CIOs are pretty paranoid when it comes to data protection, and rightly so given they put their job on the line when they recommend a new infrastructure or service approach like cloud computing.
I’ve been told many times now by companies providing cloud computing services that their security measures are good enough if not better than the ones that their customers have in place — end-to-end encryption being the primary pitch.
But does this satisfy SOX compliance or really prevent someone, say an admin of another customer or internal-to-the-service provider, from finding a way to peek at your data?
These questions are nothing new for CIOs who have gone down the outsourcing path, but the implications of data running on a shared infrastructure do tend to make them squeamish.
Here’s a sampling of some questions Sam Gross, vice president of global IT outsourcing at Unisys, is getting since his company entered the cloud computing fray with the Unisys Secure Cloud and its Stealth data protection technology last week.
1. How can you absolutely, positively assure me that a cloud administrator [employed by you] will not in error grant some type of read or write access to the content, facility or service?
2. How can you assure me that none of your cloud administrators will have any visibility to that data and compromise our SOX controls?
3. How can you assure me that you can’t, will not and don’t have mechanisms to electronically transmit my data in the background to another third party?
Unisys Secure Cloud is backed by 800 consultants, and Stealth is a technology Unisys developed for the Department of Defense based on bit-splitting technology made by Security First Corp. The technology splits data across multiple packets, disks, sectors and physical devices so that snoops can’t reconstruct a single byte or character of data from any single packet. On top of that, AES 256-bit encryption is used.
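To make the bit-splitting property concrete, here is an added example that is not code from Unisys or Security First and does not claim to reproduce how Stealth works internally (the article does not describe that). It assumes the simplest scheme with the property the piece describes, an n-of-n XOR split: every share but the last is fresh random bytes, and the last is the data XORed with all of them, so any one share, or any set of fewer than n shares, is uniformly random and independent of the data. The device labels and payload are constructed for the demonstration, and the AES-256 layer the article says sits on top is omitted so the example needs only the standard library.

```python
"""Added example, not code from Unisys or Security First: an n-of-n XOR
"bit-splitting" scheme with the property the article describes, namely that
no single share (packet, sector or device) reveals a single byte of the
original data. The AES-256 layer the article says is applied on top is
omitted so the example needs only the Python standard library."""
import secrets
from functools import reduce
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, n: int) -> list[bytes]:
    """Split data into n shares such that all n are needed to recover it.

    Shares 1..n-1 are fresh uniform random bytes; the last share is the XOR of
    the data with all of them. Every proper subset of the shares is uniformly
    random and independent of the data, so an observer holding fewer than n
    shares learns nothing, not even one byte.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    random_shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = reduce(xor_bytes, random_shares, data)
    return random_shares + [last]


def join(shares: list[bytes]) -> bytes:
    """Recombine shares; yields the data only when every share is present."""
    if not shares:
        raise ValueError("no shares given")
    return reduce(xor_bytes, shares)


def disperse(data: bytes, devices: list[str]) -> dict[str, bytes]:
    """Place one share on each named device (hypothetical device labels)."""
    return dict(zip(devices, split(data, len(devices))))


def recover(store: dict[str, bytes]) -> bytes:
    """Recover the data from the full set of device shares."""
    return join(list(store.values()))


def subset_recovers_data(data: bytes, shares: list[bytes]) -> bool:
    """Defender's check: does any proper subset of the shares reproduce the data?

    For an n-of-n XOR split the answer is no, except with probability
    2**(-8*len(data)) per subset, i.e. never in practice for real payloads.
    """
    n = len(shares)
    for k in range(1, n):
        for subset in combinations(shares, k):
            if join(list(subset)) == data:
                return True
    return False


if __name__ == "__main__":
    # Constructed sample payload and device names; any bytes would do.
    payload = b"Q3 ledger total: 42017.13 USD"
    devices = ["san-disk-a", "san-disk-b", "san-disk-c", "san-disk-d"]
    store = disperse(payload, devices)
    assert recover(store) == payload
    # Pulling one disk (or sniffing one packet) yields only random bytes.
    assert not subset_recovers_data(payload, list(store.values()))
    print("recovered:", recover(store))
```

One caveat a practitioner would raise: an n-of-n split protects confidentiality but not availability, since losing any one device loses the data. Production dispersal schemes usually use a threshold (k-of-n) construction such as Shamir secret sharing or an information dispersal algorithm so that a failed disk can be tolerated; the article does not say which construction Stealth uses, so that is a question to put to the vendor rather than an assumption to make.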
In answer to those three questions: No. 1, the assignment of read or write access is handled by the client through the client’s own directory and authentication mechanisms and not by Unisys.
No. 2, Gross uses the analogy of the cloud looking like nothing more than a series of pipes with water running through them when the cloud infrastructure is Stealth enabled. “The pipes have water running through them, but [people with malicious intent] can’t tell where the water came from, they don’t know where each drop of water is going and the water is transparent.” In other words, it’s SOX compliant because all that is seen is a stream of ones and zeros.
No. 3, data that is in storage on the SAN is also Stealth protected so that even if you are a member of a client-defined community and transmit data, that transmitted data would be, again, a stream of unintelligible ones and zeros to the person on the receiving end.
“The end result is that if people put sniffers online, use Deep Packet Inspection mechanisms or physically remove a disk from a SAN and try to recover data, it’s impossible to assemble that data,” said Richard Marcello, president, Unisys systems and technology. “They won’t be able to recognize the payload or data construct, so therefore it’s cloaked and unrecognizable to the mechanism people use to steal data.”
Time will tell whether Stealth is truly the answer for a lot of users, but you have to admit they have a much better explanation than, “Our security is good enough if not better.”
What security measures do you want to see from cloud companies? Let me know at firstname.lastname@example.org.