Transforming IT
Showing results for 
Search instead for 
Did you mean: 

In the fight to secure data in the cloud, encryption can be a double-edged sword


This article is the fifth in a blog series, in which CSA’s Jim Reavis provides his expert advice on how to avoid the dangers posed by each of the Notorious Nine threats. The previous articles in this blog series, can be found here. To follow along, search for #Notorious9 on social media.

Bio on Jim Reavis:  As the co-founder and CEO of the Cloud Security Alliance (CSA), Jim has worked in the information security industry as an entrepreneur, writer, speaker, technologist and business strategist. Jim’s innovative thinking about emerging security trends have been published and presented widely throughout the industry and have influenced many. Jim has been named as one of the Top 10 cloud computing leaders by 

By Jim Reavis:

Data is the lifeblood of a company and often a starting point for security strategies and risk-based decisions.  All of the top threats in the CSA Notorious Nine report relate in some way to data.  Compromised data is everyone’s nightmare scenario.  Data loss, in some cases can be a consequence of a data breach, where a malicious attacker compromises security controls and deletes important information, rather than – or in addition to stealing it.  We discussed data breach in full, in this previous blog post.

However, data loss can have a wide variety of root causes outside of hacker targeting.  As the report states:

“Any accidental deletion by the cloud service provider, or worse, a physical catastrophe such as a fire or earthquake, could lead to the permanent loss of customers’ data unless the provider takes adequate measures to backup data. Furthermore, the burden of avoiding data loss does not fall solely on the provider’s shoulders. If a customer encrypts his or her data before uploading it to the cloud, but loses the encryption key, the data will be lost as well.”

The original report referred to a fascinating incident in 2012, where Wired writer Mat Honan was targeted by hackers, who compromised his cloud-based accounts and erased all of his personal data.  More recently, Sony was targeted in a highly sophisticated 2014 attack that both exposed and destroyed information throughout the organization. 

The most infamous malicious data loss technique is called ransomware.  Ransomware refers to software trojans that, when executed, encrypt or otherwise render data inaccessible.  The only way to restore access to the information is to pay a ransom to the attacker, often through an anonymous digital currency such as Bitcoin.  This has become such a serious problem due to malware sophistication. In a recent survey conducted by our team here at CSA, nearly 25% of respondents stated that they would pay the ransom to restore access to their data.

Adding to the risk of malware and hacking, there are also still cases of data loss attributed to mistakes made by cloud providers.  For example, providers can go out of business or simply not have the appropriate security controls and redundant systems required to secure your data.  More often, however, the fault for data loss rests with the end-user, or at the very least is contributed to by the end-user such as in the case of poor coordination and communication between the cloud customer and the cloud provider.

Stopping Data Loss: Back to the Data Security Lifecycle

In the face of all of this risk, what is an organization using cloud to do to prevent data loss?

As in the case of the threat of data breach, breaking down the issue using the CSA six phase data security lifecycle is extremely useful in planning your approach to protect against data loss. From creation to destruction, your understanding of how access control is managed for each phase is important.  Obviously, malware detection and mitigation has an important role to play, as well.  Once again, a layered model of overlapping security defenses is considered to be the best practice.

Data Lifecycle.png

Figure 1- CSA Data Security Lifecycle

In the data breach blog, we discussed how encryption is an important and resilient security control.  In data loss, encryption is a double-edged sword, as ransomware uses encryption to potentially destroy data.  Probably more common, however, are user-inflicted encryption errors.  One such error, is the loss of encryption keys. Many organizations simply do not understand how important encryption keys are, and as a result they do not make copies of keys and may not even know where they are stored.  Losing encryption keys is the same as deleting the information yourself.  Key management is critical.  Make sure that your team maintains multiple copies of keys in well protected systems. 

To sum it up: Encryption is one of the most resilient security controls invented, and it is important to use it pervasively, but also to implement and manage it correctly.

How do you evaluate your provider on their secure data handling? To a large degree, assuring the appropriate data protection practices are in place throughout the data security lifecycle is a function of conducting the appropriate due diligence of the cloud provider, as well as of your own business usage of cloud.  The CSA recommends using our Consensus Assessment Initiative Questionnaire (CAIQ), a comprehensive and free compendium of questions you ask the cloud provider to make sure they have the appropriate security controls.  CAIQ has several questions specific to protection against data loss.  When you review the questions, you may find that some answers should be provided by your own organization as opposed to the provider. Remember, that security is always a shared responsibility.

In Summary

Data loss is a critical threat that IT professionals must cope with in cloud computing and ranks as second most prevalent in the CSA Notorious Nine.  From malicious destruction to cloud provider failures, from end-user errors to inadequate policies and procedures, a broad set of root causes can result in catastrophic data loss.  Understanding responsibilities as a cloud customer is foremost, as this is the most likely point of failure.  A layered defense model combined with extensive cloud provider due diligence is your best approach to reducing this threat in the cloud.

Get Some Help to Beef Up Your Approach to Cloud Security

HPE’s Cloud Computing Security Knowledge (CCSK) courses were developed in partnership with CSA. These courses are designed to provide you with the knowledge that you need, to avoid security risks in the cloud and implement best practice approaches – such as to avoid data loss.



About the Author


25+ years in high tech in various roles that include Consulting, Channel Mgmt, Product Mgmt and Marketing. Technology areas include storage and data management, high availability, cloud and hosting, networking, and mobility/wearable technology for enterprise, SMB , and channel business. Industries include healthcare, financial services, ISVs, Service Providers and telecos.