Data Security In the Cloud

Posted on October 15, 2018

Author: Mark A. Denlinger

Originally published in October 2018

Copyright © 2018 Knox McLaughlin Gornall & Sennett, P.C.

Brief Overview of Cloud Computing

Cloud Computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (i.e., networks, servers, storage, applications and services) that can be rapidly released with minimal management effort or service provider interaction – primarily composed of 5 essential characteristics, 3 service models, and 4 deployment methods.

5 Essential Characteristics: (i) on-demand self-service; (ii) broad network access; (iii) resource pooling; (iv) rapid elasticity; and (v) measured service

3 Service Models: (i) Software as a Service (“SaaS”); (ii) Platform as a Service (“PaaS”); and (iii) Infrastructure as a Service (“IaaS”)

4 Deployment Methods: (i) Private Cloud; (ii) Community Cloud; (iii) Public Cloud; and (iv) Hybrid Cloud

Cloud Customers Make “Informed” Tradeoffs

Cloud computing transforms the way organizations use, store, and share data, applications, and workloads. Cloud customers must consider and take into account the following:

  • Critical nature of the software, data and services in question
  • Unique issues associated with cloud computing
  • Public, private or hybrid models
  • Availability and pricing of various alternatives

Requiring robust contractual protections may increase the price point and eliminate certain providers altogether.

Issues of Privacy and Security

Key Privacy and Security Issues to Consider or Address If Moving to the “Cloud”

  • Data location issues – where is the data “stored” or kept?
  • Locations of users accessing the data
  • Movement and storage of the data, and possible data transfer issues
  • Cloud provider’s use of subcontractors
  • Lack of transparency and control
  • Data breach issues and data destruction issues
  • Ability to impose security and privacy requirements/limitations

Data Control Issue #1: Access & E-Discovery

  • Issues with Accessing your Data: (i) on vendor computers; and/or (ii) moving it to customer computers
  • E-Discovery Requirements: (i) making sure the vendor does not get you in trouble by deleting relevant data; and (ii) making sure your opponent in litigation cannot subpoena the vendor

Data Control Issue #2: Restrictions on Use

  • Data used to serve the cloud customer
  • Data used by the cloud vendor: (i) vendor analysis and reporting; and (ii) improvement of products and services
  • Data used for privacy law compliance purposes
  • Restrictions on marketing with the data
  • Restrictions on locations of data
  • Restrictions on devices that can use or process the data
  • Compliance with a customer’s privacy policy
  • Restrictions or limitation on the aggregation of data: De-identified data: all PII removed; or Truly anonymized: PII removed and no key/code available to recreate it.

Contractual Management of Cloud Providers

Pre-Selection of Cloud Providers:

  • Investigate potential providers risk tolerance and control environment
  • Evaluate and consider: Risk management and oversight; Preventative, detective and corrective controls; and Use of vendors and subcontractors

Build protections into contract with cloud provider

  • Representations and warranties regarding scope of cyber security program
  • Obligation to disclose cyber security events
  • Right to review cyber security policies and procedures
  • Require specific vendor and subcontractor standards
  • Restrict where data can be stored/located/transferred
  • Requirements to return or destroy data

Assess the risk of using a cloud provider

  • Regular review of data protection and cyber security policies and procedures
  • Provider’s maintenance of cyber security insurance
  • Analyze and investigate provider’s processes and systems for dealing with security threats and protection of PII
  • Inquiry as to any past data breaches and security threats

Director and Officer Actions

  • Corporate board has fiduciary duty to protect corporate assets, including categories of data
  • Need to be proactive in protection of data and prevention of breaches
  • Maintain a Chief Information Security Officer
  • Establish a cyber security subcommittee
  • Have an incident response system in place
  • Directors and officers should be aware of organization’s cloud computing providers and the contracts governing those relationships

Top 12 Current Cloud Security Threats in 2018

  1. Data breaches – targeted attack, human error, application vulnerabilities, or poor security practices
  2. Insufficient identity, credential and access management – bad actors masquerading as legitimate users, operators or developers
  3. Insecure interfaces and application programming interfaces – accidental or malicious attempts to circumvent software user interfaces that manage and interact with cloud services
  4. System vulnerabilities – exploitable bugs in programs that attackers can use to infiltrate a system
  5. Account hijacking – gaining access to a user’s credentials and thus allowing the manipulation of data, provision of falsified information, monitoring of transactions, and redirection to illegitimate sites
  6. Malicious insiders – not only can access potentially sensitive information, but can grant himself or herself greater, expanded access to more critical systems and data
  7. Advanced persistent threats – form of cyber-attack that infiltrates systems to establish a foothold in the IT infrastructure of a company, enabling attackers to steal data
  8. Data loss – accidental deletions or physical catastrophes can lead to permanent loss of data unless proper steps taken
  9. Insufficient due diligence – organizations rushing to adopt cloud technologies and thus choose inadequate providers
  10. Abuse and nefarious use of cloud services - poorly secured cloud service deployments, free cloud service trials, and fraudulent account sign-ups via payment instrument fraud expose cloud computing models to malicious attacks
  11. Denial of services - designed to prevent users of a service from being able to access their data or applications
  12. Shared technology vulnerabilities - underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications, which can lead to shared technology vulnerabilities that can be exploited.

Author: Mark A. Denlinger

Originally published in October 2018

Copyright © 2018 Knox McLaughlin Gornall & Sennett, P.C.