
Is Your Data Lost Among the Clouds?

Within the cloud, I don't know where my data is and I don't care because I'm protected. The name of the game is virtualization. The software apps on your computer don't know where in the computer's memory their data is stored, and they don't care as long as it works; the cloud is no different.

I hope that my data is within secure facilities, transmitted across secure networks, and stored on secured servers. But I still don't know where or how. I haven't seen the facility. I haven't seen the servers. I have yet to see a VLAN on the private networks. I don't even know their hardware disposal policies. Do they destroy hard drives with issues or simply toss them free for anyone to pick up?

So then, how do you protect your data in the cloud? Well, as with life, your data is either moving or it's sitting still. These two states require different methods of protection.

Protecting your data in transit (moving) requires securing the communication between the endpoints. The common method that every user knows is SSL (HTTPS). This provides a secure connection between the user's browser and the web server. Within the cloud, this same process applies to communication between servers. With servers you can use SSH. With MySQL you can use SSL between the client and server, or between servers if using something like replication.

Protecting your data at rest (sitting still) requires securing the storage of the data. The storage can be on the cloud server's hard drives, a remote block device (Amazon EBS), or even file-based storage such as Rackspace Cloud Files or Amazon S3.

For data that sits in roughly one place and is constantly in use, like a database, the encryption needs to happen on the fly. TrueCrypt is a common method, but be aware there may be a performance penalty or integration issues with virtual servers. Make security a top priority so that you catch these potential issues early.

Data that can be wrapped into a single file, such as a database backup, can be protected with GnuPG. This method is important for protecting your storage on object/file-based storage services like Cloud Files or S3. You can either pipe the data into GnuPG so it is encrypted before being stored to a file, or feed an existing file to GnuPG. Then store the encrypted file on your storage service, free for them to replicate and transmit through their networks safely.
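The pipe approach described above, sketched as an added example (not code from the original post): the dump is streamed straight into GnuPG so the plaintext never touches disk, and a dump that fails partway leaves no backup file behind. It assumes GnuPG 2.1 or later and symmetric encryption from a passphrase file; the function names, paths and database name are hypothetical.

```shell
#!/bin/sh
# Added example: stream a backup through GnuPG so plaintext never lands on disk.
# Assumptions: gpg 2.1+ on PATH, symmetric AES256 keyed from a passphrase file.
# With a key pair, swap the --symmetric options for: --encrypt --recipient KEYID

# Options for unattended use; loopback lets gpg read the passphrase file directly.
gpg_opts="--batch --yes --quiet --no-tty --pinentry-mode loopback"

# backup_encrypted OUT PASSFILE CMD [ARGS...]   (hypothetical helper name)
# Encrypts CMD's stdout into OUT. OUT appears only if CMD and gpg both succeed.
backup_encrypted() (
    out=$1; passfile=$2; shift 2
    umask 077                       # ciphertext and marker readable by owner only
    tmp="$out.partial.$$"
    ok="$out.ok.$$"                 # empty marker file, holds no backup data
    rm -f "$ok"
    gpg_rc=0
    # A pipeline reports only gpg's exit code, so a dump that dies halfway would
    # still leave a valid-looking but truncated backup. The marker catches that.
    { "$@" && : > "$ok"; } |
        gpg $gpg_opts --passphrase-file "$passfile" \
            --symmetric --cipher-algo AES256 --output "$tmp" || gpg_rc=$?
    if [ "$gpg_rc" -ne 0 ] || [ ! -e "$ok" ]; then
        rm -f "$tmp" "$ok"
        exit 1
    fi
    rm -f "$ok"
    mv "$tmp" "$out"                # publish the finished file in one step
)

# restore_stream IN PASSFILE: decrypt to stdout, e.g. piped into the mysql client.
restore_stream() {
    gpg $gpg_opts --passphrase-file "$2" --decrypt "$1"
}

# Usage (paths and database name are placeholders):
#   backup_encrypted db.sql.gpg /root/backup.pass mysqldump --single-transaction mydb
```

Only the resulting `.gpg` file needs to be uploaded to the storage service; the passphrase file stays off that service.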

You'll still want to make sure no sensitive data gets written to disk unencrypted, because then you have to scrub the area to make sure it's gone (if you even can). Just because you deleted the file doesn't mean the data doesn't exist. Also, be careful with remote storage services like Amazon EBS. EBS is actually data that is also in transit. The virtual server storage itself may be backed by a remote SAN using an unknown network.

Vendors don't always want to give the details so who knows, but it doesn't matter all that much if you take the necessary precautions.
