Are your customers requesting that their data be stored in one or many clouds? You’re not alone. With the new push to all things digital and needing to support an enterprise that is mostly WFH, it’s no surprise that our world is increasingly cloud-centric and sometimes agnostic. Everyone’s keeping data on the cloud – but keeping that data safe is not as easy as it appears. MSSP’s have an opportunity to provide best practices in supporting their customers cloud migration as well as operational efficiency and increased control of managing their customers’ data. In this article, we’ll break down the five challenges your enterprise customers must consider when migrating sensitive data to a cloud service provider (CSP).
Challenge 1: Visibility and Control
CSPs not only store and manage data for enterprises; they become responsible for enforcing policy, visibility, accessibility, and governance over that data. This means that CSPs – not the MSSP or enterprise that selected them – are entrusted to ensure that your enterprise employees know where the cryptographic keys securing their data are being stored, how they’re used, and when they’re being used. CSPs may not have the same standards for those policies as an enterprise may hold internally. In practice, enterprises lose time in assembling the data points and more importantly the audit trail. Why? Because in most cases they don’t have the full logs to access critical information. Add to this, the fact that each cloud is traditionally its own silo -- with its own format, usernames, and other hard-to-correlate input data – and understanding where the data sits can easily become a cloud-shift nightmare.
Another consideration and sometimes overlooked issue that can arise with visibility and control in the cloud is data deletion. Often, the client has lost sufficient visibility to confirm whether their data was deleted, in practice, by the CSP. CSPs spread their data across multiple devices, and deletion practices and protocols vary between providers.
Control of who accesses what keys – and where they’re stored – may prove elusive, even within the organization itself. CSPs provide a self-service type model for applications – some of which may not be standard or supported by an organization’s IT department. In other words, employees using a CSP for one application – which is approved by the IT department – also has access to other applications which may not have undergone an internal IT review, i.e., “Shadow IT.” With one unauthorized access, an unwitting employee may be putting sensitive data at risk – and the IT department might not even know about it.
Challenge 2: Flexibility
Vendor lock-in presents a significant challenge for enterprises using multiple clouds. Each CSP encrypts data using their own specific encryption keys – and it’s a problem for organizations looking to move from one CSP to another. Data can be transferred; encryption keys cannot. This leaves organizations with the difficult and time-consuming task of decrypting the data from the first CSP, moving it to the new CSP as plaintext, and then encrypting again with the second CSP’s encryption scheme, a procedure that is cumbersome on a large scale and prone to a potential data theft in the process. Moreover, the unique features offered by each CSP – which require customization – cannot be transfigured when being transferred to a new CSP.
In other words, if your organization suddenly needs features from, for example, Azure that are not available on AWS – you’re stuck.
Challenge 3: Efficiency
Forget moving data from one CSP to another; using data on multiple clouds can be an operational nightmare. CSPs’ vendor lock-in prevents interoperability between clouds.
Another operational hurdle exists specifically for the organization’s IT team. Each CSP maintains its own set of technical requirements, regulations, admin permissions, and more; each CSP is its own IT ecosystem. If your enterprise keeps keys on 2, 3, 4, or more clouds – chances are the IT department is already feeling the strain.
Challenge 4: CLOUD Act
Organizations outsourcing data storage to CSPs also have little control over whether their data will be accessed by law enforcement agencies.
The Clarifying Lawful Overseas Use of Data (CLOUD) act, enacted in March 2018, increased the risks for organizations storing data on the cloud. According to CLOUD act, any organization worldwide storing information on a cloud server by a US-based company can be subpoenaed and / or warranted by the US government for information on their sensitive data stored on that cloud.
When encryption sits with the CSP, this puts that information that much closer to the public. While subpoenas may be justified in some cases, CLOUD act creates a possibility for a company to be subpoenaed without their knowledge – in the event the party filing the complaint files directly with the CSP without warning the end customer. 29,443 requests for information were submitted to Microsoft, Amazon, and Google in the first half of 2020 alone.
Challenge 5: Security
IT teams are at risk of inefficient due diligence when migrating data to the Cloud, including not understanding the security provided by the CSP vs. security expected to be provided by the enterprise, and not understanding the risks of cloud migration.
It’s important for MSSPs to remind their enterprise customers that most cloud computing infrastructures do not provide security against untrusted cloud operators, and to consider whether to store sensitive data (e.g., financial and healthcare records) on such a system without additional security measures in place.
Guidance for MSSPs: Unbound Security addresses all the above challenges and is revolutionizing the way that organizations manage and protect their cryptographic infrastructure in any cloud scenario. Click here to learn more.
“Requests for User Information.” Google Transparency Report, Google, 2021, transparencyreport.google.com/user-data/overview?user_requests_report_period=authority%3AUS. Number cited here is only for user information requests regarding Enterprise Cloud customers.