6 Steps to Securing Production File Data in the Cloud

Unstructured file data is the fastest-growing segment of enterprise data. And the need to store, protect, synchronize and collaborate on files globally is driving enterprises to migrate their file data to the cloud. Leveraging public or private clouds for data storage enables a host of new and valuable capabilities, but enterprises need to be aware that it also changes the risk profile for data storage. Done right, cloud storage can provide stronger data security than traditional storage, but incorporating hybrid clouds into the data path requires a different approach from on-premises security models.

To ensure the security of data stored in private and public clouds, enterprises need a robust security model that combines strong encryption and local authentication with the native capabilities of the top-tier cloud storage solutions. Here are six areas IT teams should keep top of mind to ensure their unstructured data remains secure and highly available.

Stronger Encryption

Any data protection model must begin with a strong foundation of encryption. All file data and metadata must be encrypted, both in-transit and at-rest, using Advanced Encryption Standard (AES)-256 encryption. AES is the first publicly accessible, open encryption standard approved by the U.S. National Security Agency (NSA) to safeguard sensitive government information, so it’s definitely strong enough to protect enterprise data and is ideal for symmetric encryption. Also, IT should salt keys and passwords. With salting, random bits are added to the input of a one-way cryptographic hash function as an extra layer of security in the hashing process, ensuring that even if the keys themselves are compromised, they’ll be unusable because they are salted.

This approach helps ensure that data can never be accessed by anyone outside the user’s organization unless specifically authorized.


Also recommended is the use of the non-proprietary OpenPGP protocol for public key-based encryption and decryption. OpenPGP establishes a framework for how to combine widely available security algorithms into a secure system, and the OpenPGP community continuously enhances this open standard and source code through an extensive and thorough review.

OpenPGP enables a combination of symmetric and asymmetric encryption techniques that secures data without compromising performance. Using fast symmetric encryption to encrypt the data and slower asymmetric encryption to encrypt the keys allows data to be encrypted efficiently and at a high level of granularity.

OpenPGP also specifies several important details, including proper salting and cipher modes. OpenPGP’s cipher feedback (CFB) mode also overcomes the weaknesses of less secure techniques, such as Electronic Codebook (ECB).
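The weakness of ECB that chained modes avoid can be measured by counting repeated ciphertext blocks. The Go program below is an added example, not code from this article or from any OpenPGP implementation; it uses plain full-block CFB rather than OpenPGP's packet format, and the function names and sample records are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize

// repeats counts ciphertext blocks that duplicate an earlier block.
func repeats(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+bs <= len(ct); i += bs {
		seen[string(ct[i:i+bs])] = true
	}
	return len(ct)/bs - len(seen)
}

// RepeatedBlocks (illustrative name) encrypts pt with AES in ECB and in CFB and
// returns how many repeated ciphertext blocks each mode leaves visible.
func RepeatedBlocks(key, iv, pt []byte) (ecbN, cfbN int, err error) {
	c, err := aes.NewCipher(key)
	if err != nil || len(iv) != bs || len(pt)%bs != 0 {
		return 0, 0, fmt.Errorf("need AES key, %d-byte IV, whole blocks: %v", bs, err)
	}
	ecb := make([]byte, len(pt))
	cfb := append([]byte{}, iv...) // the IV is stored in front of the CFB output
	prev, ks := iv, make([]byte, bs)
	for i := 0; i < len(pt); i += bs {
		c.Encrypt(ecb[i:i+bs], pt[i:i+bs]) // ECB: depends on key and this block only
		c.Encrypt(ks, prev)                // CFB: keystream = E(previous ciphertext)
		for j, k := range ks {
			cfb = append(cfb, pt[i+j]^k)
		}
		prev = cfb[len(cfb)-bs:]
	}
	return repeats(ecb), repeats(cfb), nil
}

func main() {
	secret := make([]byte, 32+bs) // random AES-256 key followed by a random IV
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	pt := bytes.Repeat([]byte("ACCOUNT=00001234"), 8) // constructed: 8 equal records
	fmt.Println(RepeatedBlocks(secret[:32], secret[32:], pt))
}
```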

In addition to encrypting the data itself, IT must also encrypt metadata, both in-transit and at rest. This means that no identifiable information—not even file names or timestamps—is decipherable after it leaves the on-premises point of origin. Encrypted file metadata includes the file name, file size, timestamps, access control information and location within the directory tree.

Separation of the Data Path and Control Path

For most enterprises, the control path or plane responsible for data management and orchestration functions is handled by a component such as an operations center. This operations center, which represents the control path, needs to be separated from the data path or data plane, which includes all the functions used to store data in public or private cloud environments. Separating the data and control paths prevents malware from gaining access to data stored in the cloud.

On-Premises (Private Cloud) Data Path

When used with private cloud storage, all file data and file system metadata should be encrypted and stored solely in the private cloud object storage. The control path can use public cloud services to provide orchestration and management functions at scale. However, in this configuration, the data path should be entirely on-premises, and file data should never be transmitted outside the enterprise security perimeter.

Hybrid Cloud or Public Cloud-Only Data Path

When using public cloud storage, keep all file data and file system metadata encrypted and stored in public cloud object storage. Edge appliances can be deployed on-premises in a hybrid cloud configuration to cache active files locally for high-performance access. The appliances could also be deployed in the public cloud as part of a “cloud-only” data path configuration.

The control path can use public cloud services to provide orchestration and management functions at scale. In this configuration, the data path extends outside the enterprise security perimeter. However, if file data and metadata are encrypted using random AES-256 encryption keys that are also encrypted by a protected master key, this approach ensures that data remains secure while in-transit and at-rest. Data and metadata should never be visible to anyone without the master key, including vendors and cloud storage providers.
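The key hierarchy described above, as an added Go example that is not the article's or any vendor's code: each blob (file data or file metadata) is encrypted under a fresh random AES-256 key, and only that key, wrapped by the master key, is stored beside the ciphertext. It assumes a symmetric master key and AES-256-GCM from Go's standard library in place of OpenPGP's public-key wrapping; NewGCM, Seal and Open are hypothetical names and the sample metadata is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// NewGCM (name chosen for this example) returns AES-GCM; 32 bytes selects AES-256.
func NewGCM(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal encrypts pt under a fresh random file key and wraps that key with master.
func Seal(master cipher.AEAD, pt []byte) (wrapped, blob []byte, err error) {
	r := make([]byte, 32+12+12) // file key, key-wrap nonce, data nonce
	if _, err = rand.Read(r); err != nil {
		return nil, nil, err
	}
	key, n1, n2 := r[:32], r[32:44:44], r[44:]
	g, _ := NewGCM(key) // cannot fail: key is exactly 32 bytes
	return master.Seal(n1, n1, key, nil), g.Seal(n2, n2, pt, nil), nil
}

// Open unwraps the file key with master, then decrypts and authenticates blob.
func Open(master cipher.AEAD, wrapped, blob []byte) ([]byte, error) {
	if len(wrapped) < 12 || len(blob) < 12 {
		return nil, fmt.Errorf("truncated input")
	}
	key, err := master.Open(nil, wrapped[:12], wrapped[12:], nil)
	if err != nil {
		return nil, err // wrong master key or modified wrapped key
	}
	g, err := NewGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[:12], blob[12:], nil)
}

func main() {
	master, _ := NewGCM([]byte("constructed-demo-master-key-32b!")) // 32 bytes
	wrapped, blob, err := Seal(master, []byte("name=payroll.xlsx;size=48211"))
	fmt.Printf("wrapped key %x\nblob        %x\nerror       %v\n", wrapped, blob, err)
}
```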

Integrations With the Big Cloud Storage Providers

Most enterprises are moving toward using the big three public cloud storage providers: Microsoft Azure storage, Amazon Web Services (AWS) S3 and Google Cloud Storage. These cloud leaders have invested billions in their data centers to ensure data reliability, performance, availability, security and accessibility.

Enterprises should always make sure their cloud storage partners offer geo-redundant storage with high levels of data durability, as well as extensive industry security and compliance certifications, including:

  • ISO 27001 certification for standardized management of information security.
  • American Institute of Certified Public Accountants (AICPA) SOC 1 and SOC 2.
  • Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR) Certification including available Consensus Assessments Initiative Questionnaire (CAIQ).
  • Payment Card Industry Data Security Standard (PCI DSS) Level 1 compliance, required for handling credit cardholder personal information.
  • Health Insurance Portability and Accountability Act (HIPAA)-compliant applications involving health-related and other personally identifiable information (PII) as well as Health Information Trust Alliance (HITRUST).
  • FDA Code of Federal Regulations (CFR) Title 21 Part 11.

The rampant growth of unstructured file data and the need to store, protect, synchronize and collaborate on files globally have outpaced the capabilities of traditional network-attached storage (NAS) and file server infrastructures. Enterprises are running out of space, failing to meet backup and recovery service level agreements, putting off disaster recovery contingencies, spending too much of their IT budgets and, in some cases, compromising on security as they attempt to keep up. Keeping these six items in mind can help ensure that as this cloud migration continues, data will remain secure.


Russ Kennedy

Russ Kennedy is chief product officer at Nasuni, which provides a file services platform built for the cloud. Before Nasuni, Kennedy directed product strategy at Cleversafe through its $1.3 billion acquisition by IBM. Earlier in his career, Russ served in a variety of product management and development roles, most notably at StorageTek (acquired by Sun Microsystems), where he brought several industry-leading products to market. An avid cyclist and hiker, Kennedy resides in Boulder, Colorado with his family. He has a BS degree in Computer Science from Colorado State University and an MBA degree from the University of Colorado.
