Assessing Data Risks in a Hybrid Cloud Environment
The level of risk in a hybrid cloud environment depends on the kind of data that you’re trying to secure. This data can include credit card transactions, Social Security data, and internal social network data. You need to decide what data you’re willing to put into the cloud based on the risk you’re willing to take if that data becomes compromised in some way or if you can’t access it.
Here are just a few data-related risks to think about in a hybrid cloud environment:
Commingling of data: In a hybrid cloud, there’s a good chance that your data will be commingled with another company’s data on a server. Your neighbors, therefore, matter. For example, if one neighbor is successfully attacked, the attack could affect your data availability or security. Or, if one of your co-tenants engages in malicious activity, you can be affected. Your data might become compromised.
Data deletion: If you end your contract with your service provider and ask it to delete your data, this procedure may not be done securely. That means some of your data may still be on the provider’s disks and that others can access it.
Data breaches: Hackers are very much aware of the new cloud model and the fact that data is moving through the cloud. However, depending on where your data is located, your cloud provider may not be required to alert you if its servers are breached. Breach protection laws that protect personal information vary by country and state.
Data seizure: If your data is commingled with another company’s data, and the other company’s data is seized, yours might be, too. For example, in 2009, the FBI raided two Texas data centers and seized a number of servers. Companies that had data on servers that weren’t related to the investigation were severely affected. A number went out of business because they couldn’t uphold their obligations to their customers.
Hackers and thieves are always one step ahead of the latest security measure, so data protection tools need to be used wisely to provide adequate protection. For example, situations exist where thieves have been able to steal encrypted data. In one recent case, the data was encrypted only up to the point the data was delivered to the applications. At that point, it was decrypted, and that’s when the loss occurred. This loss could’ve been prevented if the receiving application had been allowed to control the decryption process.