Data Security in the Cloud – beyond Encryption

by Sudhindra Kumar, Principal Software Engineer at NextLabs

Kentucky recently joined 46 other states in the U.S. that enacted a data breach notification law.  California is the vanguard – enacting the first such law in 2002.  And now, the high profile data breaches of retailers Target and Neiman Marcus are serving as stimulants for revisions to and improvements of the breach notification laws.

Verizon recently released their “Data Breach Investigations Report”.   And, according to it, around 45% of the breaches happen at the ‘Servers’ followed by “User Devices”, which account for around 20% of the breaches.  The number of breaches at the ‘”Servers” have been growing exponentially over the last few years and proliferation of cloud based services could very well be contributing to this rapid increase. The report also illustrates that 92% of the 100,000 incidents analyzed over the last decade can be categorized in just nine basic patterns:

1. Point-of-Sale Intrusions
2. Web App Attacks
3. Insider Misuse
4. Physical Theft and Loss
5. Miscellaneous Errors
6. Crimeware
7. Payment Card Skimmers
8. DOS Attacks
9. Cyber Espionage

According to a report based on publicly available information, more than 200 million records have been lost or stolen in 254 data breaches in the first 3 months of 2014. This is an increase of 233% over the same period last year. However, this figure does not include a lot of data breaches that are never reported. Some are not reported to protect the reputation of the company, while others could be ignored.  Interestingly enough, off all data breach occurrences, only 1% involved encrypted data, which can render the data useless.

Also of interest are cloud services.  With the growth in server attacks, cloud services are prime targets, and cloud data encryption is therefore indispensable.  In addition to cloud data encryption, here are some critical factors that need to be considered while signing the SLAs with cloud service providers:

1. Data Residency
2. Incident Response Plan
3. Business Continuity Management
4. Multi-Tenancy

Despite all the care that you might take, breaches might still occur.  This is where the need for a well-defined “Incident Response Plan” and “Business Continuity Management” comes in. According to the 2014 Ponemon Cost of Data Breach study, having an Incident Response Plan and Business Continuity Management (BCM) will decrease the per capita cost of a data breach.

Therefore, ensure that you have a good monitoring infrastructure in place to know when to trigger an incident response, and make sure you have your business continuity plan in place so you can activate it when required. Diligent planning can help you minimize the impact of a breach as you migrate more data to the cloud.