How to secure data in cloud? Stick with it like glue.
Today's agency IT managers must be ready to safeguard data — wherever it goes
As agencies move their applications to multitenant, cloud computing facilities, the layers of security that were once required to protect data in different locations and states of use have also become centered on the cloud.
The concentration of computing resources is changing the nature and methods of agency data security, experts say. In the emerging world of cloud computing, data must now be protected while at rest, in transit and even when accessed by those authorized to handle it.
In effect, security managers must now be prepared to protect data from the moment of its creation, through its move to the cloud and after it is taken into the wilderness of users.
In the cloud, good policy enforcement makes good neighbors
Cloud security awaits encryption breakthroughs
Cloud security is easy if you don't want perfection
IBM rolls out cloud-based backup, recovery and archiving services
“In order to protect it adequately and ensure that data is safe, you have to follow it wherever it goes and protect it every step of the way." said Marc Olesen, senior vice president and general manager of content and cloud security at McAfee, a provider of security technology and services.
Today, protections, whether they are manually or automatically applied, can be configured to block users from printing, saving content, downloading it to a CD or thumb drive, copying or pasting it, or even forwarding e-mails to nonauthorized parties.
Failure to properly apply and enforce security permissions can expose data and files to hackers or open the door to data leakage by employees, contractors and agency collaborators — intentionally or unintentionally.
The technology to apply protections at this stage of the security chain — when users are handling the data — is sometimes called data rights management, enterprise rights management or information rights management.
Traditionally, such technology has been expensive and complex to put in place, said Mike Duffy, chief operating officer of management consultancy DRT Strategies Inc. and former Treasury Department CIO.
However, if security administrators are using strong authentication technologies and public key-based certificates in combination with a data rights management toolset, they should be able to manage access to data, Duffy said. But how well those tools work together in the cloud computing arena is a story that is still unfolding, according to experts, who say the next frontier in information security is protecting so called data in use.
“Our philosophy around that has been a follow-the-data philosophy,” Olesen said. "You do have to know where your data is and then you have to follow it,” he said.
Data rights in the cloud
As a cloud provider, RightNow Technologies tries to take an in-depth approach to security, said Ben Nelson, the firm’s chief information security officer. The company provides cloud-based customer relationship management solutions to defense and civilian agencies.
Nelson stressed the importance of providing security awareness training for cloud users and taking time to think through access control and authorization strategies upfront. After that, if data should leak into areas where it is exposed to misuse, organizations can rely on data rights management tools as a part of a total data in-use protection strategy.
As a software-as-a-service provider, RightNow develops its own rights management tools that enables it to turn over access control privileges to IT administrators at the agencies the company serves. However, many data rights management tools are focused on the enterprise and thus are not geared for cloud vendors trying to deliver enterprise services, Nelson said.
“I haven’t found one that is a good fit for a cloud vendor who is trying to turn those services back around and offer to customers,” he said. “We’ve built into our product the ability for customers to manage their own access and authorization profiles,” Nelson noted.
But perhaps things are about to change.
In April, GigaTrust, a developer of enterprise rights management software, unveiled GigaCloud, billed as the first software-as-a service ERM solution offering in the industry. GigaCloud is designed for cloud providers to help users apply and enforce security permissions. To that end, GigaTrust formed a partnership with Terremark Worldwide, a provider of IT infrastructure services, which Verizon Communications purchased in April.
GigaCloud combines the GigaTrust Enterprise Plus product suite and Microsoft Active Directory Rights Management Services (AD RMS), which provides encryption and key management with native implementations for Microsoft Outlook, Exchange, SharePoint and Office.
Traditional ERM is normally delivered as an enterprise application to authenticated users within an enterprise directory, said Harry Piccariello, GigaTrust chief marketing officer, who said a midsize ERM deployment can take six to nine months to deploy.
However, with budget and resources constraints, an ERM deployment often falls into competition with other security projects, such as full-disk encryption and data loss prevention, which have proven to delay full-scale ERM adoption. Offering ERM as a cloud-based software as a service eliminates that obstacle, Piccariello noted.
View from the network
GigaCloud extends and enhances AD RMS for the cloud by providing multitenant use and centralized content policy management. “In a perfect world, we would have end-to-end encryption” for data protection, said Susie Adams, chief technology officer at Microsoft Federal.
However, assigning data rights depends on the area of focus: Is it e-mail or data-at-rest? From an access control perspective, it is all about establishing user and data access policies. Those policies must be defined first, and then agencies need to implement some type of identity infrastructure that can uphold the policy, she noted.
“Microsoft looks at things at the network level,” Adams said, with a focus on data in transit, at rest and at the particular workload level, such as Microsoft Exchange or SharePoint.
In addition to AD RMS, Microsoft offers Active Directory Federation Services, which can be installed on Windows Server to provide single-sign-on access to systems and applications located across organizational boundaries. It incorporates a claims-based access control authorization model for application security and links a user’s identity and attributes stored across multiple identity management systems.
For instance, AD RMS can be used if someone sends an e-mail with a Word document attached that has sensitive information. The sender of the e-mail might want to send it to a group of people but wants to ensure that they do not pass it on to someone who does not have permission to view the document. The sender can go inside Microsoft Outlook Web services, create a new e-mail and set permissions that restrict use of the document and manage credentials, Adams said.
The sender has control to give read-only privileges or allow people to forward to a particular group inside Active Directory and even encrypt the document. If the recipient of the e-mail can’t authenticate who they are, he or she cannot open the document. Microsoft’s rights management service has been integrated with Microsoft Office 365, the company’s cloud platform that incorporates desktop Office software and server software, such as Exchange and SharePoint.
Adobe Systems also has moved enterprise rights management into the cloud. No stranger to document security, the company offers rights management to organizations on premises or through a partnership with Amazon Elastic Compute Cloud. ERM can also be offered as a managed service, said John Landwehr, senior director of enterprise security solutions at Adobe.
Adobe supports a range of technologies to secure documents and help users authenticate electronic communications, such as Federal Information Processing Standard-certified encryption, digital signatures, certified documents, public key infrastructure and smart cards.
For example, the Government Printing Office publishes documents as certified PDFs. A blue ribbon shows up across the top of the document stating that the document has been certified by the Superintendent of Documents, so people know it comes from the government and has not been altered.
If the document is altered, the blue ribbon changes to red, Landwehr said.
Adobe ERM provides a layer of protection that is different from how encryption is traditionally implemented, he said. Content is typically put in an encrypted envelope, and the recipient of the document uses a decrypt key to open the envelope. The contents are then in plain text, open for any to see or pass on.
With ERM that uses internal document encryption, there aren’t any unprotected copies. The encryption is inside the file format. Just like a certifying signature, security sticks to the document, Landwehr noted.
Adobe ERM can be deployed three different ways: on premises at an agency or organization; in the cloud, while everything else is on premises; or via rights management and a data storage portal that can be in separate clouds.
David Fletcher, CTO of Utah, which is poised to offer IT services via the cloud to local municipalities throughout the state, said organizations “need to have a data classification system in place that enables them to support role-based authentication.”
“With that in place, we can impose whatever level of security is necessary, regardless of whether the data is stored in the cloud or not,” he said.
“Many cloud technologies are still relatively new and emerging,” Fletcher said. “We are still in the process of updating our overall authentication and security model as it applies to cloud, but there are many promising technologies that we are looking at as we update our standards.”