For a moment though, let’s say that you’ve already sold your management on the benefits of identity federation, and have deployed the infrastructure, and are rockin’ and rollin’ with SSO. It’s time to sit back and relax, comfortable in the knowledge that your users passwords are securely locked inside your directory, so you’re enterprise is “safe” right? Uhmm, maybe not. Go grab your local CISSP and ask them when the enterprise is safe, and they’ll spout a bunch of stuff about risk management, defense in depth, and mitigating controls such as firewalls, virus scanners, and yes – your identity system & passwords. If you dig in though, they often aren’t talking about protecting the “enterprise” – because that’s sort of an ambiguous amalgamation of many things – one of which is “enterprise data”.
Enter the cloud. Do you care about applications moving to the cloud? Absolutely (so does your CxO by the way)! Do you care about how users are getting to that data? Of course, as Patrick, Pamela, and others point out – it’s critical to ensure the identity of your users. But we also have to be concerned about the data that resides in the cloud, and what that means to the rest of the enterprise. Quick illustration:
Cloud Collaboration Vendor: Move your data to my service, and I’ll save you bazillions of dollars over your on-premise suite, plus I’ll give you these value added features like letting your users view their data directly through my service from anywhere (without having to download everything locally), powerful indexing, blah, blah, blah…
CIO: Ok, so let me play back to you what I heard, “I sign here, my users quit complaining about our VPN solution AND you save me bazillions of dollars” – GREAT! Go work with my team and make it so…
CCV: Ok IT guys – your CIO has signed off, now here’s the migration plan: Train your users, copy the data, and…oh yeah – we need the private key that you used to encrypt any of that data so we an index it and decrypt it for your users when they ask…
IT Guy: Como say WHAT?!? That’s the key we use to encrypt ALL of our enterprise data, not just the stuff we’re hosting with you
Does your business require data encryption for some things, like high-business-impact data? If so, how do you reconcile this with pushing the data out to a cloud service? Or do you not? How many instances of your data protection infrastructure do you have (is there more than one key?) Does your vendor support data encryption at all, and if so – do they use their keys or is there a dependency on your service? In my experience, most cloud services are loath to take too many dependencies on customer infrastructure, SLA discussions become big finger-pointing exercises.
Back to data encryption though. The conversation becomes even tougher when you start to talk about the “cross-premise” scenario, which is where you maintain a set of infrastructure on-premise, and host the rest of it in the cloud. I should be able to protect my on-premise data – that a vendor should never have access to anyway – from the vendor, right? Of course I should – so I need to have data protection FOR the vendor, and data protection FROM the vendor.
In this thought exercise, there is an interesting tension about “who” are you protecting the data from. In the on-premise world, the reason you protect data is so outsiders (and even some insiders) can’t get to it. Where on the scale of trusted entities, does your vendor fall? Even if you’ve done your due diligence, and funded new Ferrari’s for an army of lawyers, what data do you give access to? Let’s assume you give your vendor access to all the data that is “relevant to their service”, so the vendor can decrypt any data which is hosted in their site. What’s the process for re-encrypting the data in the case of a breach, either of the on-premise key or of the cloud key? Often times this is a herculean task, which requires knowing/finding all of the encrypted data, and then re-encrypting it with a new key.
If you decide to cancel your contract with a vendor – is that roughly equivalent to a compromise of the key? Everyone I talk to says yes, that somebody with protected content and the ability to decrypt it, who is not authorized to do so – is a security problem. As far as I can see, this is going to need to be something that the lawyers cover, otherwise the off-boarding costs of a vendor skyrocket.
These are just a few, there are a bunch of hard questions when it comes to the cloud – which is what makes this space so much fun! – I don’t have all the answers. Here in MSIT, where we classify and encrypt A LOT of data, we’re having conversations with everyone, business owners, security folks, lawyers. I can’t say we always tread carefully, sometimes we just “go for it”, but when it comes to adopting cloud services, we’re looking hard as we’re taking the next step, and part of that is how we protect our enterprise data IN the cloud, as well as FROM the cloud.