As it becomes clear that cloud computing technology is here to stay, customers and vendors alike are making moves to secure their services and make the cloud safe for even sensitive data and applications. One approach that might serve both sides well is a data-centric model in which the information itself – rather than an endpoint – is protected.
Traditional data security models focus on protecting individual devices used to access information. Computers are armed with antivirus software, a firewall protects the network and various other tools are used to guard the perimeter. While this approach is effective to a degree, it does have its flaws.
For example, if an outsider with malicious intentions manages to bypass a network’s security measures, there would be little stopping him or her from stealing valuable information.
This threat is especially prevalent with cloud computing. With information being stored on a third-party server, a business using the cloud has less direct control over its data than ever. And though cloud providers are generally able to dedicate more time and expertise to security than the average company, those resources can be used most effectively in a data-centric model.
A recent ITWorld report highlighted several of the shortcomings of cloud security. For one, many businesses fail to assess the data security measures and policies employed by cloud vendors. This can lead to several issues, including regulatory compliance concerns about the geographic location of data in the cloud and the credentials of the provider hosting the services.
Citing figures from a CompTIA report, ITWorld pointed out that half of surveyed cloud users actually assess the geolocation of a provider’s data centers, and only slightly more than half look into the regulatory compliance of the cloud vendor.
This can lead to data security issues down the line. If a business relies on a cloud service to store sensitive customer information or important corporate records, it will not be the cloud provider that feels the backlash should such data be breached. The burden ultimately falls on the shoulders of the user to ensure information is adequately protected.
A data-centric model removes much of this vulnerability. If the data itself is protected, then it will still be safe even if a cloud provider’s systems are breached and information is stolen.
A recent InformationWeek report echoed this notion, adding that encryption is the first step to building an effective data-centric security model.
According to InformationWeek’s Data Encryption: Ushering in a New Era study, “encryption is enabling the ideal of anywhere, anytime access to company data, and it’s starting to be baked in to all types of IT products.”
The study, which based results off a survey of more than 500 business technology decision-makers, found that only 33 percent of respondents have implemented encryption on the database level, and 47 percent have encrypted data stored on mobile devices.
Michael Davis, the report’s author, asserted that these figures are somewhat worrying. Though it is evident that more companies are using encryption and ushering in a more data-centric approach to security, the slow adoption rate means that many are leaving themselves vulnerable.
“Everyone knows that when the you-know-what hits the fan, it’s the self-sufficient who survive, for a while anyway,” Davis wrote. “By bringing core encryption-related capabilities in-house and being very selective about outside partners, you get closer to full control. Autonomous and selective beats dependent and vulnerable every time.”
Davis noted that data-centric security is not without its flaws. Many legacy security systems do not support encryption, and businesses often have trouble calculating a return on investment for such an approach. However, as more companies implement the cloud as a major IT resource, data-centric security must become more prevalent to ensure that data is protected no matter where it is accessed from and on what device it is viewed.
Cloud Security News from SimplySecurity.com by Trend Micro