12

I'm doing due diligence on a company. They are entirely cloud based and need to collect lots of personal information from users (including SSN). Is this something I should be majorly concerned with? They say they are using encryption, and Azure is a secure platform. I'm unfamiliar with how securely reliable cloud storage is currently, and how complex it is to setup and maintain. If cloud storage is OK for this data with proper precautions, are there any questions I need to ask on this topic?

  • Unless the key is also uploaded to Azure, I don't see a huge concern if it's encrypted the correct way. What do the regulations for this company say with regards to this type of information? – Ramhound Apr 10 '16 at 01:36
  • 2
    Before you can conclusively say that a cloud provider complies with the technical standards of "safe", you need to be aware what industry regulations and governmental regulations apply to your specific use case. For example, if you handle credit card numbers, then PCI-DSS may apply to you and you need to base your audit on those regulatory frameworks. – Lie Ryan Apr 10 '16 at 03:15

2 Answers

19

Given the current state of public cloud, I would argue that in many cases it is in fact more secure than on-premise storage. Granted I work for Microsoft, but my opinion both pre-dates my employment, and extends to competitors like Amazon and Google as well. Companies whose business models are built on data center operational expertise and excellence are simply always going to be better at running and protecting their assets than companies who view IT and data as simply a cost to be tightly controlled.

That said, there are definitely a couple of things that I would take a careful look at.

  • How are they encrypting the data? Encryption is easy to get wrong, and with data as structured as SSNs, and with such a small domain, getting it wrong could result in a significant breach of confidentiality.

  • How are they managing access? For this you need to look not only at who has access via the application and to the machines, but from an Azure-specific perspective, who has access to the resource groups and the subscription?

  • Key management. Azure offers HSM-based key-storage. For significantly sensitive data, you should ensure they're using an HSM-protected Key Vault.

Xander
  • 2
    As a PaaS/SaaS geek I endorse @Xander's statements. In fairness to your customers, also cross reference the Governmental Disclosure list for their requests for private information. It is part of Google's transparency project, and MSFT has a similar initiative. I don't know if Amazon, Rackspace, Telerik Cloud, Salesforce or the many other less known players have the same transparency. (Dropbox, Box.com, O365, Intermedia, Proofpoint... not to omit any player, but "cloud" is so broad these days) – makerofthings7 Apr 10 '16 at 02:34
  • I would say this sweeping statement is true only for major cloud providers. There are more unknowns with smaller providers, which may not be under as much scrutiny. – Lie Ryan Apr 10 '16 at 03:09
  • One of the many things I would do when performing an architecture review of IaaS, PaaS, and SaaS providers is ask about multi-tenancy and shared environments. It also depends on company policy. A former employer went to the extreme (and, IMO, the right thing to do) of not allowing off-prem storage of PII, at least without architecture review and security testing. – h4ckNinja Apr 10 '16 at 07:40
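Added illustration of the first and third points in Xander's answer (not code from the question, the answers, or Azure): why a per-record random nonce matters for a small-domain value like an SSN, and what "the key stays in the HSM" looks like as envelope encryption. It is stdlib-only, so an HMAC-SHA256 keystream stands in for AES and a `SimulatedVault` class stands in for an HSM-backed Key Vault; both are assumptions for the demo, not the real services.

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # PRF keystream (HMAC-SHA256 in counter mode) standing in for an AES cipher.
    out = b""
    for counter in range(0, n, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, plaintext: bytes, nonce=None) -> bytes:
    # nonce=None: fresh random nonce per record (correct). Passing a fixed nonce
    # makes the scheme deterministic, so equal SSNs produce equal ciphertexts.
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class SimulatedVault:
    """Stand-in for an HSM-backed key vault (assumption, not Azure Key Vault):
    the KEK never leaves this object; callers only get wrap/unwrap of DEKs."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)
    def wrap(self, dek: bytes) -> bytes: return seal(self._kek, dek)
    def unwrap(self, wrapped: bytes) -> bytes: return open_(self._kek, wrapped)

def store_record(vault, ssn: str) -> dict:
    # Envelope encryption: a fresh DEK per record, persisted only wrapped by the KEK.
    dek = secrets.token_bytes(32)
    return {"ssn_ct": seal(dek, ssn.encode()), "wrapped_dek": vault.wrap(dek)}

def read_record(vault, rec: dict) -> str:
    return open_(vault.unwrap(rec["wrapped_dek"]), rec["ssn_ct"]).decode()

def equality_leaks(key: bytes, ssn: str, deterministic: bool) -> bool:
    # True when two records holding the same SSN are recognisable as equal from
    # ciphertext alone, i.e. the storage reveals matches without the key.
    nonce = b"\0" * 16 if deterministic else None
    return seal(key, ssn.encode(), nonce) == seal(key, ssn.encode(), nonce)

if __name__ == "__main__":
    v = SimulatedVault()
    rec = store_record(v, "123-45-6789")  # constructed sample value
    print(read_record(v, rec), equality_leaks(secrets.token_bytes(32), "123-45-6789", True))
```

The deterministic variant is what a reviewer should look for: with only about a billion possible SSNs, any scheme that maps equal inputs to equal outputs lets matches be confirmed without ever recovering the key.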
2

To add to Xander's answer, there are a few things to consider:

  • Company policy
  • IaaS, PaaS, and SaaS multi-tenancy
  • Key management
  • Current internal security posture

Company policy

Some companies are okay with *aaS, some companies say a certain level of PII is okay to store off-prem without encryption, or require encryption for a certain level, and say above that level, no off-prem storage. If the company does not have those policies, encourage them to get those policies.

Multi-tenancy

Multi-tenancy is hosting multiple customers in the same platform or network space. This makes pivoting and sniffing of traffic easier.

Some providers will give you a dedicated instance if you are willing to pay a little (or a lot) extra.

Key management

As Xander mentioned, some providers (Amazon and Microsoft do this for sure, I don't know about Google, though I'd guess they do) offer an HSM for key management. Is the company trusting of the SEE code in the HSM? Is the company willing to give out the key to encrypting and decrypting identity significant data? Can the company control the SEE code?

Company security posture

Does this company have a mature vendor management process? Incident response process? What happens if one of these providers is breached? Does the company IR team have the ability to work with the provider? Will the provider be held to a contract to notify the company in the event of a detected breach? Will logs be forwarded to a company log monitoring solution? Is that log monitoring solution monitored and maintained? Does the company have a mature security testing and review program?

These are all questions that should be asked and answered beyond "is it safe?" because policies, security posture, and provider environment impact that "is it safe?" a lot.

h4ckNinja