BYOS means bring your own security

By Bill Hackenberger, written on September 9, 2013


Do you worry about your personal information or sensitive data being compromised by hackers? If so, you are not alone. With all this chatter about NSA surveillance and cybercriminals hacking baby monitors (cars, toilets and everything else connected to the Internet), cloud security is a hot topic, and for good reason. By 2016, the public cloud sector could reach $19.5 billion, despite concerns about security and government surveillance.

The benefits of the cloud are manifold. From convenience to cost savings, the virtual environment offers a solution that makes a lot of sense for most organizations. However, the aforementioned buzz around cyber hacks and surveillance has raised a red flag for some in the security department. Public cloud service providers (CSPs) like Amazon and Google are constantly addressing these concerns and working to make improvements. What most cloud users may not realize is that they can bring their own security (BYOS), which provides an extra layer of safety that helps all of us sleep better at night.

Think of BYOS -- implemented with encryption -- like carpooling. The one with the key is in the driver’s seat. They not only decide who has access to the inside of the car, but also maintain complete control of where the car is going and how it safely gets to its destination. Encryption is the process of scrambling data so that the only people who can decode and view the information are those who have passwords, known as keys. When users bring their own security to the cloud, they can encrypt data before it leaves their control, all the while maintaining authorization of the keys and dictating who has access.

You may have heard that Google Cloud Storage recently announced that for no extra charge it would automatically encrypt data stored in their cloud. This added benefit is a big advancement for the public cloud, not only from a security standpoint, but because competitors will surely follow its lead and adopt similar standards.

Although this may ease some safety concerns, it still begs the question: Will CSPs still be in control of my keys and my privacy? Yes, unless you BYOS.

Following the news about the PRISM and NSA programs, data owners quickly realized that their CSPs are not wholly dedicated to their privacy. When the CSPs control the keys, they can be handed over to the government with just cause, exposing the data you think is safely protected in the cloud. Although CSPs will do what they can to prevent this from happening, there is no guarantee unless you, the user, maintain authorization of the keys.

I could go on about adding an extra layer of safety with BYOS and the importance of keeping control of your keys. Besides the obvious protection of data from surveillance and possible exposure of sensitive and important data, there are plenty of benefits for organizations looking to take advantage of all the cloud offers.

  • Regulatory compliance. For organizations in the healthcare industry that need to comply with HIPAA or retail companies that have to adhere to PCI, having an extra layer of encryption and control over the keys is vital. If a public CSP becomes the victim of a data breach, another level of security can help reduce the chance of having to make costly notifications or updates, or even pay fines.
  • Maintain administration access. Remember the carpool analogy and how being in the driver’s seat allows you to ultimately decide who should have access? That applies here. By being able to hold and monitor the keys, the organization has more control over exactly who has access. Plus, if copies of the data are made, which is sometimes necessary to prevent data loss, then the organization still has a significant amount of control over any duplicates.
  • Moving from one CSP to another is more secure. There are a lot of reasons why your company might want to change from one CSP to another: cost efficiency, higher reliability, faster performance, better service level agreements, etc. As is the case when you cancel any service, you expect that your information will be properly erased from the system. This is not how it works with CSPs. Why? Because the old provider has many copies of your files in their backup system, which are replicated and hosted in multiple storage devices. The only way to continuously protect your data, long after you’ve left, is by performing your own encryption and holding the keys.
  • Protect against hacker attacks. A public CSP is a hacker’s playground because of the breadth of data stored in one place. If a cybercriminal is able to bypass the cloud provider’s security, then BYOS adds another layer of protection.
  • Reduce chances of human error. Though IT professionals run CSPs, everyone makes mistakes. Earlier this year Amazon experienced this first-hand when a simple error exposed 126 billion files on its S3 cloud. If an organization has encrypted their data in the public cloud, it would still be protected even if it were exposed.
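
To make "encrypt before it leaves your control" and "hold the keys" concrete, here is an added example (not from the original article) written for Node.js. It goes slightly beyond the text by using envelope encryption: each object gets its own data key, wrapped under a master key that never reaches the provider. All function names, the object name and the sample record are hypothetical and constructed for illustration.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM; output layout is nonce(12) || tag(16) || ciphertext.
function sealBlob(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob or its name was altered.
function openBlob(key, blob, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Customer side, before upload: fresh data key per object, wrapped under a
// master key that stays with the customer. The provider receives only this.
function encryptForUpload(masterKey, name, data) {
  const dataKey = crypto.randomBytes(32);
  const aad = Buffer.from(name); // binds the ciphertext to the object name
  const wrappedKey = sealBlob(masterKey, dataKey, aad);
  return { name, wrappedKey, body: sealBlob(dataKey, data, aad) };
}

function decryptDownload(masterKey, obj) {
  const aad = Buffer.from(obj.name);
  return openBlob(openBlob(masterKey, obj.wrappedKey, aad), obj.body, aad);
}

function canRead(masterKey, obj) {
  try { decryptDownload(masterKey, obj); return true; } catch { return false; }
}

// Constructed scenario: upload, leave the provider, destroy the master key.
function demo() {
  const masterKey = crypto.randomBytes(32);
  const record = Buffer.from("constructed sample record: account=0000");
  const stored = encryptForUpload(masterKey, "records/1.txt", record);
  const providerBackup = { ...stored }; // replica the old provider still holds
  const roundTrip = decryptDownload(masterKey, stored).equals(record);
  const plaintextAtProvider = stored.body.includes(record);
  masterKey.fill(0); // customer zeroises its only copy of the key
  return { roundTrip, plaintextAtProvider, backupReadable: canRead(masterKey, providerBackup) };
}

console.log(demo());
```

Once the master key is gone, every replica the provider retains is unreadable ciphertext, which is the property the "moving from one CSP to another" point relies on.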

When listing the benefits of BYOS, the only remaining question is why not? It seems obvious that cloud users should take advantage of extra protection.

Analysts have predicted that the cloud computing industry will grow by billions of dollars in a matter of a few years, which makes it seem inevitable that your organization will be making a move to the cloud. When this happens, be sure to negotiate with cloud providers, ask the right questions and discuss security options.

Like Google, other cloud providers will have pre-installed security, but it is up to the data owners to determine whether the extent of this protection is enough.

If not, BYOS.