Are we asking enough questions about cloud security for organizations to make informed risk management decisions? With cyber threats evolving, cloud servers are a major target and more than 80 percent of organizations store their information in the public cloud, according to Rightscale’s 2018 State of the Cloud Report. This begs the question of cloud security.

The cloud promises availability, simplified management and cost savings – yet the cloud’s openness is also its weakness, making it vulnerable to new attack vectors and compromise. For example, if the cloud host hardware or operating system are compromised, all data hosted can also be exploited via a process called hyperjacking.

Risk Management Issues with the Cloud

Organizations need to proceed with caution about what they store in the cloud. The way cloud storage systems typically work is to leave it up to the user to enable and configure encryption. Without a deliberate user effort, most data stored in the cloud is not encrypted at-rest. When encryption is enabled to encode data, most services store the keys themselves, and use the key to access the data whenever a user requests data. However, storing keys and data in a cloud service might leave users’ keys and their data vulnerable. An example of this was when the Open Secure Sockets Layer (OpenSSL) Heartbleed exploit was discovered.

When relying on cloud providers, mitigation and protection against exploits like this are often out of the organization’s hands. The organization has little to no visibility of the underlying protections and potential risk. Currently, there are several risk management issues that organizations face with cloud security:

1. Loss of physical controls of their data.
2. No visibility around subpoena and disclosure of their data when stored in cloud.
3. Accidental disclosure. It’s difficult to accidently disclose data when stored on a server in a data center that is cabled to the inside of a firewall. It is much more likely to occur when stored on a cloud service that could be accidently be misconfigured and made publicly accessible to anyone on the Internet, via a click.
4. Little to no established practices from cloud providers on access or guarantees for protecting user keys.
5. What happens to your Internet of Things or pubic key infrastructure (PKI) for your environment if the cloud provider decides to exit the service? Keys cannot be extracted or moved to new appliances. Data that is encrypted can be moved to wherever you want. If a cloud provider terminates a service, unless you have possession of the encryption key, you may be unable to move or recover your operations and data.  
6. Encrypted data where the key and data are held by the provider make contract and price negotiations much tougher as you are locked into their platform.

Proceed with Caution About What to Store in the Cloud

Should organizations entrust their private keys in the cloud? No. Storing private keys and identities in the cloud is dangerous. For PKI, the security of private keys is critical. Anyone who obtains a private key could impersonate the rightful owner and compromise information, potentially resulting in tremendous damage.

It is best to consider the cloud as a storage repository and maintain control of the encryption keys on premise. While there are a few cloud providers that offer storage and protection of keys, organizations should carefully consider whether their data is safe if both the encrypted information and the keys are stored in the same location. Key management principles often place the keys in separate containers, locations or facilities – and the encrypted information in another. Separating keys and data offers a form of protection.

What to Store and What Not to Store

Information that is generally fine to store in the cloud:

1. Non-sensitive data.
2. Encrypted Information. Insist on at least AES 128 symmetric or better or RSA 2048 encryption.
3. Encrypted backups of systems.
4. Applications and processes to manage data.

However, be wary of storing this type of information:

1. Encryption keys.
2. Identities.
3. Information that requires tight geographic boundary possession, unless the cloud provider has specific guarantees around data storage locations in the cloud. Think GDPR.
4. Don’t store data and their associated encryption keys at the same provider. Consider on-premises keys and cloud-based data.

A clear and strong identity management process and plan is critical. As hybrid enterprise solutions evolve, including cloud and on-premises software, the need for stronger identity management and identity as a service (IDaaS) is a must in order to make more informed risk management decisions.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.