Securing the 'Cloud' at all costs

When the United States federal government adopted its “Cloud-First” approach to IT spending, governments around the world took notice.  That was two years ago and in the interim the US government has saved $5.5 billion (USD) by moving significant portions of government IT infrastructure into the cloud.  Current projections suggest that if “Cloud-First” becomes even more widespread, the equivalent of NASA's annual budget ($12 billion USD) will be saved.  Presumably governments are paying even closer attention now.

But are they paying attention to the wrong thing?  Clearly, cloud migration is happening across government and the private sector at an extraordinary pace. This will continue as bottom line thinking eclipses other issues which are more difficult to quantify.  

After all, the cloud seems to combine ease of access and data security with low, ongoing-costs.  There is also something very appealing to the cloud's “out of sight/out of mind” quality.  But while cloud may very well be that disruptive technology that brings permanent economy-of-scale changes to the way we store and access our data, any organisation that is serious about security must take a step back, consider several issues and build an approach as it contemplates existing or potential cloud deployments.   

The first issue is data sovereignty.  It might seem obvious, but if your data is housed in another country it has effectively become a resident of that country, subject to its laws (or lack of legal rigour).

Former head of the US Department of Homeland Security, Michael Chertoff, has made a vivid case for why government data at all levels should be on-shore.  Chertoff argued that the sum total of work-a-day data like email, calendars combined with the vast scope of citizen information (driver's licenses, birth/death records, and even real estate information) ultimately touches on every aspect of a nation's “life.”  

In other words, even if some data might not seem “critical” for national defence, it matters. Chertoff's position was further strengthened by his experience wrangling for access to European traveller information. The US wanted the information under the Patriot Act, but the European Union refused to hand it over because to do so would violate EU privacy rules – data sovereignty (or where this data was being held) made it extremely hard for the US to get what it saw as vital information for its safety. If the EU data had been held in the US to begin with, US law would have given the US access and there would have been no wrangling at all.  

Ironically, it is US law, specifically The Patriot Act and the Digital Millennium Copyright Act (DMCA) that makes data sovereignty an especially critical issue for Australian organisations. For example, under the Patriot Act, your data might be housed in Australia but if the company that houses it is connected to the US (e.g., a multi-national), the provider may be compelled to provide access to your data and be prohibited from informing you of this access.  In other words, you'll probably never know.  

DMCA has been popularised by the recent Megaupload case that saw many legitimate users of a cloud service see their data deleted, lost forever, when the entire site was shut down.   The issue here is that the push to the Cloud might mean that some data might be finding its way onto sites like Dropbox and YouSendIt where it could end up being vulnerable to a similar shutdown and deletion.  It's worth noting that prior to Megaupload's shut down, the service was being used even more heavily on corporate networks than Dropbox or YouSendIt.

But even if you are on-shoring with a provider that won't be subject to any data sovereignty issues, there are several other boxes you need to check for cyber security. 

Ask these questions:  Where is your data actually housed?  Can you visit the site if you want?  Can you meet the people managing the facility?  Will you have the ability to reach senior engineers in your time zone when you need to?  Data in the Cloud lives somewhere and your data is only going to be as secure as the weakest point in the defence.  Another advantage of on-shoring is that you can benefit from rigorous Australian security certifications like DSD HP, ASIO T4 and PCI DSS. 

Ultimately, though, cyber defence comes down to practicing cyber “offence”. I frequently see detection and response overlooked by government agencies in favour of only protection.  Unfortunately, defence is not enough.  To be secure, an organisation must have an agile detection and response approach in place that identifies and responds to intrusions in real-time.  Very few, if any, cloud deployments offer this kind of rigour today, but they should.       

There is no question that the cloud has the potential to save our government money, but keeping our data secure while saving money is going to require eternal vigilance or else the money saved won't be worth the cost.  

Carlo Minassian is the founder and CEO of earthwave.