Published on icrunchdata on 22 Mar 2019
For internal use only
Cloud Journey and Data Security Considerations

Cloud is an innovative way to manage computing and storage resources. Reduced TCO, Agility and Data Localization are some of the features that make a compelling case for cloud adoption. It also gives the enterprise the flexibility to deliver solutions with the power to scale up and down as per economic requirements and situation.

Cloud is not only about sharing resources but is also a shared responsibility model. Multitenancy is synonymous with cloud, i.e. multiple customers (inter as well as intra) share the same resource pool. Abstraction and Orchestration are the two characteristics that enable the cloud to deliver resources in a segregated and isolated manner.

Broadly, the scope of security and compliance doesn't change much with Cloud, but Cloud does introduce complexity in terms of Roles and Responsibilities between cloud user and provider w.r.t. securing the different components of the solution.

It is highly possible that service models overlap and the resulting project is a combination of IaaS and PaaS. The technologies, tools and configuration offered by the provider could be different at each stage and depend on the model finalized. These gaps should be identified as part of architecture design.

GOVERNANCE AND RISK MANAGEMENT

Cloud Computing has a direct impact on Governance and Risk Management, due to the shared resource model. To an organization, a Cloud Provider should not be treated as just another third-party service provider, because in this case the service is not dedicated and it may not be feasible for the provider to fully customize its offerings and legal agreements.

Negotiated Contracts, Supplier Assessment and Compliance Reports are some of the tools to exercise Governance.

A very good analogy is put forth by the Cloud Security Alliance: ‘think of a shipping service. When you use a common carrier/provider you don’t get to define their operations. You put your sensitive documents in a package and entrust them to meet their obligations to deliver it safely, securely, and within the expected Service Level Agreement’

The enterprise should be ready to accept that these Compliance reports may not be fully accessible, as the Cloud Provider is servicing many customers over the same platform and has reservations about sharing the complete report. The organization should define its Risk Tolerance based on the assets involved and the service model agreed.

GEOGRAPHICAL RESTRICTIONS AND DATA PROTECTION LAWS

Most of these laws and guidelines were developed in the late 1960s and 1970s, later clarified and expanded for OECD. Quite a few countries have mandated that personal data, or data as defined in regulations, should not move out of their respective geographical boundaries.

Cloud providers should explicitly document the location of the user, the infrastructure location, the data classification and any other restriction involved. At times, these cross-location requirements could be conflicting and difficult to manage.

‘Privacy by Design’ should be the guiding principle for defining any product or service.
Without any restrictions and guidelines, data may easily get replicated in multiple pockets and hence become practically difficult to identify and delete.

DATA SECURITY, ENCRYPTION AND MIGRATIONS

Data security depends upon the location of the data, its classification, storage format, the access controls applicable and the encryption tools and technologies used. The most common types of data storage over cloud are Object / file based, Volume, Database (Relational / NoSQL) etc.

One more framework in use is Data Dispersion, which helps by breaking data down into small parts and storing multiple copies on different physical storage. Sending data to cloud object storage via APIs is considered relatively reliable and cost effective as compared to setting up a dedicated SFTP server.

Architecture should also consider including tools to detect Data Transfer or large data migration. CASB (Cloud Access and Security Brokers) and DLP (Data Loss Prevention) tools help with network monitoring and detect large data migrations, and some are capable of security alerting as well.

Securing Data in-motion is an important aspect attached to Cloud Computing. A few options for encrypting in-transit data are Client-side encryption, Network Encryption (TLS / SFTP), Proxy Based encryption etc.

Design and Architecture should have the appetite to accept public data, as that may be one of the expectations from the solution. The design should have the capability to isolate and scan the data before integrating it with the primary data store.

Key Management is tightly coupled with these choices and can be implemented based on a Hardware Security Module (HSM), a Cloud Provider Specific Virtual appliance, or Hybrid (a combination of HSM + Virtual appliance) etc.

Similarly, Encryption and Tokenization are two techniques used to manage Data-At-rest. The methods and techniques may vary based on service model, provider and deployment. It may be easy to adopt a blanket encryption policy, but we should understand that data processing over encrypted data is going to increase the compute time.

We discussed various options around Data encryption, but as a guideline, Cloud Application architecture should be defined with the threat model as an input. We should document the key exposing mechanism, the location of the encryption engine etc.

One should take note of cloud provider capabilities as input to application architecture and assess the native security choices offered by the cloud provider as, at times, they may not only be better but also be cost effective by not re-inventing the wheel. Moving to cloud should be considered as an opportunity to define better ways to process and manage data.
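
The passage above on tools that detect large data migration (CASB / DLP) comes down to measuring how much data each identity pulls out of a store over time. The following is an added example, not part of the original paper or of any vendor's product, that applies a sliding-window volume check to object-storage access records. The log format, principal names, window and threshold are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs): time, principal, operation, bytes.
SAMPLE_LOG = """\
2019-03-22T09:00:00Z alice GET 1048576
2019-03-22T09:01:00Z bob GET 209715200
2019-03-22T09:03:00Z carol GET 314572800
2019-03-22T09:04:00Z bob GET 209715200
2019-03-22T09:05:00Z dave PUT 838860800
2019-03-22T09:06:00Z bob GET 209715200
2019-03-22T09:07:00Z bob GET 209715200
2019-03-22T09:40:00Z carol GET 314572800
"""

WINDOW = timedelta(minutes=10)       # assumed look-back window
THRESHOLD = 500 * 1024 * 1024        # assumed limit: 500 MiB read per window


def parse(line):
    ts, principal, op, size = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, op, int(size)


def detect_bulk_reads(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (principal, time, bytes_in_window) once per burst over threshold.

    Expects records in time order, as an access log is written.
    """
    recent = defaultdict(deque)      # principal -> (time, bytes) still in window
    totals = defaultdict(int)        # principal -> bytes read inside the window
    alerting, alerts = set(), []
    for line in filter(str.strip, lines):
        ts, who, op, size = parse(line)
        if op != "GET":              # uploads do not move data out of the store
            continue
        q = recent[who]
        while q and ts - q[0][0] > window:   # expire reads older than the window
            totals[who] -= q.popleft()[1]
        if totals[who] <= threshold:
            alerting.discard(who)    # previous burst is over, re-arm the alert
        q.append((ts, size))
        totals[who] += size
        if totals[who] > threshold and who not in alerting:
            alerting.add(who)
            alerts.append((who, ts, totals[who]))
    return alerts


if __name__ == "__main__":
    for who, ts, total in detect_bulk_reads(SAMPLE_LOG.splitlines()):
        print(f"ALERT {who} read {total / 2**20:.0f} MiB in the window ending {ts}")
```

Per-identity thresholds matter in practice: a backup service account and an interactive user should not share the same limit.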
References: Cloud Security Alliance’s Security Guidance for Critical Areas of Focus in Cloud Computing v4.0.