Discover Performance
HP Software's community for IT leaders // September 2012
Secure the data—not the cloud
An information-centric approach helps overcome lingering questions about cloud security, says HP cloud security expert Ed Reynolds.
As cloud adoption picks up steam, security remains a top enterprise concern. Cloud security expert Ed Reynolds, a chief technologist in HP Enterprise Services, says an information-centric approach, rather than the usual focus on securing infrastructure, is what makes sense for today’s shared and open computing environments.
Q: What is an information-centric approach, and why is it better for cloud security?
Ed Reynolds: Imagine your security and protection flowing with your information, wherever it goes, rather than being dependent on the infrastructure surrounding your information. A good example of information-centric security is encryption.
When you encrypt your data, the protection travels with the data regardless of where it is—on your network and in one of your databases, or outside your firewall and residing on your cloud service provider’s system. Authorized users need a key to access and unlock the encrypted data. When encryption is used properly, the data is effectively self-protected wherever it goes. Encryption can greatly enhance data security in dynamic cloud environments.
Q: And what makes infrastructure-centric security less suited to the cloud?
Reynolds: Infrastructure-centric simply implies that an organization focuses its security on infrastructure and hardware as a way to protect its information. For instance, it uses firewalls to build a hard shell around its data.
With today’s more open computing models, infrastructure-centric security isn’t sufficient. To take advantage of cloud computing, mobility and social media, your information needs to flow outside your facilities and beyond your enterprise, yet remain secure. So you can’t focus your security on the infrastructure and hardware alone.
Here’s a good example of what I’m talking about: In an infrastructure-centric security model, when organizations want to delete sensitive data, they often verify its destruction by degaussing the disc that holds the information. Degaussing a disc wipes out all the data on it, by removing any magnetic remnants of the data. But, let’s say you want to use degaussing to destroy some sensitive information that your cloud service provider has stored on its hard disc. It’s more than likely that your cloud service provider will have other customers’ data on the same disc, so there’s no way it can degauss the disc to destroy only your data.
Therefore, the way to truly protect your data is to make sure the information itself is self-protected. For this reason, encryption is becoming increasingly popular with the public cloud. You destroy your encryption keys and you have effectively destroyed the data, a process referred to as “crypto-shredding.”
Q: What other types of information-centric security techniques are there?
Reynolds: Other approaches include information lifecycle management (ILM), identity and access management (IAM), digital rights management (DRM) and information classification schemes. Each focuses on securing the information itself and protecting it according to its risk profile, rather than securing the facility that contains it. For instance, you would apply more stringent security measures to customer Social Security numbers or credit card information than you would, say, to company marketing materials.
The point is, you’re not treating all your data the same and just building a hard perimeter around your data center, hoping no one breaks through. You’re starting with the information itself and applying various degrees of security according to its security risk.
Information classification serves as a good foundation, because it forces a CIO to understand the risk profile of all information. And it’s particularly useful with the public cloud, where your information is stored on shared servers, potentially alongside another customer’s.
Identity and access management (IAM) is equally important. IAM establishes who, or what, is allowed to access and/or modify the data, according to policies established by your information classification controls.
Another emerging technique is tokenization. Tokenization involves the use of fake or dummy data, which maps back to a data store where the real data lives. Tokenization is used for processing credit card transactions, but can also be used for processing other sensitive information as well.
Q: Are there any challenges with encryption or information classification that IT leaders need to be aware of?
Reynolds: Yes. As effective as it is, encryption comes with some overhead and can present a management challenge. As I mentioned, once you encrypt your information, the only way to decrypt it is with an encryption key. You therefore need to secure your keys, but also make sure they’re readily accessible so your information is available the moment you need it.
So key management is a critical part of any encryption program and should not be overlooked. If you don’t have a solid key management strategy in place, the encryption can actually become an obstacle and vulnerability.
I recommend that IT leaders hire or consult expert cryptographers when planning their encryption strategy. There are many nuances to encryption, and the tactics used to undermine encryption are always evolving.
Mature organizations may have robust information classification methods already in place, but for many organizations it could be new. The challenge with IAM, oftentimes, is extending it into the cloud. That’s because IAM was originally designed for authentication and authorization within the enterprise.
Q: Besides improved security, are there other benefits to an information-centric approach?
Reynolds: Assuming you begin with risk assessment and implement a classification scheme, you’ll gain a deeper understanding of the information you have, how it’s used and where it’s stored. That alone is valuable. You’ll also end up with risk profiles for all your information, which will make you more efficient when managing enterprise information. You need to have an inventory of your information assets in order to identify vulnerabilities and assess business risk.
In addition, once you understand the risk profile and security requirements for your information, you’ll be better informed and prepared to choose the right cloud service provider. You’ll know what risks you’re willing to take in putting different types of data in the cloud and what security guarantees you’ll need in return. With this information, you’ll be able to determine whether a cloud service provider offers the right level of security, given your tolerance for risk.
Applying an information-centric security technique like encryption allows you to be more fluid with your information. If your information is encrypted, you can more easily take advantage of public cloud computing services, or mobile applications where your information is more exposed. So it gives you more flexibility with the types of computing platforms you use, and it enables more agility in terms of responding to your business.
Q: What kind of strategic advice would you give CIOs and CISOs interested in the information-centric approach?
Reynolds: The most important aspect of an information-centric security approach is that you implement it at the architecture planning and application development level. The “build in, not bolt on” approach to security has been a great rallying cry, but it’s only been partially implemented.
With an information-centric approach, security must be treated as equally important as business requirements when designing an application or information system. Whether it’s for the cloud or a mobile app, your information must be self-protected by design and not reliant on the infrastructure or devices it will live on. If you don’t do this, you can’t take advantage of today’s more open environments, like the cloud and mobile.
I also recommend that CIOs make sure they have a seasoned information security executive on staff and work with external experts, because the threat landscape is constantly evolving.
Q: Where should a CIO start? What initial steps can an IT leader take to adopt an information-centric approach?
Reynolds: I typically advise IT leaders to begin with an inventory of their organization’s information, if they haven’t already. They need to know what information they have, who the custodians are and what the risk profile is for that information. Is the information critical to the enterprise? If so, what are the security requirements? What enterprise information must comply with regulatory laws like HIPAA and PCI?
Once you’ve classified your information and you understand its risk profile, you can then apply the appropriate information-centric techniques that allow you to use it confidently in the cloud, such as encryption or tokenization.
HP Fellow Ed Reynolds led the development of HP Enterprise Services’ cloud strategy, and co-wrote the white paper, “Minimize the Risk of your Cloud-Based Services.” As an HP cloud advisor, he helps enterprises on their cloud journeys. Contact him at firstname.lastname@example.org.