Some First Steps for the Cloud…
There has been a great response to the questions about the cloud (thanks!) – including an article series here on the site from Craig Mullins – make sure you keep an eye out. I put together some basics to help get you started in working with your cloud providers. I hope this at least gives you some talking points, some planning points for working with your systems.
First, how is your information protected from other accounts serviced by the provider? For example, with this latest breach, I don’t know the overall configuration, but you could imagine the names in a common database, selectable by certain keys. (It may or may not have been this way – this is just an example.) If that’s the case, or if your information is to be stored on a system common to others, what are the "walls" between the information stores? It’s not a good idea to have them stored together, particularly in a common database (in our overly simple example). It gives a potential hacker too much access. Get into one, get into all.
Learn about the protections, learn about the separation of data and information from others.
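To make the "walls" question concrete, here is an added example (not from any provider's actual configuration) that compares the overly simple common-database layout with one store per account. The tenant names, table layout and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: two customer accounts of a hypothetical provider.
SAMPLE = [("acme", "Alice Adams"), ("acme", "Bob Brown"), ("globex", "Carol Clark")]


def build_shared_store():
    """One common table for every account; rows are told apart only by a key."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (tenant TEXT NOT NULL, name TEXT NOT NULL)")
    db.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE)
    return db


def build_separate_stores():
    """One database per account; a session on it holds only that account's rows."""
    stores = {}
    for tenant, name in SAMPLE:
        if tenant not in stores:
            stores[tenant] = sqlite3.connect(":memory:")
            stores[tenant].execute("CREATE TABLE contacts (name TEXT NOT NULL)")
        stores[tenant].execute("INSERT INTO contacts VALUES (?)", (name,))
    return stores


def read_shared(db, tenant=None):
    """Names readable from the common table.

    tenant=None models the failure case: the key filter is missing or bypassed.
    """
    if tenant is None:
        rows = db.execute("SELECT name FROM contacts ORDER BY name")
    else:
        rows = db.execute(
            "SELECT name FROM contacts WHERE tenant = ? ORDER BY name", (tenant,)
        )
    return [r[0] for r in rows]


def read_separate(stores, tenant):
    """Names readable from one account's own store, with no filter at all."""
    return [r[0] for r in stores[tenant].execute("SELECT name FROM contacts ORDER BY name")]


def exposure_report():
    shared, separate = build_shared_store(), build_separate_stores()
    return {
        "shared, filter applied": read_shared(shared, "acme"),
        "shared, filter bypassed": read_shared(shared),
        "separate, no filter": read_separate(separate, "acme"),
    }
```

In the shared layout the only wall is the `WHERE` clause, so one failed filter exposes every account; with separate stores the same failure stays inside one account.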
Second, what data protection options are available? Sure, the provider encrypts the overall system, but do you have options to further protect your specific data using keys known only to you? If so, this gives you the option to protect that data distinctly apart from protections given by the provider. There are serious hurdles here, including performance and integration with systems used by the provider that may not support this type of decryption, and so on. It’s worth understanding, though.
So, first, protect from other accounts.
Second, protect your data if it IS accessed.
More to come, but this will start some interesting discussions I think.
What do you think? Let me know…