"Data Protection Standards" + background photo of modern cable-stayed bridge tower from worm's eye view

Supply Chain Security for the Cloud: Data Protection Standards

Cloud computing has been around long enough and has become so pervasive that anyone reading this post likely falls into one of two camps. Either your company is reliant on cloud computing (whether they are aware of it or not) or you are reading this in some distant future where cloud computing has somehow become passé (maybe it just rebranded itself?). Either way, I have a question for you:

Whose job is it to ensure privacy and security in the cloud?

I have worked in computing long enough to know the official answer to that question is “all of ours;” vendors and consumers must work together to protect what is most valuable: data. I have also worked long enough to know that when companies in my supply chain say something is a “shared responsibility,” it doesn’t mean I get to shirk my own responsibility.

I am responsible for ensuring the safety and proper use of my data. It is the responsibility of cloud security providers (CSPs) to enable me to do so. Unfortunately, most CSPs make this harder than it needs to be. While they offer layers of protection, this presents increased risk: The same company hosting my data also has access to the layers protecting it. For regulated organizations or those who deal with highly sensitive data, the CSPs rarely provide the data protection mechanisms I need to enforce my organization’s data protection policies on my terms, with full control. They don’t give me, as a customer, a way to manage levels of trust for the data they host.

Let’s not bury the lede any longer. You are reading this on a data protection company’s blog, and you might expect that I am going to claim that MachinaTM will solve all of your cloud privacy and security problems. I am not. We can be a part of a solution, but cloud providers have a responsibility to empower customers to secure their data in the way they see fit. 

This is not an abstract request. CSPs can empower consumers by supporting security and privacy standards, not as expensive add-ons or up-sells, but as standard, first-class features. My colleague Jimmy Baker has written an appeal to vendors, asking them to make good security a differentiator. It is easy to forget that the modern technology world is built upon standards, why should privacy and security be different?

Take for example a fundamental part of any cloud technology: authentication and authorization. We need to know who our users are, and we need to be sure that they have access to the resources they need. Yet, it seems like every cloud vendor has decided to completely reinvent the universe when they baked their authentication pie. There exists a solution. 

Standards such as SAML and OAuth (and the third-party vendors that leverage them to solve this problem across an organization) empower users to federate authentication and authorization decisions. We can stop wrestling with dozens of different authentication schemes and rely on companies whose mission it is to do authentication in ways that work for our companies. Supporting standards is likely more cost-effective for cloud companies; there shouldn’t be a need to charge more for the privilege of offloading authentication and authorization on us.

It is easy to see how standards empower us – the consumers of cloud technology – but supporting standards can also empower cloud computing companies. As things stand now, if I am allowing my data into the cloud, I have to assume that either the vendor or the vendor’s vendor is going to use my data as if it were their own. This makes me uneasy and, often, unwilling to adopt their technology. 

Yet if a company supports data protection standards, especially if those standards allow us to provide and hold our own encryption keys, we know that our data is being used only how we want. Encryption with key federation allows for an even stronger claim. Even when data breaches happen, protected data is not usable by hackers unless they have also compromised our keys, which is exponentially harder to do when those keys are managed outside of the system that was just compromised. These capabilities keep the cloud computing companies out of the news in connection to breaches, and these are the sort of claims that put leadership teams at ease and unlocks their purchasing power.

Our founder, Adam Ghetti, has written an excellent piece about what we learned from the identity and access management (IAM) companies as they attempted to create new standards to solve the identity management problem. We used those lessons to guide our efforts to make Machina a new standard for data protection in a market that sorely lacked one. By leveraging XACML – the fine-grained policy language standard put forward by OASIS – Machina turns complex and scattered data access rules into globally consistent and enforceable policies. By offering a flexible set of tools – from SDKs and APIs to cloud connectors and command-line interfaces – Machina empowers companies by consolidating and enforcing data access controls no matter where data resides, rests, or travels. And by backing all of this with encryption key management that allows every data element to have its own key, Machina provides customer-managed trust, essentially becoming a third party in the risk model with a CSP.

There are myriads of other examples of ways in which standards ease cloud privacy and security decisions, but here is the main point: if security is everyone’s responsibility, cloud companies can support us by supporting standards like SAML, OAuth, XACML, and Machina, and we can support them by adopting those standards. Let everyone do what they are best at: cloud customers can worry about the policies needed to make use of our data, security companies can worry about safely implementing those policies across a dispersed infrastructure, and cloud companies can provide the services that add value to our data.

Zachary Braun, senior manager of the security and network operations centers at Ionic Security, is an experienced professional with a demonstrated track record of delivering results for high-tech and services industries.