Date: Issue 71 - November 2016
The speed, agility, convenience and flexibility required in the business world turn virtualization technologies into an important component of institutional IT strategy.
Virtualization causes new security issues if the required controls are not implemented. The security measures to be implemented for physical servers are settled now; in addition to physical security measures such as protected data centers and locked cabinets, through tools such as firewalls, attack detection, anti-virus, encrypting, access controls, surveillance and monitoring the sensitive data over these servers could be taken under protection as well. However, such measures fail to provide the expected results for virtual workloads. Moreover, when virtual workloads are transferred outside the institution through Cloud Computing such as IaaS (Infrastructure As a Service) and SaaS (Software As a Service), they get in contact with more systems, administrators servers and storage units, compared with the physical servers.
Therefore, the adoption of security measures prior to the utilization of cloud computing emerges as an important requirement. According to surveys, especially data security is repeatedly being defined as the greatest obstacle in front of cloud computing transformation by Ctech administrators. Currently, while selecting cloud service suppliers, institutions are looking mostly for an assurance regarding data security. At this point, even if cloud service suppliers claim that they supported data security through certain tools, they especially make sure that the liabilities concerning data remain on the side of the customer within the scope of the contracts. In such structures encryption technologies emerge as the single solution.
“Encryption technologies enable data confidentiality without compromising the flexibility and agility required by institutions”
When speaking of encryption, various comments are made particularly by individuals who are not competent in the subject. Encryption is perceived as a type of black magic used generally by military units or intelligence services and regarded as abbreviations composed of three letters. Commercial tools such as SSL allowed this perception to change to an extent, but the most important component cause of such a perception is the result of insufficient implementations conducted in the past, rather than the technology itself. In reality, when configured and applied properly, encryption does not cause any disruption in the workflow and on the contrary, it allows the institutions’ maintenance of data confidentiality without compromising the flexibility and agility that they require. Besides, the sectoral regulations and standards with which institutions are obliged to align either entail the utilization of encryption technologies or strongly recommend them.
Data Independence – Portable Data functioning with Virtual Machines
One of the strongest features of virtualization is its capacity to transfer virtual machines to the most convenient space for getting the highest efficiency from system sources. In addition to virtual disc files attached to them, virtual machines are composed of instantaneous files, suspension files, memory files and other files required by the hypervisor to run the virtual machine. These attached files contain sensitive data that could be found anytime in the system memory and needs to be protected and a conscious user would not want to leave the tracks of his sensitive data behind. As the traditional encryption applications could not function with virtual machine and protect the data under the attached files, more dynamic encryption methods with situational awareness have to be used in the cloud environment.
Besides, there are certain points to take into account when backing up virtual machines. To use backups derived from physical machines, creating the same conditions such as the proper versions of hardware, operation system and software is required. On the other hand, as virtual machines already contain all the conditions within the backup as an independent existence, they could be operated easily within a hypervisor years after. The encryption method used in this case should not cause any leaks both during backing up and when the data is being reloaded.
For instance, say you locked and left your most precious treasure in a bank’s safe, would you leave the key to the bank? Okay, so would you want the cloud service supplier to have the key, when you store your encrypted data in the cloud? Cloud service suppliers create multiple copies of the systems in order to sustain uninterrupted service. How could you be sure that your sensitive data is not left within the copies when you wish to change your service supplier or shut down your virtual machine? As long as you have the key, shutting down your machine, transferring it to a new service provider and deleting this key as soon as you repeat the encryption with another key would be sufficient for making the data left behind unreadable. No matter how the service providers are developing various methods, the traceability of the machines and applications of your institutional network is decreasing. You can only be sure of the security of your systems, which you could not monitor in detail through the encryption method of which, only you, hold the key.
“Do not suffer due to the security gaps of your cloud neighbor”
The most important factor enabling flexibility and reducing the costs in virtualization is source sharing, in other words multithreading. Virtual machines and applications of different units or different institutions can be running over the same physical system. It is possible to fall into the same physical system with your rival, in the cloud environment. On the other hand, you would not wish to suffer because of the gaps in the application of your neighbor too. The virtual machines and data need to be separated cryptographically for these types of situations. This separation could merely be achieved through an encryption method that has a management system aligning with a multithreading structure and could function dependent from the service provider.
Legal regulations concerning data confidentiality have recently entered into force in our country, as it has as well world-wide. According to the Law on the Protection of Personal Data, the Data Supervisor is responsible for providing the security of the data of the institution and those failing to fulfil their responsibilities regarding data security will be subject to administrative fines ranging from15.000 Turkish Liras to 1.000.000 Turkish Liras. Here, the point to be taken into consideration is that the total fine will be calculated by multiplying the number of violated personal data with the amount. The popularity of virtualization infrastructures and cloud computing transformation cause the existence of numerous personal data over virtual machines as well. The best measure to adopt is the encryption of virtual machines in order to avoid data violation and the fines borne due these violations.
Storing Files in the Cloud
Another way of storing data in the cloud are cloud storing and synchronization services that are becoming more popular each day. Most of these highly user-friendly services are provided free of charge and the storage areas offered are increasing every day. These services which you could use for storing your personal files, photos, videos and music are utilized by the business world at the same time. The attraction of these services increases as stored data is easily accessed from all spots with internet access and as they allow sharing. Yet, this convenience also constitutes an advantage for the ill wishing persons and creates great security risks for data stored in the cloud storing services. These risks appear in three forms; the service provider may become a target, the person using the service may become a target or the data that needs to be kept confidential may become available to everyone over the Internet as a result of misstructuring.
Users should take these risks into account and adopt various measures when transferring their data to cloud storing services. Encryption technology will be your biggest assistant at this point. The point to be taken into consideration here is that the selected encryption technology should not affect the advantages provided by the cloud and certain capacities special to cloud storing services. Synchronization is at the top of this list. Synchronization allows access to files placed in the cloud from every platform in the same way. Your encrypted files that you transferred to the cloud from your personal computer should also be safely accessed through your smart devices. All cloud storage services have a special desktop/smart device application and these applications have various user-friendly functions. The encryption technology you utilize should be consistent with these applications, in other words it should not cause any change in your usage habits. Moreover, they should allow access over web interface of services without using the application.
Another utilization advantage of cloud storing services is file sharing. Users wish that the files they share to be merely accessible by the persons they selected. If file sharing is conducted for business purposes, then various institutional policies would be included into the process. In that case, the encryption technology to be used should be able to support the group sharing and hierarchic authorizations as well.
Storing the keys utilized in encryption with data in the cloud would not be a solution. In all personal, group or institutional scenarios, the most important security criteria is to not keep the keys used in any place apart from user devices, in other words it is preventing them from abandoning these devices. It is possible to achieve this through the utilization of Public Key Infrastructure (PKI). When files are encrypted with single use secondary keys enabled by PKI, and when these secondary keys are distributed in a secure manner, the highest level of protection would be achieved.