I believe we talk too little about information security assurance in regard to cloud services.
"If information X can be accessed and read by anyone it's not intended for, then your information security assurance level for information X is not at 100%."
Information security assurance level
If you agree with the above statement, then we have the beginning of an approach to measure how secure your information X is today and how secure it needs to be for you to be OK with it.
We can call this the information security assurance level.
0 is when you have absolutely no confidence in the access to and protection of your information. The scale up from there varies, but I personally prefer to see it as a scale without a fixed upper number - information security assurance levels can pretty much always be improved.
Information security assurance levels must be part of a continuous evaluation process to be valid as a measurement.
Example - my grandfather's brilliant cake recipe
Some things are just worth going the extra mile to protect!
I store this treasure in an old nuclear bunker that has military-grade physical access systems, including dual approval of access, and a perimeter guarded by armed security staff who have all passed very high security clearances. In this bunker I have a Euro Grade 5 safe containing a paper with the written-down recipe.
The recipe was written down by me alone on a very small island in the middle of the ocean, on a hard surface and under a blanket shadowing my writing. Both the surface and the pen were ground down and destroyed directly afterwards. The note was placed between two lead plates and sealed before being placed directly in the safe. The safe was transported to the secure storage in the bunker, and all security measures, alarms etc. were activated, with the proceedings overseen by me before I allowed myself to rest.
I believe the above example demonstrates a high information security assurance level for the recipe. Mind that there are still many possible improvements to be made, though: additional physical protection, additional staff assurance, encryption of the recipe, vendor assurance (the safe, bunker, transport company, pen etc.), a self-destruct system, contingency plans (what about fire?), and we can go on and on.
A cloud service with a high enough information security assurance level?
Consider what information (and what type of information) you potentially want a cloud service to handle, and how high an information security assurance level that information requires from an internal and external compliance perspective.
Consider the laws and regulations that govern the cloud service you assess and how those impact your information security assurance levels.
Consider vendors' (cloud, communication, IT, staffing etc.) compliance with your internal and applicable external security frameworks and how that impacts your information security assurance levels.
Consider the perimeter protections in place and how those impact your information security assurance levels.
Consider how you and third parties handle the information (routines and procedures) and how that impacts your information security assurance levels.
Consider different authentication solutions and how those would impact your information security assurance levels.
Consider encryption solutions for both data in motion and data at rest and how those would impact your information security assurance levels.
There is much more to say here, but the above gives you an idea.
How to increase your information security assurance level for cloud services
Maybe you didn't reach the required information security assurance level for some of your information when you assessed a cloud service as an option? Still tempting from an ROI and efficiency perspective? Don't despair: there are measures you can take to improve and increase the information security assurance levels for your organization, including for the cloud services you use.
Consider using PKI or managed PKI (mPKI)
What!? Henrik... really... is that old horse still alive?! Indeed it is! I also want to boldly state that it is an excellent way of improving many organizations' information security assurance levels while enabling, for example, cloud services at the same time!
PKI can give you back control over your information, even in the cloud. It has the potential to drastically increase the information security assurance level for many use cases.
Cryptography was originally developed to secure communications, i.e., data in transit (alternatively, data in motion). A central objective of any cryptographic system was – and still is – to ensure that messages exchanged between senders and receivers are safe from unwanted interception. However, the use cases and requirements for encryption have greatly expanded over the last few decades, in large part because of the growth of IP networking in general, and of sectors such as e-commerce in particular.
For everyone from retailers to health care organizations, it is often no longer sufficient to simply protect data in transit. Data at rest must also be secured to meet the requirements of rules such as the Payment Card Industry Data Security Standard, or to simplify compliance with country-specific legislation like the Health Insurance Portability and Accountability Act in the U.S. Plus, organizations must do so even as the variety and volume of data exchange continues to increase sharply.
Encrypting data in motion and at rest are two distinct tasks, each with its own set of best practices and tools, although there is some overlap. Solutions such as public key infrastructure (PKI) and trusted identity ecosystems are crucial when it comes to data security, and ultimately ensuring that your information is as secure as possible no matter where it is.
Data in Transit: Encrypting Assets as They Traverse Networks
Securing data in transit is essentially securing data as it passes over a network. The challenge here is that the IP suite is full of protocols – HTTP, FTP and Telnet, to name a few of the most commonly used ones – that transmit data in plaintext, which means that anyone monitoring or intercepting messages may be able to read their contents.
This in turn could lead to unauthorized access to sensitive resources, as well as costly data breaches.
Encryption is a vital mechanism for closing these liabilities. For starters, the protocols mentioned above all have encrypted equivalents, namely HTTPS, FTPS and SSH, respectively. The growth of HTTPS traffic has been especially pronounced in recent years.
Both symmetric and asymmetric encryption may be used to protect data in transit. Symmetric encryption has the advantage of being relatively fast and not too intensive in terms of the computational resources it requires. Asymmetric encryption is considerably more demanding, since it typically involves modular exponentiation or comparable public-key operations. Widely used mechanisms such as SSL/TLS utilize both: symmetric encryption for the bulk data and asymmetric encryption for the key exchange.
Beyond SSL/TLS, other forms of encryption are utilized to further protect in-transit data such as email. S/MIME and OpenPGP are just two examples; the exact combination of standards will correspond to the interoperability requirements and specific email services in play. End-to-end email encryption through a PKI-based solution, with digital signatures and authentication, is also an appealing option for organizations with stringent rules for email integrity. How data in transit is protected will depend on the type of communication – internal, business-to-business, etc. – and the specifics of the data being exchanged (e.g., is it privileged?).
Data at Rest: Protecting Payment Card Data and Other Stored Assets
Probably the most relatable example of data at rest is information sitting on a hard disk drive somewhere. Encryption for this data provides an extra form of protection in the event that the physical device housing it is lost or stolen.
Going after data at rest has often been the path of least resistance for attackers, since much of it has traditionally been unencrypted and of high value. Common at-rest items may include payment card numbers for e-commerce transactions, along with other financial information sitting in your company databases.
Encrypting data at rest presents several significant challenges:
- At-rest data such as credit card databases is in some cases queried literally millions of times a day, and the presence of cryptography can degrade that performance.
- Implementing full PKI to protect files, folders and entire disks containing data at rest is often perceived as a costly and complex undertaking.
- Rules such as PCI DSS stipulate what types of data may and may not be stored, and what protections should be extended to them. Storing this data puts a system in scope.
Full-disk encryption solutions for platforms and various public cloud services have emerged in recent years as encryption of data at rest has become a bigger concern for organizations. Still, many firms forgo this necessary measure. The ideal way forward is to pursue a security strategy that utilizes proven tenets such as encryption, authentication, digital signatures and trusted identities.
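To make the two mechanisms above concrete, here is an added Go example (written for this page, not code from the original post nor from Entrust Datacard) that covers both the hybrid scheme used for data in transit (X25519 key agreement for the key exchange, AES-GCM for the bulk data, the same division of labour TLS makes) and the envelope pattern behind at-rest and full-disk encryption (a fresh data-encryption key per record, wrapped under a key-encryption key that would normally stay inside an HSM or cloud KMS). It uses only the Go standard library. The key derivation by hashing the shared secret with a fixed label stands in for the HKDF-based schedule TLS 1.3 uses, and the message, record ids, test card number and KEK are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// gcm returns an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext; output is nonce||ciphertext||tag.
// aad is authenticated but stays in clear (a session or record id).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, ciphertext or aad were altered.
func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil || len(blob) < aead.NonceSize() {
		return nil, errors.New("bad key or ciphertext too short")
	}
	n := aead.NonceSize()
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// TransitRoundTrip models the hybrid scheme TLS uses: one X25519 agreement
// (asymmetric), then AES-GCM for the bulk data (symmetric). TLS 1.3 derives
// keys with HKDF over the transcript; hashing secret||label is a simplification.
func TransitRoundTrip(message []byte) ([]byte, error) {
	client, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	server, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, errors.New("key generation failed")
	}
	// Only public keys cross the network; each side computes the same secret.
	cs, err1 := client.ECDH(server.PublicKey())
	ss, err2 := server.ECDH(client.PublicKey())
	if err1 != nil || err2 != nil {
		return nil, errors.New("key agreement failed")
	}
	ck := sha256.Sum256(append(cs, "example-bulk-key"...))
	sk := sha256.Sum256(append(ss, "example-bulk-key"...))
	wire, err := seal(ck[:], message, []byte("session-1")) // what the client sends
	if err != nil {
		return nil, err
	}
	return open(sk[:], wire, []byte("session-1")) // server uses its own copy of the key
}

// EnvelopeEncrypt protects a record at rest: a fresh data-encryption key (DEK)
// seals the payload and is itself wrapped under the key-encryption key (KEK)
// held in an HSM or cloud KMS. The record id is bound as AAD on both layers.
func EnvelopeEncrypt(kek []byte, id string, plaintext []byte) (wrappedDEK, blob []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	if blob, err = seal(dek, plaintext, []byte(id)); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(kek, dek, []byte(id))
	return wrappedDEK, blob, err
}

// EnvelopeDecrypt needs the KEK first: a stolen disk without it is just ciphertext.
func EnvelopeDecrypt(kek []byte, id string, wrappedDEK, blob []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, blob, []byte(id))
}

func main() {
	out, err := TransitRoundTrip([]byte("order 42: total 19.90")) // constructed message
	fmt.Printf("in transit: %q err=%v\n", out, err)
	kek := make([]byte, 32) // constructed KEK; in production it stays in the HSM/KMS
	io.ReadFull(rand.Reader, kek)
	w, b, _ := EnvelopeEncrypt(kek, "card-0001", []byte("4111111111111111")) // constructed test PAN
	pt, err := EnvelopeDecrypt(kek, "card-0001", w, b)
	fmt.Printf("at rest: %q err=%v\n", pt, err)
}
```

Run it with `go run`. Two design points matter for the assurance-level discussion: the KEK is the single key that must be protected (a lost disk or a copied database yields only wrapped DEKs and ciphertext, and rotating the KEK means rewrapping small DEKs rather than re-encrypting every record), and binding the record id as additional authenticated data means a ciphertext copied from one row into another is rejected on decryption instead of silently decrypting as the wrong customer's data.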
"Strong user authentication, authorization and full disk encryption can automatically protect the entire contents of a hard disk from unauthorized access without impacting user productivity," explained the authors of the Entrust Datacard white paper "Protecting Your Most Important Asset: Information, How Data Security Mitigates Risk and Enables Compliance."
In transit or at rest, data must be shielded from prying eyes and kept exclusive for its intended recipients and properly authorized individuals. By securing digital identities and information with proven security solutions, your organization can ensure it complies with applicable rules and regulations and avoids the damage of a data breach.
If you know what information security assurance level you need, you can assess whether you can reach that level for different use cases, including cloud services. Know where you are and where you need to be.
Examples of related products and services we can help you with, together with our PKI, mPKI, authentication, IoT security and SSL/TLS vendor partner Entrust Datacard and our resellers and MSSP partners:
Your own on-premise PKI solution managed by your own staff, with a state-of-the-art on-premise HSM solution attached. All required products, support, maintenance, services, professional services and education included.
Managed PKI with a variety of deployment methods including on premise, co-location, hybrid cloud and full cloud.
Enterprise-grade authentication made easy. The greatest value of an authentication portfolio is the ability to unleash the full productivity and innovation of an enterprise — while protecting what’s most important. So, how do you identify an authentication solution that is truly a digital business accelerator?
Ensuring a trusted Internet of Things. Establish a connected ecosystem that is secure by design from device manufacturing through the entire IoT lifecycle. Accelerate IoT deployment and time-to-value by enabling a secure and trusted ecosystem of people, applications and things.
SSL / TLS certificate services. Public trust certificates from one of the most trusted CAs in the world - Entrust Datacard. Use cases such as mail, digital signing and web servers. Wide variety of certificate types such as private, OV, EV, multi-domain and wildcard. Probably the best certificate management platform there is for enterprise customers.