No. 1: Accountability and Data Ownership in the Cloud
Welcome to the first of five posts addressing the security of your data in the cloud by Perspective Risk’s cyber risk specialist Sasha Raljic.
The beginning of March saw Amazon’s Web Services in meltdown. In simple terms, this meant its business customers – circa 350,000 organisations – were stymied. Websites, back-end storage, apps and Internet of Things gadgets relying on the platform were summarily knocked offline for five hours.
Inevitably, the incident spawned countless memes, gifs and anecdotes of consumers losing control of their lights, heating settings and other IoT devices.
AWS customers were unlikely to have appreciated the funny side however, nor indeed the growing number of organisations reliant on other cloud service providers to function. The gravity of the situation, and how similar incidents might play out in the future, probably wasn’t lost on them.
The reality is that many businesses depend heavily on third party servers – the cloud – without considering the implications or indeed back up options when things fail. We’ll address back up options in a future blog.
While the Amazon outage and its consequences demonstrate our need for cloud services, the recent issues are not unique to the behemoth. In fairness, Amazon’s cloud up-time is considerably higher than any individual organisation could achieve.
Some positives did result from the outage. We’ve learned, for example, that Amazon’s Echo Light Ring can be used to query system status (more reliable than AWS dashboard) or for illuminating your room and replacing your smart bulbs – hidden features Amazon never disclosed.
Top Five Cloud Vulnerabilities
The top five cloud vulnerabilities – as verified by OWASP (The Open Web Application Security Project) are:
- Accountability and Data Ownership
- User Identity Federation
- Regulatory Compliance
- Business Continuity and Resiliency
- User Privacy and Secondary Usage of Data
Over the coming weeks, we will tackle them one at a time and describe in detail each vulnerability or misconfiguration alongside the impact it can have on the many people who rely on cloud services.
No. 1 Accountability and Data Ownership in the Cloud
Traditionally, an organisation would upload and store data in a location, usually a data centre, owned and managed by a hosting provider. This gave the organisation control of its data, allowing it to maintain responsibility for its confidentiality, integrity and availability. The downside of this approach is that it tends to be expensive. Consequently, organisations looked for an alternative to reduce their overheads and costs. Cue cloud storage, which challenged the convention.
The type of data stored on cloud services determines the overall risk posed to an organisation, and indeed its customers, service users, patients or employees. In the event of a compromise, data that includes public images, blogs or social media entries would not pose a significant risk. Conversely, personal data e.g. medical records, payment information and credit history introduces a significant risk. In other words, the risk is directly proportional to data sensitivity, as obvious as that may be.
In the cloud, the cloud provider controls the data. Furthermore, some cloud providers reside in multiple countries, introducing additional complexities as different countries have different laws and standards for data storing and processing.
If the cloud provider employs a multi-tenancy approach, checks should be conducted to ensure that one organisation cannot access data owned by another. It’s important to remember that organisations cannot abdicate responsibility for their personally identifiable or sensitive data to a cloud provider. Ensuring the data is sufficiently protected remains the duty of the organisation. Other issues may arise when government organisations request access to consumer information, especially when the data is created in one country but stored in another.
Want to check how good your organisation’s security is? Click here.
How to Mitigate the Risks of Accountability and Data Ownership in the Cloud
To alleviate some of these some of these issues and avoid a potential legal quagmire, cloud consumers should note or seek to understand the following:
- Data classification should be dealt with appropriately. Documents with sensitive marking should be managed differently to non-official documents.
- Be aware that the authorities/government organisations may seize your data. Cloud providers should make their customers aware of this and notify them in advance of any changes. In a US murder case, Amazon refused to allow law enforcement access to a suspect’s Echo recordings on the grounds of data privacy.
- The provider will, by default, deny third party access to an organisation’s data. It’s down to the organisation itself to grant access to third parties.
- How will the data be secured in the cloud? Will the provider notify customers in the event of a breach, and if so, how quickly?
- Know the geographical location of data storage. If the data is outside the EU, a safe harbouring agreement should exist in that country.
- Ensure that data is encrypted, both at rest and in transit. This will ensure confidentiality and integrity.
- If a multi-tenancy approach is in place, the cloud provider must ensure that the data is sufficiently isolated to prevent unauthorised access, modification or deletion.
- Check that the cloud provider does not use the same encryption key for multiple consumers.
- When a private citizen, via the organisation, requests data deletion, it should be done in a secure way which does not render retrieval of the data.
The above are broad recommended guidelines; individual organisations may have specific requirements which should be discussed with their cloud provider.
Perspective Risk’s experts offer advice and consultancy across the cyber security spectrum. Do please feel free to contact us for support.