If you haven’t taken the time yet to review the updated version of the Cloud Security Alliance’s “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” document, published in December 2009, you really should. If you’ve not spent a lot of time reading up on Cloud Computing, this document is a great starting point, even providing some thoughts on what you need to do before you consider moving your data to the Cloud.
Not to nag (but what the heck!), if you don’t have time to read the entire document, first of all, make the time! If you’re a security practitioner, or if you’re considering moving your data to the Cloud, it’s ‘must know’ information. Worst case, at least read the introductory section called “An Editorial Note on Risk: Deciding What, When and How to Move to the Cloud”. (You can read the rest later!) In particular, there’s a short paragraph or two that discusses the need to sketch out your data flow and understand exactly what and where your data is before you decide to send it somewhere else! It reminds me of more than one client experience I’ve had over the last so-many years, and I think this topic cries out for some serious attention!
So begins my first blog!
Understanding how and where your data spends its time is certainly not a concept unique to Cloud Computing. PCI DSS demands that you know the data flow for credit card information. HIPAA demands the same of Protected Health Information, SOX for Financial Data, etc. If you don’t know where your data is and where it goes when you’re not looking, how do you know what controls to use or where to put them? How do you know what risks are lurking out there ready to pounce on those little bits? What's your risk mitigation strategy? And most importantly, why would you even think of adding to the confusion and the risk by introducing another variable in the form of a cloud?
It seems that no matter who I work with, no matter how secure they profess to be, they can never produce a data flow diagram for their most sensitive data. They know they have sensitive data (usually!) and they know it’s out there somewhere, but they can’t say exactly where!
Case in point: On our first day at a client site to conduct a risk assessment, my team and I had a kick-off meeting with employee stakeholders representing the various departments in the company. After they’d taken up three whiteboards to show us the layout of their intranet, we asked: “Can you tell us where your customers' credit card information goes after they hang up the phone or log off of your web site?"
The first person to the board picked up a red marker and confidently drew out the path that the PCI data took through their network from data entry through processing, to storage and on until it was either archived or deleted. “Ta-Da!” and he sat down. Someone else from the group spoke up: “Well, that’s not completely accurate” (I noted the quiet gasp and raised eyebrows in the room!) This second person went to the board, took up the blue marker, added some detours to demonstrate some other places the data visited inside of the company, and returned to his seat, satisfied with the accuracy of the now colorful PCI data flow diagram. After the third and fourth and fifth people all made their own additions to the map, our kickoff meeting had turned into a heated debate on how it appeared that they had credit card information all over the place and that despite their best intentions, it was mostly unprotected! (I still get this visual of a teeny little data-looking-thingy-guy with arms and legs carrying a big suitcase with postcards all over it, but now that I look closer, I think it’s just that Hamburger Helper hand I have stuck in my mind…. anyways.....) Our employee survey revealed that almost everyone in the company of 800+ people could readily access full credit card information, whether they had the business need or not! (LOTS of raised eyebrows on that one!)
The story gets worse, but I’ll leave it to your imagination and get to the point which is:
It's about the DATA......Silly! You can’t secure what you can’t find! You can’t say your data is secure, if you can’t say where your data is! And you can’t identify risks to something you can’t keep track of!
This very basic concept is the foundation of Information Security whether your sensitive information is landlocked or cloud-hopping or traveling around the world in your back pocket with its friends on your thumb drive. And as the Cloud Security Alliance points out, before you can make any decisions on moving your data to the Cloud, you need to be able to identify your risks. If you can’t map your data flow today, don't even think about letting it go anywhere else until you know exactly where it is and exactly what it's been up to.
And if that 'data-as-the-Hamburger-Helper-hand-with-a-suitcase' image didn't do it for you, how about this: Data is like a rebellious teenager. If you don't keep your eye on it, it's going to end up in places you don't want it to be, doing things you don't want it to do. You need to lay down the law! Set some rules and boundaries! And whatever you do, don't even think about sending it out into the clouds until you have it under control!
You can find the “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” document here: http://www.cloudsecurityalliance.org/csaguide.pdf