How Protected is Your Data in the Cloud and Who Has Access?
Blog / How Protected is Your Data in the Cloud and Who Has Access?
Cloud services have fast become the go-to for businesses and organisations looking to hit the ground running without having to do so much building beforehand like with their own on-premise software and platforms.
However, with data going from on-premise to the cloud service provider, it’s important for businesses to know how their data is being protected when it’s stored on a cloud server and what are the pitfalls that can threaten their assets. After all, the cost of a data breach is at an all-time high and is predicted to grow to 5 trillion dollars by 2024.
But what are the types of data protection and what are their strengths and weaknesses?
Data protection from cloud services in most cases can be broken down into two types, access control and cryptography, which each, while having their advantages and disadvantages, are both completely necessary for maintaining the security of you and your company’s data.
A security classic, access control is a form of active protection provided by operating system software. As the name suggests, it concerns managing the access rights that users have to data and resources sitting on the server.
As for access control management, usually, at the cloud consumer level, you have a master administrator who establishes access rights for users and projects of varying levels within the scope of company and company projects.
There are a few ways you can manipulate and establish access controls for objects and assets in your system, including:
- Using classic access control list, where you can apply identifiable resources and instances of resources in your collection of things in the cloud system.
- Using access control tags, where you can define access policies with a specialised access control list, determining who has access to what resource or compartment.
One notable disadvantage of access controls is that since it’s software-based, it must be implemented and remain active for protection. If the system goes down, your data is completely exposed, which is why you need to hedge your bets with cryptography and encryption.
Broken access controls are always a number one security risk and come in top at OWASP. In fact, most businesses suffer breaches in the cloud due to insufficiently-implemented access controls on their part.
Cryptography is the other main type of protection that is used on the cloud, which is a more passive form of protection where plain text is converted into cipher text, essentially encrypting it. With cloud systems, they tend to have similar administrative controls, which may be strange to people used to more varied types of cryptography.
Typically, in order to manage cryptography on the cloud, you use a crypto, a crypto manager, which is a software process that issues crypto keys to people and projects. The keys protect resources with encryption and, in principle, grant access to authorised users. Essentially, if you want to access encrypted data information and you don’t have access to the crypto keys, you’ll be unable to readily read it because it will look like gibberish.
Keys are distributed and controlled really the same method as the access control. Sometimes it’s a completely separate system, they’re tightly integrated or it’s completely under the hood.
The advantages of cryptography and crypto keys are:
- If the device dies or the entire system shuts down, data is still protected due to it still being encrypted. Once you've changed the data from plain text to cipher text, the protection remains in place until you transform it back to plain text
- Keys are generally inaccessible when a system is down as you need to have all the key management software running to retrieve them.
Cryptographic failures currently rate as the second highest risk on OWASP, being a key player in data breaches and leaks. With 91 percent of Cloud providers not encrypting data at rest, making your data vulnerable if they're breached, it’s very important that your company ensures your data is being protected at every stage of its data lifecycle.
What are the key differences between cryptography and access control?
The biggest difference to get out the way first is that cryptography is passive protection. The data sits on the cloud server encrypted and therefore in theory only authorised users have access. Meanwhile, access control is active protection either enabling or denying users access to specific resources and data.
Other differences include how both control access and cryptography approach the granularity of resource management, file-oriented services and bucket-orientated services.
Granularity of resource management.
Granularity can be broken down into two types:
- Coarse-grained system, where you have a basket full of resources. In this system, you can control who has access to the basket and the types of access they have.
- Fine-grained system, where you can look inside the basket and control access to the individual objects. You can have different layers of fine-grain depending on how deep into the objects you want to go and allow, and tagging can help greatly with this.
When it comes to assessing the granularity of access control and cryptography, you're essentially determining the largest resource control in terms of the hierarchy of resources, with the uber resource having sub resources inside it.
With crypto keys, it’s about determining the largest resource you can encrypt as a thing and the smallest.
Like with access control, file systems are often incredibly flexible.
- You can control it at the user, project and group level.
- You can control volumes and individual files.
- You can control access to folders and directories.
- By controlling individual directories, you control how far users can go down in the hierarchy.
Essentially, you have a lot of control to exercise.
Meanwhile, with encryption, it’s a bit of a different picture in relation to file oriented services. While you can encrypt the entire volume, your home directory or go down and encrypt a file, the file system process in every case will still just encrypt one file individually at a time. This means that there won’t be an entire, impenetrable, encrypted clump of disk with the files behind it.
While some particular vendors may have other ways of organising their system to possibly encrypt ‘per level’ on a file system, the vast, vast majority of times this isn’t the case.
Generally, access control at the macro level is whether users have access to the whole bucket or not. Broken down further, levels of user-access to the whole bucket include things like whether the user has read-and-write powers, or are they limited to read-only access or no access at all.
Moreover, there’s the individually identified objects within the bucket, each of which commonly can have individual access controls relating to it.
Encryption isn’t too dissimilar to this. You can either encrypt the whole bucket or individual identified objects in the bucket. If you're encrypting the entire bucket, your cloud services provider tends to handle that automatically majority of the time by putting in bucketed encryption by default, meaning that if the system or a hard drive ever goes down, the data remains protected by encryption.
Misconfigurations with cloud storage buckets like Amazon S3 led to a massive data breach at Reindeer, a defunct marketing company, of customer data in early August.
Securiwiser is a cybersecurity threat detection monitoring tool which evaluates your company’s cybersecurity posture, flagging up vulnerabilities and suspicious activity in real-time and presenting them in an easy-to-read dashboard.
Securiwiser checks the security of your network and cloud, if there are misconfigurations with your Amazon S3 bucket, if your data has been exposed, and much, much more.
How secure is
How secure is