With cloud usage growing exponentially, are we asking enough questions about cloud security for organizations to make informed risk management decisions?
More than 80% of organizations store their information in the public cloud, according to Rightscale’s 2018 State of the Cloud Report,1 begging the question of cloud security. The cloud promises availability, simplified management and cost savings—yet the cloud is not threat proof and opens new attack vectors. What is compelling about the cloud is also its weakness: Its openness makes it vulnerable. For example, if the host hardware or operating system are compromised, all data hosted can also be exploited via a process called hyperjacking. The latest findings from McAfee indicate that 26% of organizations have suffered cloud data theft.2
Should You Entrust Your Private Keys in the Cloud?
Organizations need to proceed with caution about what they store. The way cloud storage systems typically work is using encryption keys to encode data. Most services keep the keys, accessing the data whenever a user logs in. However, some cloud services might have security flaws, leaving users’ keys and their data vulnerable. An example of this in the past is when the Open Secure Sockets Layer (OpenSSL) Heartbleed exploit was discovered. When relying on cloud providers, mitigation and protection against exploits like this are often out of the organization’s hands. The organization is merely consuming a service from the cloud provider with little to no visibility of the underlying protections and potential risk.
Should organizations entrust their private keys in the cloud? Storing private keys and identities in the cloud is dangerous. For public key infrastructure (PKI), the security of private keys is critical. Anyone who obtains a private key could impersonate the rightful owner and compromise information, potentially resulting in a tsunami of damage. The keys can be stolen or misappropriated, and there is no proven law that shields organizations from disclosure. It is best to consider the cloud as a storage repository and maintain control of the encryption keys on-premises until established practices and the law can protect those keys. While there are a few cloud providers that offer storage and protection of keys, organizations should carefully consider whether their data are safe if both the encrypted information and the keys are stored in the same location. Key management principles often place the keys in separate containers, locations or facilities and the encrypted information in another.
It is best to consider the cloud as a storage repository and maintain control of the encryption keys on-premises until established practices and the law can protect those keys.
Separating keys and data offers another form of protection. While an organization may not be subject to warrants and seizure of information, its data and keys could inadvertently be mixed up with another organization that stores data and keys in the same cloud container. There is little case law that indicates the responsibility of cloud providers to notify an organization if its data are part of that subpoena.
Storing encryption and identities on-premises and leveraging the cloud providers to store, process and maintain data provides an air-gap between the keys and the data. If the cloud provider accidently exposed the data, they would still remain secure and protected as long as the keys are firmly in the organization’s protection.
A clear and strong identity management process and plan is critical in this turbulent time. As hybrid enterprise solutions evolve, including cloud and on-premises software, the need for stronger identity management and identity-as-a-service (IaaS) is a must. Weak identities undermine everything else an organization can do to protect itself. A misappropriated identity means that no firewall, access control list or virtual private network (VPN) solution will prevent someone from gaining access. Organizations should design networks to protect against unauthorized access, but they should also assume an unknown attacker is roaming the network. Encrypt and protect information everywhere on the network—Internet Protocol Security (IPSec), data at rest, whole-disk encryption, 2-factor identities all will help protect against unauthorized data disclosure.
Mark B. Cooper
Is president and founder of PKI Solutions. He has deep knowledge in all things Public Key Infrastructure (PKI) and has been known as “The PKI Guy” since his early days at Microsoft. PKI Solutions Inc. provides consulting, training and software solutions for Microsoft PKI and related technologies for enterprises around the world. Prior to founding PKI Solutions, Cooper was a senior engineer at Microsoft, where he was a PKI and identity management subject matter expert who designed, implemented and supported Active Directory Certificate Services (ADCS) environments for Microsoft’s largest customers.
Endnotes
1 Rightscale, State of the Cloud Report, USA, 2018
2 McAfee, Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security, USA, 2018