloud platforms where they have more control over security - not to mention the application itself.
Why PaaS (not SaaS) provides better control over cloud security
Platform as a Service (PaaS) environments, such as the PaaS platform offered by the Microsoft Azure Cloud, allow organizations to directly address not only the infrastructure security requirements of data retention and privacy, but also the information security requirements, and to do so based on their organization’s specific needs.
I mentioned earlier that there is one exception to the SaaS-based archiving solutions: Archive2Azure, an open-standards PaaS-based information management and archiving platform. One of the core differences between Archive2Azure and SaaS-based solutions is that it is installed in your organization’s dedicated (and isolated) Azure tenancy. Unlike SaaS-based archives, it’s not installed in a third party’s multi-tenant public cloud. With a SaaS-based solution, you are dependent on (and at the mercy of) the vendor’s security protocols. With a PaaS-based solution, such as Archive2Azure, you have the ability to apply your customized security protocols and policies, including firewall, network, and access configurations. You can also run your own specific penetration testing, security scans, and transparent security audits and monitoring. None of this is possible with a SaaS-based solution.
For more information read our new Technical Guide: PaaS versus SaaS Archives - What You Need to Know
Additionally, because Archive2Azure is installed and managed in your organization’s Azure tenancy (versus a multi-tenant environment in a public cloud), you can implement and audit vital information security requirements. Specifically, you own, control and manage encryption and encryption keys, ensuring the granular levels of access controls needed for your sensitive data.
Today, ensuring information security in the cloud comes down to one simple fact: you must encrypt your sensitive data before moving it to the cloud. Many of the new privacy regulations state that if a system was breached and encrypted data was potentially accessed (and the encryption keys were not accessed), then an organization’s notification requirements (one of the largest expenses in a breach) do not need to be met. Deciding that all data will be encrypted locally, before moving your data to the cloud, is the single biggest process a company can adopt for information security.
Archive2Azure takes these cloud security capabilities one step further and offers the automatic detection of sensitive information (such as Social Security numbers, bank account numbers, biometric data, etc.) with immediate metadata hashing and encryption or anonymization, either within your Azure tenancy or on-site, before the sensitive data is moved to the cloud.
Cloud security starts with system and data isolation and transparency. Archive2Azure was designed with these security requirements in mind. Contact us to find out how Archive360 can help put your mind at ease around information security in the Azure Cloud.
About Bill Tolson
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.