Cloud addiction: At what point does the elastic snap?
Richard Moulds, VP of strategy, Thales e-Security
Love it or loathe it – the cloud has grown from a small pond frequented only by the most daring of creatures into a vast, bottomless ocean teeming with life. The appeal is clear: In-house IT is expensive and often difficult to manage. Cloud providers promise access to cheap computing hardware, storage and applications on a ‘pay as required’ basis that is scalable, flexible and – best of all – accessible anytime, anywhere – a truly elastic resource. It is therefore hardly surprising that organizations are getting increasingly drawn to the potential of the cloud and some are becoming addicted to the benefits it provides. That only becomes a problem when security concerns and risk become so prominent that what once seemed elastic now threatens to snap, bringing with it severe consequences.
According to a recent report on encryption in the cloud, 53 percent of organizations currently transfer or plan to transfer sensitive or confidential data to the cloud. Worryingly though, more than twice as many respondents say use of the cloud has decreased their security posture (35 percent) rather than increased it (15 percent). These findings show that businesses are pushing the boundaries and taking ever greater risks even though they are aware of the potential dangers – and the dangers are manifold. The more you virtualize, the less control you have over where your data is, who controls it, who has access to it and what measures are in place to protect it. As with every addiction, the dangers increase the higher up the chain you go – and in the case of data, the higher the sensitivity the bigger the impact of something going wrong.
Sensitive data is never easy to manage for an organization. Managing secrets is always more costly, complex and time-consuming than managing data that requires less protection. It's that prospect of saving money that often creates the ‘buzz’ of adopting cloud services and that buzz gets stronger the more you can save – and this can become the root of the problem, the source of the addiction. So where do you draw the line?
With security-related issues there is almost never a ‘one size fits all’ solution – and this certainly applies to the cloud. Instead, the key to staying afloat is to assess the sensitivity of the numerous types of data within an individual business. The result is a data sensitivity pyramid formed of distinct tiers of sensitivity, defining classes of data to which specific and appropriate security measures can be applied. Unsurprisingly, the vast majority – let's say it's 80 percent of all business data – is relatively uninteresting to external parties and therefore unlikely to be much of a risk, even if exposed in the cloud. That's the base of our pyramid.
Of the remaining 20 percent, a certain proportion will be at the very top of the pyramid and will be truly mission critical – the crown jewels that obviously need to be protected and will probably never go to the cloud – but the rest of the 20 percent is where it gets interesting. This is the slippery slope, data that might inadvertently go to the cloud or fall under the grip of the cloud addiction: “The last bit of data we sent to the cloud seems safe enough, so let's move up the sensitivity pyramid and save even more money.”
At some point someone has to say stop. The question is who and when? To make matters worse, data classification, or the layers in the pyramid, is in a constant state of flux as data and privacy regulations keep changing, security threats come and go and cloud security matures. As such, the higher levels of the pyramid have to be carefully and continuously assessed and reassessed to ensure data is only moved into the cloud if the appropriate security measures are in place. This, of course, is not new. Governments and national defense agencies have classified their data for decades.
Classification is a good thing to do, but it doesn't stop the craving and that's where technologies like encryption can play a valuable role. They enable organizations to transfer data at higher sensitivity levels to the cloud safely, yielding the cost saving without significantly increasing risk. Encryption can be thought of as flattening the pyramid: By making data unreadable, it can desensitize high-level assets so that they can be treated like low-level data. In practice it's never quite that simple: deployment scenarios differ in how encryption keys are managed and where exactly encryption, and more importantly decryption, is performed.
Used correctly, encryption can help your cloud-computing strategy move up the data sensitivity pyramid – but you still have to know your limits. Just as with any addiction there is a point of no return: If data is lost or stolen, it could threaten the very foundations of your business. Only you can draw up your data sensitivity pyramid. And only you can set your boundaries.