Neil Readshaw, CISSP
Worldwide Chief Architect – Cloud Security
IBM Global Technology Services
   @readshaw




Protecting Data in the Cloud




                                             © 2012 IBM Corporation
A Perfect Storm for Data Protection

     • Big Data
     • Industrialization of IT
     • Consumerization of IT

How data protection in the cloud can go wrong

     [Diagram: the enterprise (security policy, administrator, user, mobile user) connected over the Internet to a cloud service provider (customer workloads, cloud infrastructure, cloud administrator); numbered failure points as below.]

     1. Security policy does not specify appropriate use of public clouds, so users are unguided.
     2. Without knowing better, user tries to upload confidential data to public cloud service “to do their job”.
     3. No data security controls at the enterprise boundary.
     4. Cloud provider’s data protection controls are neither documented, trusted nor certified.
     5. Enterprise workload in the cloud not subject to same security policy as on-premise.
     6. Mobile employee with BYOD leaks data because device lacks sufficient security to protect data at rest after retrieval from the cloud.

Risks change when putting data in the cloud

     Example Risk                    What makes it different?

     Data Location                   Information may no longer be protected by the same laws
                                     and regulations as if it was in your on-premise
                                     environments.

     Multi-tenancy                   A multi-tenant cloud may contain vulnerabilities at any level
                                     in the architecture that compromise the isolation principle.

     Cloud Provider Administration   A cloud provider’s administrators are not necessarily
                                     subject to the same security controls and regulations as in
                                     the on-premise case.

     While the extent of risks may vary from on-premise data protection, the way to
     approach data protection is no different.

To protect data in the cloud requires:


     • A balanced approach:
       • Governance, policy and process
       • User awareness
       • Technical security controls
       • Trust, compliance and assurance


     • Meeting or exceeding what is already
       available in the enterprise IT
       environments



Governance, policy and process

     • How effective is your current enterprise data protection
       policy?
       • And how accurate is the perception of its effectiveness?

     • Make your CIO Office/Cybersecurity policies and
       procedures cloud aware
       • System inventory
       • Endpoint security and compliance management
       • Incident response
       • Automation is a must

     • Taking a risk based approach allows for a balanced
       consideration of business opportunities
       • Cloud is not one-size-fits-all, nor should the evaluation of
         workloads and their suitability be

User awareness

    • The division of security and privacy responsibilities
      between the cloud service provider and cloud
      consumer should be clearly and consistently
      understood by all parties
      • Include end users, not just owners/admins

    • Demarcation of responsibilities will vary according to
      the cloud service and its delivery model


    • A program of ongoing education and awareness to
      users provides an opportunity to update users as
      the cybersecurity and compliance landscape
      changes

Technical security controls

     What
     • Identity and access management (IAM)
     • Encryption and key management
     • Tokenization
     • Secure delete
     • Anti-malware
     • Data loss prevention (DLP)
     • Security and compliance management
     • Audit
     • Secure software engineering

     Where
     • Within the enterprise (desktops, servers)
     • At the enterprise boundary
     • At the cloud boundary
     • In the cloud infrastructure
     • In the workloads/VMs running in the cloud

Trust, compliance and assurance

     • How is trust built between a cloud service
       provider and cloud service consumer?
       • Infrastructure certifications, e.g. ISO 27001,
         SSAE 16
       • Industry regulations, e.g. PCI-DSS
       • History and experience of a vendor to provide
         cloud/IT services


     • Providing visibility into the operation of the
       cloud is important for assurance
       • Directly with the cloud service provider or
         through a trusted third party


When data protection in the cloud goes well

     [Diagram: same enterprise-to-cloud layout as slide 3 (security policy, administrator, user, mobile user; Internet; customer workloads, cloud infrastructure, cloud administrator, cloud service provider); numbered controls as below.]

     1. Security policy specifies appropriate use of public clouds, including incremental security controls, by workload.
     2. User has been educated to know that confidential data cannot be put in public clouds without encryption, and that SPI cannot be put in a cloud outside of the home country.
     3. Boundary security devices perform malware detection and policy based data filtering/tokenization.
     4. Cloud provider can demonstrate compliance with industry regulations and standards.
     5. Enterprise treats cloud hosted workloads as per on-premise, with the same security controls, e.g. IAM, AV, SCM.
     6. Mobile devices (enterprise supplied or BYOD) are managed, including security configuration management.

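As an added illustration of points 2 and 3 above (example code, not from the slides or from IBM): a policy-based filter at the enterprise boundary that tokenizes SPI through an on-premise vault, hands confidential fields to an enterprise-managed encryption routine, and blocks SPI bound for a cloud outside the home country. The field classification scheme, the home country "AU" and the injected encrypt() routine are assumptions made for the example.

```python
import secrets
from typing import Callable, Dict

# Assumptions for this example (not from the slides): the home jurisdiction for
# SPI (sensitive personal information) and a per-field classification scheme.
HOME_COUNTRY = "AU"
CLASSIFICATION = {
    "ticket_id": "PUBLIC",
    "contract_value": "CONFIDENTIAL",
    "customer_name": "SPI",
    "tax_id": "SPI",
}


class PolicyViolation(Exception):
    """Raised when the boundary filter must block an upload rather than transform it."""


class TokenVault:
    """On-premise token vault: the cloud only ever sees tokens; real values stay here."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)  # random, so the token reveals nothing
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def boundary_filter(record: Dict[str, str], destination_country: str,
                    vault: TokenVault, encrypt: Callable[[str], str]) -> Dict[str, str]:
    """Policy-based data filtering at the enterprise boundary (slide 10, points 2 and 3).

    PUBLIC fields pass through; CONFIDENTIAL fields go through encrypt(), which stands
    for the enterprise's key-managed encryption and is injected so the example stays
    stand-alone; SPI fields are tokenized and are blocked entirely when the destination
    cloud is outside the home country. Fields with no classification default to CONFIDENTIAL.
    """
    out: Dict[str, str] = {}
    for name, value in record.items():
        cls = CLASSIFICATION.get(name, "CONFIDENTIAL")  # default-deny for unknown fields
        if cls == "SPI":
            if destination_country != HOME_COUNTRY:
                raise PolicyViolation(f"{name}: SPI may not be stored outside {HOME_COUNTRY}")
            out[name] = vault.tokenize(value)
        elif cls == "CONFIDENTIAL":
            out[name] = encrypt(value)
        else:
            out[name] = value
    return out
```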
Conclusion

     • Data protection in the cloud starts with data protection in
       the enterprise


     • A balanced approach is needed
       • Governance, policy and process
       • User awareness
       • Technical security controls
       • Trust, compliance and assurance




Thank you!



