How to secure data in cloud? Stick with it like glue.

 

Connecting state and local government leaders

Data roaming the cloud has shifted the focus of security to the data itself, which must be protected wherever it goes.

As agencies move their applications to multitenant, cloud computing facilities, the layers of security that were once required to protect data in different locations and states of use have also become centered on the cloud.

The concentration of computing resources is changing the nature and methods of agency data security, experts say. In the emerging world of cloud computing, data must now be protected while at rest, in transit and even when accessed by those authorized to handle it.

In effect, security managers must now be prepared to protect data from the moment of its creation, through its move to the cloud and after it is taken into the wilderness of users.


Related coverage:

In the cloud, good policy enforcement makes good neighbors

Cloud security awaits encryption breakthroughs

Cloud security is easy if you don't want perfection

IBM rolls out cloud-based backup, recovery and archiving services


“In order to protect it adequately and ensure that data is safe, you have to follow it wherever it goes and protect it every step of the way." said Marc Olesen, senior vice president and general manager of content and cloud security at McAfee, a provider of security technology and services.

Today, protections, whether they are manually or automatically applied, can be configured to block users from printing, saving content, downloading it to a CD or thumb drive, copying or pasting it, or even forwarding e-mails to nonauthorized parties.

Failure to properly apply and enforce security permissions can expose data and files to hackers or open the door to data leakage by employees, contractors and agency collaborators — intentionally or unintentionally.

The technology to apply protections at this stage of the security chain — when users are handling the data — is sometimes called data rights management, enterprise rights management or information rights management.

Traditionally, such technology has been expensive and complex to put in place, said Mike Duffy, chief operating officer of management consultancy DRT Strategies Inc. and former Treasury Department CIO.

However, if security administrators are using strong authentication technologies and public key-based certificates in combination with a data rights management toolset, they should be able to manage access to data, Duffy said. But how well those tools work together in the cloud computing arena is a story that is still unfolding, according to experts, who say the next frontier in information security is protecting so called data in use.

“Our philosophy around that has been a follow-the-data philosophy,” Olesen said. "You do have to know where your data is and then you have to follow it,” he said.

Data rights in the cloud

As a cloud provider, RightNow Technologies tries to take an in-depth approach to security, said Ben Nelson, the firm’s chief information security officer. The company provides cloud-based customer relationship management solutions to defense and civilian agencies.

Nelson stressed the importance of providing security awareness training for cloud users and taking time to think through access control and authorization strategies upfront. After that, if data should leak into areas where it is exposed to misuse, organizations can rely on data rights management tools as a part of a total data in-use protection strategy.

As a software-as-a-service provider, RightNow develops its own rights management tools that enables it to turn over access control privileges to IT administrators at the agencies the company serves. However, many data rights management tools are focused on the enterprise and thus are not geared for cloud vendors trying to deliver enterprise services, Nelson said.

“I haven’t found one that is a good fit for a cloud vendor who is trying to turn those services back around and offer to customers,” he said. “We’ve built into our product the ability for customers to manage their own access and authorization profiles,” Nelson noted.

But perhaps things are about to change.

In April, GigaTrust, a developer of enterprise rights management software, unveiled GigaCloud, billed as the first software-as-a service ERM solution offering in the industry. GigaCloud is designed for cloud providers to help users apply and enforce security permissions. To that end, GigaTrust formed a partnership with Terremark Worldwide, a provider of IT infrastructure services, which Verizon Communications purchased in April.

GigaCloud combines the GigaTrust Enterprise Plus product suite and Microsoft Active Directory Rights Management Services (AD RMS), which provides encryption and key management with native implementations for Microsoft Outlook, Exchange, SharePoint and Office.

Traditional ERM is normally delivered as an enterprise application to authenticated users within an enterprise directory, said Harry Piccariello, GigaTrust chief marketing officer, who said a midsize ERM deployment can take six to nine months to deploy.

However, with budget and resources constraints, an ERM deployment often falls into competition with other security projects, such as full-disk encryption and data loss prevention, which have proven to delay full-scale ERM adoption. Offering ERM as a cloud-based software as a service eliminates that obstacle, Piccariello noted.

View from the network

GigaCloud extends and enhances AD RMS for the cloud by providing multitenant use and centralized content policy management. “In a perfect world, we would have end-to-end encryption” for data protection, said Susie Adams, chief technology officer at Microsoft Federal.

However, assigning data rights depends on the area of focus: Is it e-mail or data-at-rest? From an access control perspective, it is all about establishing user and data access policies. Those policies must be defined first, and then agencies need to implement some type of identity infrastructure that can uphold the policy, she noted.

“Microsoft looks at things at the network level,” Adams said, with a focus on data in transit, at rest and at the particular workload level, such as Microsoft Exchange or SharePoint.

In addition to AD RMS, Microsoft offers Active Directory Federation Services, which can be installed on Windows Server to provide single-sign-on access to systems and applications located across organizational boundaries. It incorporates a claims-based access control authorization model for application security and links a user’s identity and attributes stored across multiple identity management systems.

For instance, AD RMS can be used if someone sends an e-mail with a Word document attached that has sensitive information. The sender of the e-mail might want to send it to a group of people but wants to ensure that they do not pass it on to someone who does not have permission to view the document. The sender can go inside Microsoft Outlook Web services, create a new e-mail and set permissions that restrict use of the document and manage credentials, Adams said.  

The sender has control to give read-only privileges or allow people to forward to a particular group inside Active Directory and even encrypt the document. If the recipient of the e-mail can’t authenticate who they are, he or she cannot open the document. Microsoft’s rights management service has been integrated with Microsoft Office 365, the company’s cloud platform that incorporates desktop Office software and server software, such as Exchange and SharePoint.

Adobe's approach

Adobe Systems also has moved enterprise rights management into the cloud. No stranger to document security, the company offers rights management to organizations on premises or through a partnership with Amazon Elastic Compute Cloud. ERM can also be offered as a managed service, said John Landwehr, senior director of enterprise security solutions at Adobe.

Adobe supports a range of technologies to secure documents and help users authenticate electronic communications, such as Federal Information Processing Standard-certified encryption, digital signatures, certified documents, public key infrastructure and smart cards.

For example, the Government Printing Office publishes documents as certified PDFs. A blue ribbon shows up across the top of the document stating that the document has been certified by the Superintendent of Documents, so people know it comes from the government and has not been altered.

If the document is altered, the blue ribbon changes to red, Landwehr said.

Adobe ERM provides a layer of protection that is different from how encryption is traditionally implemented, he said. Content is typically put in an encrypted envelope, and the recipient of the document uses a decrypt key to open the envelope. The contents are then in plain text, open for any to see or pass on.

With ERM that uses internal document encryption, there aren’t any unprotected copies. The encryption is inside the file format. Just like a certifying signature, security sticks to the document, Landwehr noted.

Adobe ERM can be deployed three different ways: on premises at an agency or organization; in the cloud, while everything else is on premises; or via rights management and a data storage portal that can be in separate clouds.

David Fletcher, CTO of Utah, which is poised to offer IT services via the cloud to local municipalities throughout the state, said organizations “need to have a data classification system in place that enables them to support role-based authentication.”

“With that in place, we can impose whatever level of security is necessary, regardless of whether the data is stored in the cloud or not,” he said.

“Many cloud technologies are still relatively new and emerging,” Fletcher said. “We are still in the process of updating our overall authentication and security model as it applies to cloud, but there are many promising technologies that we are looking at as we update our standards.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.