Greetings from the RSA Conference! I just attended a session called: “Is the Cloud Really More Secure Than On-Premise?”. The assembled panel included Bruce Schneier, Bret Arsenault – CISO, Microsoft, and Eran Feigenbaum – Director of Security, Google Apps. The panel was interesting and lively, and there was a lot of good conversation and give and take.
There was one piece of guidance provided by the panel about which they seemed to be in violent agreement. The frequently repeated phrase was “You have to own your data”.
Now where have I heard that before? Oh yes, it is our tagline and foundational principle here at Covata. Needless to say I was glad I was there to hear it. I would also tell you that there were lots of other things said that really supported the ideas that make up Covata.
For example, the need to be independent of the cloud storage provider and the reality that not everyone in the business will put data only in mandated cloud storage. The panel admitted that even though they represent the major vendors, their own teams used things like Dropbox. Lesson – your data protection must be independent and ubiquitous.
They were also very much aligned on the need for encryption. The idea is obvious – any theft or spillage then involves data that is encrypted and therefore useless to anyone. Mr. Schneier confirmed his belief that people have not yet broken AES 256, and who am I to debate Bruce Schneier on the efficacy of crypto? Lesson – encrypt at the point of origin so the data is protected wherever it resides and secure if exfiltrated.
Third, there was much discussion about privacy (pretty par for the course at RSA 2014) and the ability of a provider to turn over your data to a third party without your knowledge or consent. Specifically, what happens when the provider is subpoenaed for data by law enforcement or government agencies, including outside of the US? The panel emphasized the need to own your keys and store them away from the cloud provider. Lesson – encryption solutions must allow your business to keep the keys on premises behind your firewall, regardless of where the data goes.
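The last two lessons can be combined in an envelope-encryption pattern, sketched here as an added example that is not code from the panel or from Covata. The names `onPremKek`, `encryptForCloud` and `decryptFromCloud` and the record layout are assumptions made for illustration, and the in-memory key stands in for a key held in an on-premises HSM or key server.

```javascript
const crypto = require('crypto');

// Constructed stand-in for the key-encryption key (KEK) that stays on premises.
const onPremKek = crypto.randomBytes(32);

// AES-256-GCM helper: returns iv (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Inverse of seal(); throws if the key, the AAD or any byte of the blob is wrong.
function open(key, sealed, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Runs at the point of origin. A fresh data key encrypts the object, and the
// data key is itself wrapped under the KEK. Only the returned record is handed
// to the storage provider, so the provider never holds a usable key.
function encryptForCloud(kek, objectId, plaintext) {
  const aad = Buffer.from(objectId); // binds both blobs to this object's name
  const dataKey = crypto.randomBytes(32);
  const record = {
    objectId,
    wrappedKey: seal(kek, dataKey, aad).toString('base64'),
    body: seal(dataKey, Buffer.from(plaintext), aad).toString('base64'),
  };
  dataKey.fill(0); // drop the plaintext data key once it has been used
  return record;
}

// Runs on premises after the record has been fetched back from the provider.
function decryptFromCloud(kek, record) {
  const aad = Buffer.from(record.objectId);
  const dataKey = open(kek, Buffer.from(record.wrappedKey, 'base64'), aad);
  return open(dataKey, Buffer.from(record.body, 'base64'), aad).toString();
}
```

A provider compelled to hand over such a record can only produce ciphertext and a wrapped key; reading it still requires the KEK, which the business holds.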
The Cloud has enormous value, and most on the panel believed that the major cloud providers can provide services that are of much higher quality than any business can produce in-house. But moving your data to the cloud does not mean you can hand responsibility for securing your data over to the provider. You must own your data by taking control over it and demanding visibility into who uses it, when, and how many times. You must demand persistent controls that enable the business to adapt to changing business circumstances and security threats.
Own Your Data – I like the sound of that! Don’t just take my word for it; a panel of experts agrees.