As we evolve more and more to complete, self-contained services like the mainstream Cloud services of Microsoft, Amazon, IBM and Google, I often express concerns about the Cyber aspects being coupled. Enterprises and users are, if they haven’t already, getting more and more comfortable with giving up their physical/virtual servers, applications and storage but are not, and should not be, comfortable giving up control of their sensitive data. The shared responsibility models of Cloud Services Providers (CSPs) delineate between the physical aspects (network, disks, memory, etc.) and the responsibility of what resides in the storage and computer.
Earlier this month, WinMagic announced the general availability of SecureDoc CloudVM, the new security software solution that provides full enterprise-controlled key management and encryption for virtual workloads running in public and private IaaS environments.
Arguably the world’s largest and most important Cybersecurity show is just around the corner. With over 30,000 attendees and over 500 highly specialized, security-specific exhibitors, it is the show against which the industry benchmarks itself.
First, an explanation of the concepts in the title of this piece. Data Sovereignty is the concept that digital data and information are subject to the laws of the country in which they are located and/or created. Safe Harbor is an agreement between the USA and EU that regulates and controls the import, export and processing of personal data and information. And the most recent, the EU General Data Protection Regulation (GDPR), is the regulation of the “processing”, ownership, rights and storage of personal data and information within the 28 EU member states.
It’s all about the data. I have been involved in cloud computing since 1999 (although we called it multi-tenant hosting & ASP – application service provider) and for sixteen years security has consistently been the #1 concern when organizations are asked about their adoption of cloud models. The concern does not reside with the use of a storage array they have no access to or the utilization of a virtual machine cluster in some unknown data center; it’s all about the data and sensitive information.
Last week at Black Hat in Las Vegas, IT security firm Imperva discussed a “man-in-the-middle” attack that affects certain enterprise file-sync-and-share (EFSS) services, allowing hackers access to files transferred into the cloud. This is a very relevant and interesting vector of attack for EFSS services.