Friday, October 9, 2015

Cloud Data Security and Encryption

Secret decoder ring

Last week I saw an article about ExpressRoute, Microsoft's private network connection into its cloud, being made available to government customers.  So that got me thinking...


First off, one either believes in encryption or one does not.  If you don't, no amount of argument will convince you to trust cloud services.  But of course most of you buy things on the Internet.  So...

I am on the side of believing that encryption works.  As information security guru Bruce Schneier writes:
“Encryption works best if it’s ubiquitous and automatic. The two forms of encryption you use most often – https URLs on your browser, and the handset-to-tower link for your cell phone calls – work so well because you don't even know they're there. 
Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting. 
This is important. If we only use encryption when we’re working with important data, then encryption signals that data's importance. If only dissidents use encryption in a country, that country's authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can't tell the dissidents from the rest of the population. Every time you use encryption, you're protecting someone who needs to use it to stay alive.”
And Edward Snowden, the source of much security anxiety, was quoted in a 2014 article:
“… professionals were failing in their obligations to their clients, sources, patients and parishioners in what he described as a new and challenging world.
"What last year's revelations showed us was irrefutable evidence that unencrypted communications on the internet are no longer safe. Any communications should be encrypted by default,"”
I have been working with the Amazon Web Services (AWS) cloud recently.  I learned that everything in that environment is encrypted and that security is taken very seriously.  First off, they have an impressive multi-factor authentication (MFA) option that has me using the “Google Authenticator” app on my iPhone.  The app displays a six-digit code (example in picture) that I enter after connecting with my username and password.  It is easy and effective.  There are apps for Android, Windows Phone, and Blackberry as well.  And Amazon provides additional identity management services as part of AWS described here.

Connections to the AWS console and APIs are encrypted with HTTPS (TLS).  The application programs, files, and databases I place there can be encrypted at rest as well, through server-side encryption of S3 objects, encrypted EBS volumes, and encrypted RDS instances, though each of those is an option one turns on rather than something that happens on its own.  Thus it is no wonder Netflix, Expedia, Adobe, Airbnb, Comcast, Dow Jones, and even Major League Baseball use the service.  AWS governmental users include the State of Arizona, the University of California, Berkeley, and the City of Asheville, North Carolina.

AWS certainly makes it easy to live in a digitally encrypted world by making encryption ubiquitous and automatic, as Mr. Schneier suggests.  But what about courts that have laws or rules requiring that their records reside in their city, county, or state?  I looked at several of these statutes, and the more widely used requirement is that the information must be accessible from the jurisdiction.

Be that as it may, from what I can tell a method for handling this requirement with a cloud system is to use the normal database backup capabilities (full and incremental) and simply copy the files down to a local server.  This gives one yet another copy, as well as the ability to restore the data to the cloud system and the option to move the system to another service if needed.  That local copy is a second store of the same records, so it needs the same protection as the cloud copy: encrypt it at rest, limit who can read it, and verify that what arrived matches what was sent.

For additional protection one would also want to take advantage of setting up backups on AWS itself. If you are interested in this subject, there is an in-depth discussion of backup strategies in this document.
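As an added example of the "copy the backups down to a local server" step above (my own illustration, not code from the original post or from AWS), the following script does a full copy on the first run and an incremental copy afterwards, copying only files whose SHA-256 digest has changed since the last run, and records the digests in a manifest so the local copy can be re-verified later. The directory layout, file names, and file contents in `demo()` are constructed sample data; the script stands in for whatever tool pulls the backup files out of the cloud bucket. It does not encrypt the local copy, which is the local server's disk or file encryption to provide.

```python
"""Full and incremental copy of cloud backup files to a local server, with SHA-256 verification.

Added example with constructed sample data; `cloud` stands in for the downloaded bucket contents.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"   # digest of every file in the local copy, written after each run


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_manifest(local: Path) -> dict:
    p = local / MANIFEST_NAME
    return json.loads(p.read_text()) if p.exists() else {}


def sync_backups(cloud: Path, local: Path, full: bool = False) -> dict:
    """Copy backup files from `cloud` to `local`.

    full=True copies everything; full=False (the incremental pass) copies only files whose
    SHA-256 differs from the previous manifest or that are missing locally.  Every file in
    the resulting local copy is re-hashed and compared with the source digest before the
    manifest is written, so a truncated or corrupted transfer is reported, not silently kept.
    """
    local.mkdir(parents=True, exist_ok=True)
    previous = {} if full else load_manifest(local)
    manifest, copied, skipped = {}, [], []
    for src in sorted(p for p in cloud.rglob("*") if p.is_file()):
        rel = src.relative_to(cloud).as_posix()
        digest = sha256_file(src)
        dst = local / rel
        if previous.get(rel) == digest and dst.exists():
            skipped.append(rel)
        else:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
            copied.append(rel)
        manifest[rel] = digest
    verified = all(sha256_file(local / rel) == d for rel, d in manifest.items())
    (local / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return {"copied": copied, "skipped": skipped, "verified": verified}


def verify_local(local: Path) -> list:
    """Return the files in the local copy whose contents no longer match the stored manifest."""
    manifest = load_manifest(local)
    return [rel for rel, d in manifest.items()
            if not (local / rel).exists() or sha256_file(local / rel) != d]


def demo() -> dict:
    """Constructed scenario: a full run, then an incremental run, then a tampered local file."""
    base = Path(tempfile.mkdtemp())
    cloud, local = base / "cloud", base / "local"
    (cloud / "daily").mkdir(parents=True)
    (cloud / "full-2015-10-04.bak").write_bytes(b"constructed full backup\n")
    (cloud / "daily" / "incr-2015-10-05.bak").write_bytes(b"constructed incremental\n")
    first = sync_backups(cloud, local, full=True)
    # a new incremental appears in the bucket; only it should be copied on the next run
    (cloud / "daily" / "incr-2015-10-06.bak").write_bytes(b"constructed incremental 2\n")
    second = sync_backups(cloud, local)
    # someone edits the local full backup; the manifest check should name it
    (local / "full-2015-10-04.bak").write_bytes(b"modified after the fact\n")
    return {"first": first, "second": second, "tampered": verify_local(local)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest somewhere the backup operator cannot rewrite along with the files (a separate system or a signed copy); otherwise a tampered file and a matching rewritten manifest will pass `verify_local` together.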

Finally, back to the Microsoft ExpressRoute service mentioned at the beginning of this article.  ExpressRoute is a private circuit into Microsoft's data centers that keeps traffic off the public Internet; it does not by itself encrypt that traffic, so anything that must be encrypted in transit still needs TLS or IPsec running over it.  On September 29, 2015 Microsoft announced that they were making this service available on the “Azure Government” cloud platform.  Microsoft’s announcement blog post stated:
“We are also excited to announce the general availability of ExpressRoute for customers utilizing Microsoft Azure Government, a physical and network isolated instance of Microsoft Azure designed to meet the requirements of the U.S. Public Sector and operated by screened U.S. personnel. Azure Government cloud customers can now get the same ExpressRoute benefits of private network connectivity to our Azure Government data centers. 
This is a natural extension of Microsoft’s commitment to provide accessibility, reliability, and security to U.S. government agencies and the partners that serve them. For example ExpressRoute for Azure Government is already helping customers and partners like Riverside County in California as Planet Technologies is working to move Riverside’s entire datacenter to Azure Government.”
So there you go.  Both Microsoft and Amazon (and many others as well) have created solutions that can meet a court’s data and security needs, and they are certainly worth learning about.

And last for fun, check out this 1950's television commercial that shows you how to work a decoder ring.
