Analogy: Imagine your data as gold bars
Your data is precious. So, let’s imagine that your data is replaced with precious gold bars.
You have acquired some gold and want somewhere safe to store it.
Initially, whilst you work out a plan, you just hide it somewhere safe in the house: a sock drawer, under the mattress, a “safe place”. Over time, however, you start to worry about the what ifs:
- What if I forget where I put it?
- What if there is a fire?
- What if someone accidentally throws it away?
- What if someone finds it?
- What if I am burgled?
Safe?
The next natural step might be to invest in a safe. The first question, though, is how big a safe do you buy? If you buy one that is too big then it will take up more space in the house than you have room for; plus a bigger safe will cost more than a smaller safe.
However, if you buy a smaller safe, do you have room to put other valuables in it later if you decide to? Does the safe need to be fireproof? If so, what rating would be sufficient? Is it combination or key based?
In our analogy, this safe is your on-premises data security solution.
Ask yourself:
- Did I buy the right size?
- When I upgrade do I consolidate to something bigger or just buy another small one?
- How do I store and manage the keys?
- If I have a combination who do I trust with the combination and where can I safely write it down?
- How secure really is my house overall?
- If someone gets inside the front door, do they have time to crack the safe without anyone outside noticing?
- Do I have the skills and resources to manage the security properly?
- Can I provide 24x7 assurance that my safe is... safe?
The problem is that the local option provides “good enough” security for a lot of circumstances, but it can cost a significant amount of money to provide full protection. A lot of people get lulled into a false sense of security by having assets stored locally. However, without the relevant infrastructure, skills and security resources, storing assets locally can often be the equivalent of storing cash under the mattress.
Alternatives?
So, what alternatives are there for storing your growing gold stash?
One option could be to rent a safety deposit box. The idea is that you are renting a standard sized unit of secure storage.
As the renter, you hold the keys to that box, not the bank. In addition, that safety deposit box is stored in a secure bank vault in a secure facility with industry regulated security controls such as guards, CCTV, biometric access, etc.
That safety deposit box in our analogy is the cloud hosting option. There are a lot of overlaps between the analogy and real life:
- Cloud storage is rented in fixed unit sizes and can be extended or shrunk with relatively short notice
- Most clouds offer customer managed keys so that even if staff can access the datacentre (vault) then they cannot access the customer data (gold in a safety deposit box)
- You are entrusting your valuables to a third party whose sole reason for being in business is to look after other people’s stuff; they have a very strong interest in keeping your stuff safe
Bank Robbery!
Of course, it is possible to rob a bank, but such occurrences are exceptionally rare and arguably it is a much lower risk than keeping your assets within your own local boundaries.
So ask yourself: if you were lucky enough to have £10m worth of gold, would you sleep more soundly if the gold was in the wall safe in your bedroom or in your secret Swiss bank vault?
Of course, bank security is regulated and banks need to demonstrate security competency on a regular basis or risk losing their banking licence. One final question then: should we have similar licences and regulation for cloud suppliers?
Not a bad analogy, but the major problem with your issue is that gold is not unique enough to reflect the nature of people's data. If there is a robbery and you are insured, then you can get any other gold to replace it. Can you do the same with unique data, process, insights? The value of gold is a function of market demand. The value of the data, on the other hand, could be worthless or invaluable. Context is everything.
Like I said, it's not a bad analogy because I do believe that as the value of the item increases, the complexity needed to manage risk does so as well, and often we're not the best people to manage. However, to ignore the difference between what is being secured does not do the topic justice.
Hi there, thanks for the comment. I guess all analogies break down at some point. Some are better than others!
Having insurance when it comes to gold will replace it should you be unfortunate enough to have it stolen. When it comes to data it depends on what sort of data loss, I suppose. Theft vs irrecoverable deletion are two totally different things. In my experience, most people are worried about theft based data loss (or more accurately unauthorised access). Perhaps the “insurance” comes from independent regulation such as PCI-DSS? They won’t pay out if you lose it, but they enforce a level of rigour to minimise the risk of it happening in the first place. Prevention rather than recovery!
The point I was hopefully trying to make is that offloading your valuables to a third party that is dedicated to looking after valuables is arguably lower risk than trying to do your own local solution. Either you don’t have the business case, skills, infrastructure or prioritisation to handle it, especially when it gets to a larger scale.
Anyway, good challenge. Thank you.