On June 12, 2017, security researchers discovered that the personal information of nearly 200 million American voters was left exposed to the Internet due to misconfigured cloud storage. The data, which included names, addresses, phone numbers, birthdates, party affiliation and other details, had been compiled by a firm called Deep Root Analytics on behalf of the Republican National Committee (RNC). More than 1.1 terabytes of sensitive data could be downloaded by anyone.
This massive data leak serves as a cautionary tale to organizations moving to the cloud. Cloud services are often more secure than the typical data center due to the service provider’s investments and skilled personnel. However, the cloud operates on a shared responsibility model. The service provider is responsible for the security of the cloud — the compute, storage and networking infrastructure within the cloud data center. The customer is responsible for the security of what’s in the cloud — that is, the data itself.
Responsibility for the environment between those two extremes depends upon the cloud model. With Software-as-a-Service (SaaS), the customer shares responsibility for endpoint security and identity and access management; everything else is controlled by the service provider. With Platform-as-a-Service (PaaS), the customer is responsible for endpoint security, sharing responsibility for application security and identity and access management. With Infrastructure-as-a-Service (IaaS), the customer is responsible for the operating system, network and firewall configurations, development platforms, application security, identity management and access controls, and data encryption.
However, many organizations wrongly assume that they are transferring security responsibilities to the service provider when they move to the cloud. In a recent survey conducted by Vanson Bourne, 71 percent of respondents said they believe that public cloud service providers are responsible for securing their customers’ data. Another 66 percent said the service provider is responsible for securing applications, and 63 percent believe the service provider is responsible for securing operating systems. Overall, 52 percent of survey respondents felt confident that their move to the cloud was secure.
Clearly, organizations need to reframe their mindsets and ensure that they understand their responsibilities when moving applications and data to the cloud. Organizations must establish processes for protecting their corporate assets, and choose cloud services with appropriate levels of security controls.
Ask the service provider about:
The RNC data leak serves as a stark reminder that the cloud is only as secure as you make it. The shared responsibility model of the cloud means that organizations must take steps to protect their cloud-based applications and data, and effectively address security measures when selecting cloud service providers.
- Backup policies and procedures. Ensure that the backup processes and capabilities meet your business requirements for data protection.
- Data encryption. The service provider should provide mechanisms for encrypting sensitive data at rest and in-flight across the network.
- Regulatory compliance. Confirm that the service provider’s security controls and capabilities adhere to any applicable regulations.
- Physical location of data. Some regulations require that data be maintained within the U.S., or proscribe cross-border transfer of data.
- Data breach notification. The service provider should give written notification of a security breach within a specified time frame.
- Process for return of data upon termination of the cloud services contract. The agreement should state that you maintain ownership of and access to your data at all times, and specify procedures for return of the data in an appropriate format.