Weaponized Gerbils and Cloud Security
--
Cloud Security is just one of those topics that seems to generate some seriously emotive views. Discussions around data location, data types, ownership, responsibilities and lest we forget, licensing models, are all viable targets for the most impassioned speeches around ‘good practice’ in the cloud.
And rightly so, since cloud security is rarely one size fits all.
It can also be an emotive area when dealing with UK health data. The UK’s Department of Health is increasingly taking a ‘cloud first’ policy as part of its response to the Government’s Digital Strategy and is hurrying to understand what this actually means in a real world setting.
CLOUD MYTHOLOGY
The Greek’s were renowned for their Mythology and as an aside they had a cloud based deity called Nephele, perhaps he will bless your cloud migration strategy? And it’s on this subject of myths that you will have heard all manner of weird and wonderful facts surrounding the cloud…
- The cloud will fix everything…
- It’s in the cloud, not a data center…
- The cloud just isn’t secure!
- It’ll become the cloud providers problem…
- Our data might disappear…
- You need helium balloons to get data into the cloud
Ok, apart from the last one, you will likely have heard similar statements being banded around your organisation.
Cloud Security is often viewed as maturing, but we should not forget that it is fundamentally based on very mature and well used solutions and principles. Encryption techniques in the cloud are just the same as those used in a local data center. Access control merits the same due-diligence whether cloud based or located in the server room next door.
Standards do help though, and it is reassuring to hear that Microsoft Azure has recently adopted ISO/IEC 27018. This ISO standard has a nice warm and cozy description that will send you off to sleep feeling all safe and secure:
“ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
Microsoft’s announcement offers to remind us of the five guiding principles that a cloud service provider (CSP) must follow:
- Consent: CSPs must not use the personal data they receive for advertising and marketing unless expressly instructed to do so by the customer. Moreover, it must be possible for a customer to use the service without submitting to such use of its personal data for advertising or marketing.
- Control: Customers have explicit control of how their information is used.
- Transparency: CSPs must inform customers where their data resides, disclose the use of subcontractors to process PII and make clear commitments about how that data is handled.
- Communication: In case of a breach, CSPs should notify customers, and keep clear records about the incident and the response to it.
- Independent and yearly audit: A successful third-party audit of a CSP’s compliance documents the service’s conformance with the standard, and can then be relied upon by the customer to support their own regulatory obligations. To remain compliant, the CSP must subject itself to yearly third-party reviews.
Will AWS, Google, Apple and other CSP’s follow this example? We can only hope so…
“UNLEASH THE WEAPONIZED GERBILS…”
In the meantime, as you deal with unfounded ‘facts about the cloud’ and wrangle with the rights and wrongs of hosting personally identifiable data in the cloud, I recommend you include a brief statement in your cloud strategy under the following heading and see if it helps to dispel myths around cloud security…
CLOUD STRATEGY: SECURITY IN THE CLOUD
“In order to protect our organization’s data in the cloud, we will be deploying a team of highly trained weaponized gerbils. Once they have secured the firewall perimeter we will obviously deploy mildly angry squirrels to ensure that no data is accessed by unauthorized individuals…”
Gareth Baxendale FBCS CITP
Head of Technology NIHR Clinical Research Network.
Vice Chair BCS Health and Care Executive
