Secure and Legal
by Mary Branscombe
What can you do to keep your data secure and your applications legal when you’re operating in the cloud?
HardCopy Issue: 71 | Published: May 10, 2017
The debate about whether it’s safe to put your data in the cloud is largely settled. The North Bridge Future of Cloud Survey 2016 shows that over 90 percent of companies are using cloud services in production, and half of the companies surveyed believe the cloud is more secure than their own infrastructure.
Cloud services like Azure have advantages of physical and procedural security that are hard for most businesses to match. The facilities are highly automated, unmarked and sited in remote locations chosen for the combination of high bandwidth and cheap renewable energy. The small number of staff and guards allowed to enter undergo background checks and have to pass biometric and physical security checks to get into the data centre, and when they do, both they and the teams who run the cloud services from Microsoft offices have far less access to data and workloads than the administrators of the average company.
All the servers are encrypted with BitLocker; hardware that has been used for ‘high business impact’ workloads never leaves the data centre; and retired hard drives go through a shredder that reduces them to small pellets of metal. Backup generators and automatic failover to other hardware, or even to another data centre, protect against threats like data loss and downtime – and even allowing for the occasional human error, availability beats what most businesses could manage themselves.
It’s a long way from many commercial data centres, let alone a server under the desk or in the cupboard in a branch office. “You have to protect your data, but that doesn’t mean it has to be sitting on your own server in your own data centre,” points out Rik Hepworth, IT Director at Microsoft partner Black Marble which works with highly regulated customers like healthcare providers, local government and police forces: “Can you honestly say your data centre is more secure than the data centres in Azure? If I can drive a JCB through your wall, I’ve got your servers – and that’s easier to organise than you might think.”
Where is your data?
But the security that the cloud offers still leaves you with a lot of responsibilities. For those highly regulated customers, the thorny issue that remains is data residency; where in the physical world that data is allowed to reside – and what networks does the data transit when it’s being consumed by a service?
Black Marble builds tuServ, a mobile app on phones and tablets for police officers that replaces their paper notebook as a way of gathering evidence. Although it can run on the police force’s own servers, some forces are running it in Azure to reduce hardware and management costs; to get cheaper storage for the audio and video and photos an increasing number of officers are recording on their devices; and to get security and resiliency. “Hosting in Azure takes advantage of Microsoft’s expertise in defending against intrusion,” explains Hepworth.
But it’s the new UK Azure region that’s made that possible. “Microsoft removed a big barrier by opening the UK data centres; so we can do geo-replication for absolute resilience between UK South and UK West. Up until that point, we did have some serious issues to think about and a lot of forces were saying they were not comfortable using the cloud. That wasn’t because of an issue with the security standards of Azure, but rather whether the legislation they have to follow made it clear whether they were allowed to use an Azure data centre located in Europe. Microsoft do make commitments about how they manage data and how it will transit; they’re not going to just suck data into the US.”
Even the Ministry of Defence uses Microsoft’s UK data centres, for both Office 365 and Azure services, and Microsoft recently published Azure Blueprint, a set of guidance and reference documents to help UK public sector organisations move workloads into Azure in a compliant fashion. For its consumer email service, Outlook.com, Microsoft has even gone to court to defend users’ rights not to have their data leave the region without a legal process.
However, although most Azure services are available worldwide, not all services are in every region yet – and the same is true of Azure Stack, Microsoft’s on-premises cloud system, which is best thought of as its own Azure region. Azure Backup is available in the UK region, as is the Key Vault service for managing your own encryption keys; HDInsight is not. Hepworth is enthusiastic about the Application Insights service: “It’s a really powerful telemetry tool where you can get lots of information about your app to help fix faults and monitor performance.” But because the service doesn’t yet run in the UK region, telemetry data would have to leave the UK to be stored in Europe, so they’re not yet using it.
Similarly, Bing Translate would be an ideal tool for translating witness statements into the native language of the witness so they can read them over before they sign – something no police force could develop for itself. Black Marble was able to create a proof of concept in a day and police forces like the way it could lower the communications barrier with witnesses, but they’re not comfortable with those witness statements being sent to US data centres and back. They also want the ability to mark their data so it’s not used to train the service, just as emails and documents stored in Office 365 remain private to your tenant.
The issues are similar for European countries. Although many organisations in the EU are comfortable with data centres located elsewhere within the EU, Microsoft has opened a German Azure region with access to customer data controlled by a German data trustee, T-Systems, so that it can comply with German government requirements for managing data. Azure China is run by a Chinese company, 21Vianet. But there are many parts of the world that do not have their own Azure region, particularly in the developing world. If you’re in Namibia, for example, then your closest Azure region is in India, while New Zealand has to use Azure services based in Australia or Singapore. Microsoft has even experimented with underwater servers, which could put processing and storage next to undersea data cables, and possibly in international waters.
EU Data Protection Regulations
Coming into force in May 2018, the General Data Protection Regulation (GDPR) puts the onus on businesses to understand and mitigate the risks of storing people’s data. New requirements include broader subject access and erasure rights, risk assessment procedures (privacy impact assessments), a Data Protection Officer role for many organisations and a notification process for data breaches. Although GDPR is an EU regulation it will still be relevant post-Brexit to any organisation that offers goods and services to EU residents. Fail to meet it and you could be fined up to €20 million or 4 percent of your worldwide annual turnover, whichever is higher.
Can cloud services help you reach GDPR compliance? Yes, but simply using a GDPR-compliant service like Azure or Amazon Web Services (AWS) doesn’t automatically protect the apps you build.
The Investigatory Powers Act 2016 allows the Home Secretary to issue retention notices requiring communications providers to retain communications data, including a record of the internet services to which devices have connected, for up to 12 months. This information must be made available to law enforcement agencies and other authorised public bodies, without the need for a judicial warrant.
However the wording of the Act is sufficiently vague for the Home Secretary to say that some of its provisions require extensive testing and so won’t be in place for some time, after consultation with industry. That means there’s no immediate impact on businesses, and whether you store customer interactions in the cloud or on your own servers isn’t relevant to the Act.
When you’re using ‘the cloud’ it’s important to remember that you’re not just using one thing, or even the same thing everywhere. Where possible, you need to think beyond data residency to data protection. “I shouldn’t care where the data centres are if I’ve made sure that data goes in and out securely, so it can’t be tapped and it can’t be monitored,” points out Hepworth. “It becomes more about how you develop apps. You have to think about security from the get go; you have to be very careful to think about potential threats, and very aware of how desirable the information your app is using and storing might be to somebody else. It comes down to how you build your app and how you deal with security as you communicate between the different layers of the app.”
Over time, he predicts, “we’ll start to focus more not on where we put the data but on how we put the data there: how do we encrypt it, how do we manage who can touch – and these are things we should be dealing with already.”
Dealing with data securely can actually be easier in a cloud model. “The cloud opens up lots of different ways that we might manage our information lifecycles that people haven’t caught up with yet because they’re still thinking about tangibles.” For example, if a customer no longer wants you to run a service for them then you can simply sign the subscription over to them, which makes them responsible for overseeing the secure deletion of their data.
Azure has another advantage here because it’s part of a continuum from on-premises Azure Stack, through hosted private cloud, to public cloud. “As a developer, we can code using the same approach and standards and technologies, and we can deploy that on a customer network, but if they want to deploy to Azure we don’t have to rewrite the app,” Hepworth points out. That consistency means you can move more out to the cloud as any remaining compliance, security or data residency issues are addressed in the future, and it is easier today to segment your apps so that you divide data and processing between private and public cloud, simplifying these security decisions.
What data do you have?
Before you can think about the security of your data in the cloud, you have to think about the nature of your data. If you’re in healthcare, government or the financial sector, you’re going to be well aware of the regulations your business is governed by, and the data you hold. That’s not always true of other businesses.
Azure services for enhancing security
Azure provides many services that can help you secure your applications. Azure Active Directory, for example, isn’t just for managing users: the commercial tiers support multi-factor authentication and let you view security reports that analyse suspicious logins. Azure Active Directory Identity Protection uses machine learning to flag risky sign-ins and accounts that are likely to have been compromised, and lets you drive conditional access policies (requiring MFA or blocking access) from those risk scores, while Azure Security Center shows you the security state of all your Azure resources and can make recommendations for improving your security settings. If your application is available to consumers or other businesses, then use Azure AD B2C and B2B for secure identity and access management.
Azure API Management is a gateway that lets you publish APIs that your apps can consume securely, while Azure App Service gives you secure data storage, user authentication and push notifications for mobile apps. Log Analytics analyses logs from all your workloads in near real time, while Operations Management Suite gives you threat detection across Azure, AWS and on-premises systems.
Then there’s ExpressRoute, which allows you to set up a private connection to the cloud instead of using a public internet connection. If you are using the internet then you can configure network security groups to filter inbound and outbound traffic, and make use of user-defined routing, IP forwarding, forced tunnelling and endpoint ACLs. You can also set up the Web Application Firewall, part of Application Gateway, to protect your web apps from cross-site scripting and SQL injection.
Azure Storage already encrypts data in transit, and Storage Service Encryption now encrypts blob and file storage at rest at no extra charge. You can also encrypt your virtual machine disks using Azure Disk Encryption, which uses BitLocker on Windows and DM-Crypt on Linux, with the disk keys held in Azure Key Vault. Key Vault lets you store secrets like the service keys used by apps, and control the cryptographic keys used to encrypt your data on Azure.
If you’re using SQL Server 2016 or Azure SQL Database, the Always Encrypted option encrypts sensitive columns in the client driver before the data is sent, and the database engine never sees the plaintext or the keys; with deterministic encryption your apps can still do equality lookups and joins on those columns, while randomised encryption gives stronger protection but no server-side filtering. There are also Dynamic Data Masking options to hide sensitive values from non-privileged users, which helps you avoid exposing production data to development and test. Azure SQL Database Threat Detection uses machine learning to detect suspicious database activity in your Azure SQL Database, and if you have an app written against MongoDB drivers, DocumentDB’s MongoDB API lets you use it as the data store without running your own MongoDB servers.
Azure Rights Management Service (RMS) lets you set policies for any file type that limit who can view, edit, or copy the file, and you can use it with Azure Information Protection to classify and label sensitive data. Then there’s the forthcoming Office 365 Advanced Data Governance service to help you identify important data and reduce data retention issues by removing redundant and obsolete data.
Giving evidence to the House of Lords Home Affairs Committee recently, Stewart Room, Head of Legal Data Protection and Cyber-Security at PwC, pointed out that companies who are concerned about the impact of the upcoming General Data Protection Regulation (GDPR) are likely to already be breaking the UK’s Data Protection Act by retaining too much data: “Many organisations are retaining electronic data that may already not be lawful, in a technical sense. The GDPR is forcing them to focus on the subject afresh and they discover a data lake that has to be drained. The principles and rights of GDPR, the requirements like privacy by design and privacy impact assessments; those things are needed and they’re just being codified because a lot of organisations have misunderstood this.”
As Hepworth points out, when you put that kind of information in the cloud, you need to be clear about what role you and the cloud provider play. “If I provide a CRM system that manages your customer information, whose responsibility lies where? You’ve put your customer information into my system and it’s all about working out where those lines of responsibility lie and making sure we can’t access customer data even if we want to.”
Cloud providers will show you a list of the standards and directives they’re compliant with, but that doesn’t mean your work is done, he warns: “One of the rookie mistakes that organisations make is to think ‘we moved our services into Azure and Microsoft says Azure is compliant with these frameworks, so anything we do in Azure is compliant’. And that’s just not true! What Microsoft is saying is ‘we manage our systems in a very safe and secure way and providing you adhere to these guidelines in your own practices, you can build compliant systems’. You could build a PCI-compliant solution in Azure, for example, but you could also build one that’s not PCI compliant. Just because Azure is secure doesn’t mean your solution is.”
Azure gives you a solid foundation, but you need to build your app on top of that with features that make it secure and compliant, and treat your data responsibly to avoid creating a honeypot. A key step in that is categorising your data: “One of the big failings with most organisations going to the cloud is that they move a pile of unsorted stuff from one place to another and they don’t know what the information is,” warns Hepworth. That’s where GDPR is going to bite the unwary. “If you’re being tasked with securely managing information about me as a customer, how can you do that without knowing what the information is, to assign the lifecycle correctly? Organisations that don’t have an existing canonical definition of data and how it needs to be managed face a big hurdle.”
Encrypt the data you store, limit who has access to it, and don’t keep it longer than you need. If you’re storing ‘big data’ to analyse later, use anonymisation and data masking techniques to reduce the risk. Unless there’s a regulation that dictates that you have to retain data – such as the Investigatory Powers Act 2016 mandating what information ISPs must store about customers – then minimising, categorising and classifying the data you store is the best way to avoid creating a honeypot in the cloud. Secure as it may be, the cloud can’t do all the data security work for you.
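As an added example (not code from the article, Black Marble or tuServ), the minimisation, pseudonymisation and masking step described above, in Python. The field classification is the kind of canonical data definition Hepworth calls for: each field is declared as a direct identifier (replaced by a keyed token), something to mask, something to generalise, something to drop, or something safe to keep, and anything unclassified is refused rather than stored. The record, the field list and the key are all constructed for illustration; in a real deployment the key would be fetched from Azure Key Vault rather than embedded in the code.

```python
"""Minimise a customer record before it is stored in the cloud for later analysis.

Added example, not from the article. Direct identifiers are replaced by a keyed
HMAC token (deterministic, so records still join, but not reversible without the
key and not brute-forceable the way a plain hash of an email address is), card
numbers are masked, dates of birth are coarsened to an age band, free text is
dropped, and fields that are not classified are rejected.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed stand-in for a key retrieved from a secrets store (e.g. Azure Key
# Vault). Never hard-code a real key like this.
PSEUDONYMISATION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Field classification: the canonical definition of what each field is.
DIRECT_IDENTIFIERS = {"email", "national_insurance_no"}   # keyed token
MASKED = {"card_number"}                                  # partial mask
GENERALISED = {"date_of_birth"}                           # age band
DROPPED = {"free_text_notes"}                             # not needed for analysis
RETAINED = {"postcode_area", "product", "amount"}         # kept as-is

# Constructed sample input; not real personal data.
SAMPLE_RECORD = {
    "email": "Jane.Doe@example.com",
    "national_insurance_no": "QQ123456C",
    "card_number": "4111 1111 1111 1111",
    "date_of_birth": "1985-07-20",
    "free_text_notes": "called about a refund",
    "postcode_area": "BD1",
    "product": "subscription",
    "amount": 9.99,
}


def pseudonymise(value: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed HMAC-SHA256 token over a normalised value (trimmed, lower-cased)."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def mask_card(pan: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 8:
        raise ValueError("card number too short to mask safely")
    return "*" * (len(digits) - 4) + digits[-4:]


def age_band(dob_iso: str, today: date) -> str:
    """Generalise an ISO date of birth to a ten-year age band such as '30-39'."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimise(record: dict, today: date) -> dict:
    """Apply the classification to every field; refuse fields nobody has classified."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = pseudonymise(value)
        elif field in MASKED:
            out[field] = mask_card(value)
        elif field in GENERALISED:
            out["age_band"] = age_band(value, today)
        elif field in RETAINED:
            out[field] = value
        elif field in DROPPED:
            continue
        else:
            raise ValueError(f"unclassified field {field!r}: classify it before storing")
    return out


def leaks_raw_identifiers(minimised: dict, original: dict) -> bool:
    """Check that no raw identifier or card number survives in the stored form."""
    stored = json.dumps(minimised)
    sensitive = DIRECT_IDENTIFIERS | MASKED
    return any(str(original[f]) in stored for f in sensitive if f in original)


def retention_expired(stored_on: date, today: date, retention_days: int) -> bool:
    """True once a record has outlived the retention period assigned to its class."""
    return (today - stored_on).days > retention_days


if __name__ == "__main__":
    minimised = minimise(SAMPLE_RECORD, date(2017, 5, 10))
    print(json.dumps(minimised, indent=2))
    print("leaks raw identifiers:", leaks_raw_identifiers(minimised, SAMPLE_RECORD))
```

The keyed token is the part to get right: a plain SHA-256 of an email address is trivially reversed by hashing a list of known addresses, whereas the HMAC needs the key, which is why it belongs in Key Vault with access limited to the service that does the minimisation. The `retention_expired` check is where the lifecycle Hepworth describes is enforced: each data class gets its own retention period, and anything past it is deleted rather than left to accumulate.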