Understanding who is responsible for an organization’s data is essential for security. Unfortunately, when data is stored in the cloud, the waters get rather muddied. Evidence of a disconnect was revealed during the NSS Labs 2017 Shared Responsibility Study, in which 46% of respondents considered the public cloud provider—and not their organization—to be responsible for the data in the event of a breach of their IaaS environment.
Why is there such a disconnect? The confusion likely stems in part from the growth in maturity of hybrid computing strategies and the rate at which these strategies are being adopted by organizations. Familiarity breeds complacency, and in this context, the more commonplace cloud-based data storage becomes, the more likely it is that a user will assume that any cloud-based storage is acceptable to use. The assumption that all cloud-based service providers are created equal is not uncommon, but it is dangerous.
Further adding to the confusion is the fact that the traditional data center perimeter is rapidly fading, which makes it difficult to determine where corporate data is located. The NSS Labs Enterprise Architecture Research Group (EARG) typically engages organizations with on-premises computing environments, geo-redundant data centers, and diverse cloud-based services (SaaS, PaaS, and IaaS). And if determining where the data is located isn’t difficult enough, the number of users involved in creating, storing, and using this data (e.g., business users, security team members, third-party contractors, cloud providers, business partners) only serves to increase the complexity in this shared responsibility model.
However, the complexity of computing environments doesn’t exempt organizations from being responsible for protecting their own data. In many instances, preventing data loss or compromise begins with something as simple as having a firm understanding of who is responsible for what. Let’s start with the who: Who are the owners and custodians of data in a cloud environment?
The Data Owner
Traditionally, the data owner is considered to be the organization that has either collected or created a data set. However, as individual workloads and data sets from varying business units are migrated to the cloud, it is the end user rather than the organization who is expected to play a critical role in securing the data. Unfortunately, cloud-based service users often operate autonomously, choosing how the cloud service will be secured (if at all) and with whom they allow access or manipulation of the data.
To solve this challenge, organizations should be aware of each user’s interaction with cloud resources. Organizations should consider either implementing new technologies or repurposing existing technologies to address to this challenge; for example, a cloud access security broker (CASB) when configured properly can provide security practitioners with insight into which cloud resources are being used and by whom. Perimeter-based identity and application-aware products, such as a next generation firewalls or a secure web gateways can be used to accomplish similar results.
Regardless of the methods used to discover this activity, organizations should ensure that users receive training on the safe handling of organizational data in the cloud. This is especially true for organizations subject to government regulatory requirements.
The Data Custodian
A data custodian is an entity that transports, modifies, or houses data on behalf of a data owner. More often than not, this is the cloud service provider (CSP). However, the role is not limited to CSPs and can often be filled by third-party organizations such as managed service providers (MSPs), managed security service providers (MSSPs), and strategic business partners.
Data custodians may not always have direct business relationships with data owners. Examples of this can be found with the adoption of cloud-based identity frameworks that allow users to grant access to sensitive corporate data through authorization rather than authentication. (I wrote a blog on this in January.) With just a couple of mouse clicks, a user can grant an entity access to the user’s cloud-based storage (and just as easily compromise the integrity of the organization’s data residing in it.)
Selecting an entity that will serve as data custodian for your organization entails more than reviewing the services you will receive after subscribing and executing the contract. Pay close attention to the security measures put in place by the data custodian, as well as its long-term viability as a business before you enter into a contractual agreement.
Why it Matters
Understanding the concepts of data ownership places an organization in a much better position to engage with service providers and provides a foundation on which to build a robust data inventory. From here, organizations can implement other practices such as the discovery, categorization, classification, and labeling of data.