Cloud Computing: why security is not the real issue – its data classification.
Mon 30 Jan 2017 | Michael Mudd
The past five years has seen widespread adoption of the technologies that make up the outsourcing proposition that is Cloud Computing. International Data Corporation (IDC) said that worldwide revenues from public Cloud services are expected to reach more than US$195 billion in 2020 – more than double the US$96.5 billion in revenues forecast for 2016 and represents a compound annual growth rate (CAGR) of 20.4% over the 2015 – 2020 forecast period (1).
Uptake has been rapid in diverse industries with financial services, manufacturing, professional services, accounting for a third, with the fastest growing sectors coming from media, telecommunications, and retail. 83.7% is being spent on Software as a Service (SaaS) and Platform as a Service (PaaS) the balance 16.3% in infrastructure as service (IaaS) according to IDC. Gartner further warns that legacy enterprise systems are not suitable for the demands from today’s business environment, being too complex to secure. By 2018, at least 30 percent of service-centric companies will move the majority of their ERP applications to the Cloud (2). Thus the Public Cloud is not just a cheap back end for web services; it is now mainstream computing for enterprise and government.
What is driving this growth is the increasing demand for IT systems to perform at greater efficiency in diverse environments, from desktop to notebook and tablets and cellphones, for an increasingly mobile workforce and customer/citizen base. The proliferation of application user interfaces (API’s) has enabled data to be more accessible from’ light’ devices – tablets and mobiles, as well as traditional PC’s.
The Cloud answers cost effectively the sort of problems that in the past would have simply been addressed by buying more hardware. This has great practicality in the data mobile world; hence enterprises are increasingly designing interconnected oriented infrastructure™ (3). A recent report from Equinix indicated that over a third of companies they polled who have interconnection solutions report more than US$10 million in realised value (4). In the hardware market, convergence with Cloud has led to smaller footprints and brought servers and storage together in one box along with additional new functions, reducing the physical size of on premise data centres, with attendant savings.
Many industries in the private sector provide services that are subject to government oversight through regulatory regimes. For example, healthcare, banks, insurance companies and securities market makers, are key sectors of society that have been regulated for decades. The uptake of Cloud by major banks is almost universal in one form or another from office productivity to customer service management and business analytics. The question that has clearly been answered by the risk managers in both the banks and their regulators is; they have addressed security and mitigated the risk through data classification.
Security and data classification
Frederick II, better known as Frederick the Great, was King of Prussia from 1740 until 1786. Some of his most significant accomplishments during his reign were many military victories: he rarely lost. His understanding of tactical attack, focusing his forces in one flank, even though outnumbered, and breaching the enemy defences led him to successive victories. At the Battle of Rossbach in 1745, Frederick led his forces to defeat a combined Franco-Austrian army of 41,000 with only 21,000 soldiers, taking only 500 casualties to the enemies 10,000. It was the application of the ‘oblique attack’ at the enemy’s weakest spot that gave him the edge. He was famously quoted; “He who defends everything defends nothing “, meaning that given enough force focused at one particular point, a determined foe will breach even the strongest of defenses.
This statement today is as true for IT security as it was then for physical security. In the context of defending your IT systems against attack, you need to make an informed risk-based judgement regarding what is important to be defended and with what resources. Then classifying your other assets and allocate budget/resources according to the value of the data. Otherwise you run a risk of spreading your forces too thin. This is what the data thieves are looking for; the weak spot in your defence. If all data is protected equally, then one penetration puts your entire data set at risk.
IT security is primarily concerned with data risk management. It is the practice of assessing the risk of data loss and mitigating those risks, from whatever causes; natural or man-made disasters, theft and accidental or deliberate destruction to name a few. Cyber incidents are a fact of contemporary life, and significant cyber incidents are occurring with increasing frequency, impacting public and private infrastructure no matter where it is located. Mitigating loss of data is therefore a priority.
Security and risk management is a given requirement, but how do you address the elements that make this up? In addition to the agility and economic benefits in the Cloud, when it comes to regulated industries there can be a close integration of compliance and security with enhanced visibility. Cloud platforms also may act as “system containers”, providing a new kind of defence in depth (as the Cloud is not only a programmable infrastructure, but a reacting infrastructure; it allows for monitoring, logging and alerting of “interesting” events).
It has been theorised that the less connected Data Centre staff are to the data owner, the less they may know how to monetise it. The damage caused by data theft may therefore be lower in an outsourced Cloud environment than in – house. Recent leaks from large government organisations and private enterprises gives support this hypothesis.
Lost or stolen laptops and mobile devices are a problem for all enterprises and governments. For example, the Western Australian State Government reported 1400 laptop and mobile devices missing in 2015 double that of the previous year (5).
The data exposed has not been revealed. The loss of a device may involve loosing non backed up data; a Cloud service means that does not happen (depending on the specification of the service) as the device would only have the minimum cached. When it next logs on, this may be removed by Cloud security software. Thus data loss risk may be better managed using a Cloud service.
To fast forward to the 20th century, former US Secretary of State Dean Rusk once said that “If you protect your paper clips and diamonds with equal vigor, you’ll soon have more paper clips and fewer diamonds.” In other words, not all data is created equal, you need to classify and protect it accordingly.
My own experience in product management for a major bank revolved around not just innovation in the bank, but internal risk assessments of such innovation and then discussing with the regulator on the risks. Cloud API’s allow data to be accessed – but not stored – on mobile devices which drives down the costs (as they have very little memory) and thus also increases security in the event of loss.
In discussions in many countries I have often heard public sector organisations say they are reluctant to move their data to the Cloud because they’re concerned about unauthorised access or it being stolen or worried that it could wind up in the wrong hands. When you look at the information within most government organizations, only about one fifth – 20 percent – requires a high level classification.
Of the remaining 80 percent, the vast majority is public, non-classified information. Despite this fact, many governments apply the same restrictions to all their data sets, whether they truly need to be classified or not. In a nutshell, governments are managing their paper clips with the same vigour as their diamonds and this is both expensive and unnecessary today.
When you look at the larger Cloud service providers, they all utilize geographic replication, building databases in many locations around the world, which enables them to host relevant data or services in regions unaffected by local or regional emergencies. Therefore, if a government loses access to its on-premises servers due to an environmental disaster, political conflict, or other unforeseen crisis, public Cloud services can continue to safeguard data or to support essential government services.
A full-spectrum DLP strategy is therefore required to ensure there is no data loss from the growing use of proliferation of mobile devices and apps; the rise of ‘shadow IT’; the decline of perimeter security, and the data explosion in increasingly complex virtualised environments. Data therefore is either unclassified or classified.
The British (UK) government provides a clear example of data security (in terms of the likely impact resulting from compromise, loss or misuse) and the need to defend against a broad profile of applicable threats in a recently simplified classification definition which enables greater use of outsourced Cloud services.
They reduced the number of its security classification levels from six to three. Each classification provides for a baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat. (6)
Official – lowest level the majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
Secret – Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
Top Secret – The most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.
Under the revised rules the vast majority of information may be classified at the lowest level – estimated at 90% – including all routine public sector business, operations and services. The UK has determined that most departments and agencies will operate exclusively at this level. This includes the day to day business of government, service delivery and public finances. This also includes public safety, criminal justice and enforcement activities. This covers legal obligations under privacy and data protection laws, including health records. Such data is suitable for processing by qualified Cloud Service Providers.
This has led the UK Ministry of Defence for example to announce in September 2016, that they will be using Cloud processing and storage services from a major provider for office productivity solutions. Clearly the MOD takes data security seriously and has classified what to outsource to the Cloud and what not to.
Apart from the foregoing, which is applicable to both the private and public sector, government has additional demands in that its IT systems are part of the ultimate cultural history of the people. In addition, government has to interact with both citizens and business in formats and protocols that do not overly add an additional burden or expense; therefore the use of industry and open standards, such as the International Standards Organisation (ISO) series is important.
In particular as well as adherence to the international security standards (ISO 27001, 27002, 27017 and 27018, (7) etc), government should also consider ISO 38500; Governance of IT for the organisation. When considering national standards, (e.g. Singapore’s MTCS (8), Australia’s ASD (9), US NIST (10) ) compatibility with ISO standards and certification schemes for specific security policies for service providers is important so that they enable cross border data flows. Protecting the integrity of data through standardization is as important in the digital economy as in the physical economy and is essential for global trade today.
As outlined above, data such as; land titles, court records, census and statistics, may have a higher classification than other public records, but considerable economy may be made and data well protected using Cloud based SaaS systems, as well as non-critical communications, such as hosted email services. These services are very secure, for example the Office 365 productivity suite, which was available only via the Internet, can also be accessed now by a secure VPN private connection and is encrypted from end to end; thus is more secure than on most on premise alternatives. (11)
In conclusion, large enterprises and government may now take advantages of the Cloud and be in compliance with sound security and privacy practice through the application of appropriate data classification policies. Protecting data is not easy: but reassessing data classification will ensure that you focus your security budgets where they are needed most – to ensure the safety of your’ diamonds – forever.
(1) https://www.idc.com/getdoc.jsp?containerId=prUS41669516
(2) http://www.gartner.com/newsroom/id/2658415
(3) http://www.equinix.hk/ioa/
(4) http://www.equinix.hk/resources/analyst-reports/enterprise-of-the-future/
(5) http://www.abc.net.au/news/2015-10-05/number-of-stolen-wa-government-laptops-and-mobiles-increases/6828346
(6) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf
(7) https://view.officeapps.live.com/op/view.aspx?src=http://www.iso27001security.com/ISO27k_Information_classification_matrix.xlsx
(8) https://www.ida.gov.sg/Programmes-Partnership/Store/MTCS-Certification-Scheme/MultiTier-Cloud-Security-Certified-Cloud-Services
(9) http://www.asd.gov.au/infosec/irap/certified_Clouds.htm
(10) http://csrc.nist.gov/publications/drafts/800-171r1/sp800_171r1_draft.pdf
(11) http://go.microsoft.com/fwlink/p/?LinkId=401240
