Jashan
Viewer

Data security on Multi-cloud environment

What are data security and privacy concerns over Multi cloud platforms?
How do cloud service providers ensure security?
Is there any need of deletion system over Multi cloud to ensure data privacy?
2 Replies
Chinatu
Newcomer II

What are data security and privacy concerns over Multi cloud platforms?
Data Security is the ultimate concern of the Cloud Service Customer (CSC) as he/she is solely responsible and liable to any case of loss or litigation. The Cloud Service Provider (CSP) is the Data Processor while the CSC is the Data Controller.
The Cloud as a multi-tenanted environment requires stringent security processes to ensure that the Customer's Data is not exposed to the threat of unauthorized Disclosures, unauthorized tampering, breaches of personal Data, Data losses and destructions. The CSC must pay attention to necessary due diligence and due care before adopting the CSP and after subscription:
1. Confirm the Authenticity of the CSP.
2. Ensure the Contract terms and SLA are detailed enough to mitigate issues of Vendor Lock-in and Vendor Lock-out.
3. Understand the Data Privacy Regulation of both your jurisdiction and that of the Cloud hosting Location. You must pay attention to the overall Data Sovereignty - what happens and how is your data and its privacy handled from multiple jurisdictions and Data Privacy Regulations.
4. Confirm that the CSP has applied enough controls such as isolation, Access control and encryption that run with multi-tenants in the Cloud to mitigate the risks of Guest Escapes and Host Escapes.
5. The ISO/IEC 27018 on Cloud Data Privacy should be leveraged on to promote necessary usage Consent from the Data Subject, transparency and communications that go with deviation of consent and to promote seamless controls while using Personal Data.
5. The CSC must understand the concepts of Privacy Shield and Contractual and Contractual Clause between the EU GDPR and other member countries that would leverage on the Privacy Shield to harmonize with the EU on the application of GDPR.
6. Controls such as Encryption of Data at rest, Data in Transit and Data in use and generally the Controls that must apply in each phase of the Data Life-Cycle- Creation, Storing, Using, Sharing, Archiving and Disposing stage.
7. Controls such as TLS must apply at Data Transition Phase, Data Loss Prevention must apply at the Sharing Phase, Digital Signature and Non-Repudiation must apply at the Data Use Phase and others
Chinatu
Newcomer II

How cloud service providers ensure security?
1. Cloud Service Providers must ensure that the Security Controls are applied with high level of design effectiveness that must reasonably assure a level of Confidentiality, Process Integrity, Availability, Privacy and Security as covered in SOC2.
2. The CSP should ensure that necessary controls such as Isolation and segregation of the tenants are applied to minimize cases of inferences.
3. The Security of the Physical Environment following the Uptime Institute and other environmental controls, the bother of the CSP.
4. The Security Assertion Mark-up Language (SAML) should be leveraged with a secured API to transfer data from one Security domain to the other Security Domain.
5. Adequate Data Encryption Technique, Data Masking, Data Rights Mgt, Data Tokenization, Data Dispersion, Automatic Expiration of Data, Continuous Audit Monitoring, Data Loss Prevention, Identity and Access Mgt and other data control techniques must be harmonized and applied accordingly.
6. Data Redundancy and Availability should be taken as a priority. Data Recovery tests and Restoration tests are paramount. Appropriate Business Continuity plan and disaster recovery plan must be put into place.
7. The Shared Responsibility concept between the CSP and the CSC in each of the Cloud Service Models is paramount. The CSP is responsible for the Security of the Infrastructures, Networks, Servers, RAM, CPU in IaaS while the CSC is responsible for the Operating System, the Runtime, Applications, Databases and Data. In a PaaS, the CSP is responsible for all the items stated in IaaS as well as the Operating System, Runtime Env. and Databases while the CSC is responsible for the Security of the Applications and Data. In SaaS, the CSP is responsible for all the items listed in both the IaaS and PaaS as well as Applications. The CSC is ultimately responsible for Data Security in each of the three Service Models while the CSP is responsible for the physical environment and the building blocks of Cloud Computing (RAM, Storage, vNetwork, Servers, CPU).
The CSP must ensure that the CSC does not run with the Propriety Software while migrating Data into the Cloud. The Data must be structured with a good layout.
8. The Encryption Key Mgt technique is Paramount at Application level, Database level and File System level and should be clearly understood.
9. The CSP should leverage on the CSA's Consensus Initiative Assessment Questionnaire (CIAQ), Security, Trust, Assurance and Risk Register (STAR) and Cloud Control Matrix (CCM) to assure that the Cloud hosting processes are aligning with the regulations and required controls to qualify as a Self-Assessor, Certified Provider with Continuous Audit Monitoring of the Cloud hosting processes. Other controls such as ISO/IEC 31000 on Risk Management and ISO/IEC 27018 should be leveraged on in configuring and Managing the Cloud Personal Data Privacy.
10. The CSP should ensure that the premises have been audited through Third Party Attestations and ensure due registration and enforcement of SOC2 in the Cloud processes with SOC3 Seal of approval to attest.

Is there any need of deletion system over Multi cloud to ensure data privacy?
Yes, based on the Data Retention Policy and Expiration, the CSP should employ techniques such as Crypto-shredding or crypto-erasure on Disposing Cloud Data. Overwriting may not apply well due to the multi-tenanted nature of the Cloud and as the Cloud Data could frequently be overwritten. Deletion is the weakest technique to leverage on when Disposing Cloud Data as the Data could be easily recovered to a point in time and could hide in the memory slack space or disk. The best approach in Disposing Cloud Data and to ensure no form of Data Remanence is with Crypto-Shredding or Crypto-erasure.

I hope the above helps both in your job as a Cloud Data Security Expert or for preparing for the CCSP exam. All the best.
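
Added example, not part of the reply above: a small simulation of crypto-shredding across two clouds, showing that a deleted object is still readable from a point-in-time copy until its data key is destroyed. The `ShreddableStore` class, the provider names and the sample record are constructed for illustration, and the SHAKE-256 keystream with an HMAC tag is a standard-library stand-in for an AEAD cipher such as AES-GCM.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):  # SHAKE-256 keystream: stdlib stand-in for a real cipher
    return hashlib.shake_256(b"enc" + key + nonce).digest(n)

def seal(key, data):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ShreddableStore:
    def __init__(self, providers):
        self.keys = {}                               # customer-held data keys (stand-in for a KMS)
        self.clouds = {p: {} for p in providers}     # simulated provider buckets

    def put(self, obj_id, data):
        self.keys[obj_id] = secrets.token_bytes(32)  # one data key per object
        blob = seal(self.keys[obj_id], data)
        for bucket in self.clouds.values():          # only ciphertext reaches the clouds
            bucket[obj_id] = blob

    def read(self, obj_id, blob):
        if obj_id not in self.keys:
            raise KeyError("key destroyed: ciphertext is unrecoverable")
        return unseal(self.keys[obj_id], blob)

    def shred(self, obj_id):
        self.keys.pop(obj_id, None)                  # a real KMS destroys the key material itself

def demo():
    store = ShreddableStore(["cloud-a", "cloud-b"])
    store.put("rec-1", b"constructed sample record")
    backup = dict(store.clouds["cloud-b"])           # simulated point-in-time copy
    for bucket in store.clouds.values():
        bucket.pop("rec-1")                          # plain deletion in every cloud
    restored = store.read("rec-1", backup["rec-1"])  # deleted data comes back from the copy
    store.shred("rec-1")
    try:
        store.read("rec-1", backup["rec-1"])
    except KeyError:
        return restored, False                       # after shredding, the copy is useless
    return restored, True
```
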