Over the past two weeks, much of the cloud industry has focused on the downtime and fallout from the interruption to Amazon Web Services (AWS). While much of the attention has focused on weather-related issues, there are lessons for cloud security. Amazon’s thorough explanation of all the events, not only those caused by Mother Nature, highlights that it wasn’t just an electrical failure that caused outages at Pinterest, Netflix, and other clouds running on AWS. A confluence of connected events led to service failures critical to operating AWS infrastructure and delayed the return to full service. A multi-layered infrastructure is designed to embed scalability and redundancy, just as layered security is intended to provide greater threat coverage and risk mitigation. But what happens when layers of cloud security fail or experience distributed outages? Is sensitive data vulnerable during these periods? Are there implications for compliance?
There’s no doubt that layered security with authentication, authorization, monitoring, and more is important. However, the scenario where one or more layers are down, like Amazon’s non-security-related disruption, is a clear reminder of why encryption is so important. Encryption secures the data itself and doesn’t stop securing data when the power is off. There’s no on/off switch. The same can’t be said for other security layers like authentication or authorization.
Forrester’s John Kindervag details many of these advantages of encryption, and more, in his research Killing Data, including how “encryption covers a multitude of sins.” Kindervag points out that encryption uniquely and equally prevents data loss from mistakes as well as malicious attackers. At Forrester’s Security Forum 2012 in Las Vegas, Kindervag went on to explain that “encryption is the most effective form of data loss prevention, especially for the cloud.” In the event a security layer fails, is circumvented, or becomes unavailable, encryption continues to keep data safe.
The Amazon disruption certainly won’t be the last by a major cloud service provider. Indeed, public cloud service providers like Amazon are incredibly reliable, but there will still be downtime. As with any good business continuity plan, building in security continuity with encryption is an important step. The CipherCloud Platform, starting with the CipherCloud Gateway, enables enterprises to encrypt their cloud data and retain complete control even when some security layers are unavailable.