Cloud Security - You Have What You Bring
It should be no surprise that moving to the cloud is all the rage these days. After all, why wouldn’t people want it? You can replace hundreds of thousands or millions of dollars in hardware costs, maintenance and staffing with relatively cheap storage and virtualization fees and not worry about your back-end infrastructure. From a cost/benefit/productivity perspective, it is the greatest thing since specialization was introduced in assembly line manufacturing.
However, the decision to jump headfirst into the cloud should not be made so quickly. There is a cost, and it could be catastrophically high, if unintended parties gain access to your cloud data.
Ask any celebrity recently affected by the Apple Cloud hack. The breaches were a little too revealing and the long-term effects are unknown.
To be clear, I am not saying don’t use the cloud. Personally, I like the cloud, but I am very careful what I put in there and do not have anything very sensitive there that is not protected. Moreover, my expectations of cloud security are very low. I expect that all of the data in there will one day be compromised. And why wouldn’t I? It seems like everything is compromised these days; it is just a matter of time until we hear about it.
Based on my experience, I am convinced that every company of significant size has already been breached and everyone’s identity has been stolen dozens of times over. But, then again, I am a bit jaded and pessimistic from doing computer forensic and incident response investigations for so many years.
As such, I recommend that you bake your own security into what you place in the cloud using a suitable DLP solution that contains DRM capabilities. Or, at least, encrypt the data stored in the cloud using file-based encryption to prevent it from being of any use to unintended parties. If the encrypted data is compromised, so what?! Have fun with that.
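The file-based encryption recommended above, sketched as an added example (not code from the original post): each file is sealed with AES-256-GCM from the Python `cryptography` package before it leaves your machine, so the provider only ever stores ciphertext. The `CSE1` blob layout, the function names and the sample object name are assumptions made for illustration.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CSE1"  # constructed 4-byte format tag, specific to this example
NONCE_LEN = 12   # 96-bit nonce, the standard size for GCM
TAG_LEN = 16     # GCM authentication tag appended to the ciphertext


def encrypt_for_upload(plaintext: bytes, key: bytes, name: str) -> bytes:
    """Return MAGIC || nonce || ciphertext+tag for one file.

    The object name is bound as associated data, so a blob that is copied
    over a different object in the bucket fails verification on download.
    """
    nonce = os.urandom(NONCE_LEN)  # never reuse a nonce under the same key
    sealed = AESGCM(key).encrypt(nonce, plaintext, MAGIC + name.encode())
    return MAGIC + nonce + sealed


def decrypt_after_download(blob: bytes, key: bytes, name: str) -> bytes:
    """Verify and decrypt a blob; raise ValueError if anything is off."""
    header = len(MAGIC) + NONCE_LEN
    if len(blob) < header + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a CSE1 blob")
    nonce, sealed = blob[len(MAGIC):header], blob[header:]
    try:
        return AESGCM(key).decrypt(nonce, sealed, MAGIC + name.encode())
    except InvalidTag:
        # Wrong key, modified ciphertext, or blob stored under another name.
        raise ValueError("authentication failed") from None


if __name__ == "__main__":
    # The key stays outside the cloud account (assumption: local key store).
    key = AESGCM.generate_key(bit_length=256)
    document = b"constructed sample: payroll export Q3"
    blob = encrypt_for_upload(document, key, "hr/payroll-q3.txt")
    print(len(blob), "bytes go to the provider")
    print(decrypt_after_download(blob, key, "hr/payroll-q3.txt"))
```

The protection holds only while the key is kept somewhere the cloud account cannot reach; storing it next to the blobs reduces this to obfuscation.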
Additionally, please also read my blog about “Challenges of Computer Forensics in Cloud and Hosted Environments” for other contractual considerations that need to be made BEFORE signing on the dotted line with a cloud or hosted solution.