Data security on the glassbeam cloud

Wednesday, May 28, 2014

You can’t stop the NSA – no matter what; but rest assured, the “Target” type of security breach resulting in the theft of credit card information has nothing to do with the cloud.

Security comes at so many levels that it is almost ridiculous to hold one party responsible. Yeah, yeah…I know what you are thinking – at the end of the day, it is the owner of the application who is to blame. It is the airline that gets blamed when a plane crashes and not the manufacturers of the thousands of parts that go into making the aircraft. And rightly so, since it is much easier to nail the final link than to search for the proverbial needle in the haystack.

Thinking of data, at a high level it has the following lifecycle:

  • It can travel through public networks
  • It travels through private networks
  • It is stored online on magnetic media (or SSD)
  • It is archived offline, and from there it may simply be deleted
  • It is processed by an application inside a private network

No one really has any control over public networks. Anyone can snoop into these networks and access your data. However, data flows through these networks in chunks, i.e. TCP/IP packets.

Not only do the packets not travel in sequence, they can take different paths between source and destination. It takes a miracle for anyone snooping on a network to string packets together and make sense out of them. But since individual packets may be large enough to contain meaningful data, the security for this data comes from encrypting it. Therefore, look for SSL, HTTPS, SFTP or SCP-like mechanisms when transferring data across public networks.

Private networks, by definition, are not open to the world and are secure (apart from the NSA, of course!). Hence, there is no need to encrypt data traveling through a private network. However, they are susceptible to network hacks and penetration attacks, in addition to threats to the physical security of the data center. For Glassbeam, such networks are in the data center and are hosted by the cloud infrastructure provider. Leading cloud providers like AWS are SAS-70 compliant and provide certified assurances towards network security, physical security and protection from fire, theft, power failure, etc.

Stored data is inherently secure. Show me a human who can read the data off a hard disk. You need applications to read and make sense of the data stored on a disk. Which means an application needs to be able to access the data, and that’s possible only if you have the disk or your application can hack into a private network to access the disk.

So, if you can’t enter a facility to take a disk, or if your application cannot hack into a network, then your data is pretty safe, right? Think again: the final piece of the puzzle, i.e. applications.

Barring accidentally leaving a laptop at a coffee shop, or a disgruntled employee walking off with data (and taking refuge in Russia), the MAJORITY of data breaches happen when your application (data center) is not secure. Network communications happen between two IP addresses over sockets (also called ports); for example, HTTP communicates over port 80. Firewalls manage network traffic through ports. The infrastructure does not know which ports are used by your applications, so it leaves the management of the ports to the application. Insufficiently secured ports will allow a rogue program to sneak in and get to your data – irrespective of whether you are hosted on the cloud or not. Trust me, rogue applications are hammering your firewalls incessantly, looking for that insecure port to sneak in.
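The port-management point above is one a practitioner can check mechanically: list what is actually listening on the host and compare it with what the application is supposed to expose. The following is an added example, not Glassbeam's code; the listener listing is constructed to resemble `ss -tlnp` output, and the allowlist of ports, owning process names and loopback-only rules is hypothetical.

```python
"""Audit listening TCP ports against the set an application is expected to expose.

Added example. SAMPLE_LISTENERS is constructed to look like `ss -H -tlnp`
output (no header line); EXPECTED is a hypothetical policy, not Glassbeam's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, laid out like `ss -H -tlnp`.
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=7))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=988,fd=5))
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=988,fd=6))
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("debug-agent",pid=2210,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=640,fd=3))
"""

# Hypothetical policy: port -> (expected process, may it listen on non-loopback addresses?)
EXPECTED = {
    443: ("nginx", True),
    80: ("nginx", True),
    22: ("sshd", True),
    5432: ("postgres", False),  # the database must stay loopback-only
}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


# State, recv-q, send-q, local addr:port, peer addr:port, then users:(("name",...
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(text: str) -> list[Listener]:
    """Turn ss-style lines into Listener records; lines that do not parse are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        out.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return out


def audit(listeners: list[Listener], expected=EXPECTED) -> list[str]:
    """Return one finding per listener that violates the expected-exposure policy."""
    findings = []
    for l in listeners:
        rule = expected.get(l.port)
        if rule is None:
            findings.append(f"unexpected listener {l.process} on {l.addr}:{l.port}")
            continue
        proc, public_ok = rule
        if l.process != proc:
            findings.append(f"port {l.port} owned by {l.process}, expected {proc}")
        if not public_ok and l.addr not in LOOPBACK:
            findings.append(f"{l.process} on {l.addr}:{l.port} should be loopback-only")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_listeners(SAMPLE_LISTENERS)):
        print(finding)
```

Anything the audit flags is either a service the application never meant to expose or a service bound wider than it needs to be; on a real host, feed the output of `ss -H -tlnp` in place of the constructed sample and keep the policy next to the application's deployment description so the two stay in step.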

One more potential security concern for SaaS applications is multi-tenancy. Such applications (Salesforce, Glassbeam, etc.) share infrastructure across customers. Applications do have security measures in place to prevent data bleeding across customers. Glassbeam does this by hierarchical tagging, a mechanism that will not accept data without the proper tagging credentials. In fact, there are multiple levels of hierarchical tagging to ensure that this security is not breached.
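The hierarchical tagging idea can be illustrated with a small tenant-scoped store: every record carries a full tag down the hierarchy, and a caller's credential must cover that tag both when writing and when reading, so untagged data is refused and one tenant's queries never see another's rows. This is an added example written for this page, not Glassbeam's implementation; the three levels (customer, site, device), the class and method names and the sample records are all constructed.

```python
"""Tenant isolation by hierarchical tagging (added illustration, not Glassbeam's code).

The hierarchy customer > site > device, the TaggedStore API and the sample
records below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LEVELS = ("customer", "site", "device")  # hypothetical hierarchy, most to least general


@dataclass(frozen=True)
class Tag:
    customer: str
    site: Optional[str] = None
    device: Optional[str] = None

    def is_complete(self) -> bool:
        """A record tag must name every level; a credential may stop early."""
        return all(getattr(self, lvl) is not None for lvl in LEVELS)

    def covers(self, other: Tag) -> bool:
        """True if `other` lies within this tag's scope (prefix match down the hierarchy)."""
        for level in LEVELS:
            mine, theirs = getattr(self, level), getattr(other, level)
            if mine is None:
                return True  # unspecified level: everything below is in scope
            if mine != theirs:
                return False
        return True


class TaggingError(ValueError):
    """Raised when data arrives without an acceptable tag or credential."""


class TaggedStore:
    def __init__(self) -> None:
        self._rows: list[tuple[Tag, dict]] = []

    def ingest(self, credential: Tag, record_tag: Tag, payload: dict) -> None:
        # Data is refused unless it is fully tagged and the submitter's credential covers the tag.
        if not record_tag.is_complete():
            raise TaggingError(f"record tag incomplete: {record_tag}")
        if not credential.covers(record_tag):
            raise TaggingError(f"credential {credential} cannot write to {record_tag}")
        self._rows.append((record_tag, payload))

    def query(self, credential: Tag) -> list[dict]:
        # Only rows whose tag lies inside the credential's scope are visible.
        return [payload for tag, payload in self._rows if credential.covers(tag)]


def demo() -> dict:
    """Constructed two-tenant scenario; returns row counts seen per credential."""
    store = TaggedStore()
    acme_cred = Tag("acme")          # customer-wide credential
    acme_sf_cred = Tag("acme", "sf")  # narrower, one site only
    globex_cred = Tag("globex")

    store.ingest(acme_cred, Tag("acme", "sf", "dev1"), {"temp": 41})
    store.ingest(acme_cred, Tag("acme", "ny", "dev7"), {"temp": 39})
    store.ingest(globex_cred, Tag("globex", "tx", "dev2"), {"temp": 55})

    rejected = 0
    attempts = [
        (globex_cred, Tag("acme", "sf", "dev9")),  # cross-tenant write
        (acme_cred, Tag("acme", "sf")),            # tag missing the device level
    ]
    for cred, tag in attempts:
        try:
            store.ingest(cred, tag, {"temp": 0})
        except TaggingError:
            rejected += 1

    return {
        "acme_all": len(store.query(acme_cred)),
        "acme_sf": len(store.query(acme_sf_cred)),
        "globex": len(store.query(globex_cred)),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The "multiple levels" in the post correspond to the prefix check in `covers`: a credential scoped to a customer sees every site and device under it, while one scoped to a site sees only that site, and no credential can read or write across the customer boundary.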

In conclusion, a cloud is no less secure than your own data center; it is only that more parties are involved.