Continuing with my article of last month, let's continue discussing Controls in Cloud Security. Losing one control typically mandates an increase in the other controls. Here, we have another set of problems. Let us explore the remaining controls:

Confidentiality: Typically, we handle confidentiality through the use of technologies such as encryption and access control. We can still encrypt, but imagine what happens to a large data set. It has to be sent, or assembled, in the Cloud, remain there in an encrypted form, and be transferred back to us for processing. Once the data is at our location, we have to decrypt it, perform the operations needed, then re-encrypt it and resend it to the Cloud. Doable – yes. The performance tax here is huge. While today's routers and servers no longer have their performance cut to 1/6th by encryption (a loss of 84%), we still pay a heavy price.

Figure 4: Lifecycle of Encrypted Data

Let us state once more: having the data unencrypted at any point in the storage or transfer process exposes it to unauthorized disclosure. Unauthorized exposure, of course, is the opposite of what any good security or compliance requirement, such as PCI or HIPAA, demands. Even Amazon, with an inherent interest in providing such services, announced that their Cloud is not PCI compliant nor intended for such work:

Hi,

Thank you for contacting Amazon Web Services. Our payment system is PCI compliant and it is an "alternative payment processing service", meaning your users re-direct to our platform to conduct the payment event using their credit cards or bank accounts. The benefit for you is that we handle all the sensitive customer data so you don't have to.

If you haven't looked at it, I highly suggest you check out the features and functions of our Flexible Payment Service and our Payment Widgets ( https://aws.amazon.com/fps ). As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes. If you have a data breach, you automatically need to become level 1 compliant, which requires on-site auditing; that is something we cannot extend to our customers. This seems like a risk that could challenge your business; as a best practice, I recommend businesses always plan for level 1 compliance.

So, from a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant. It is quite feasible for you to run your entire app in our cloud but keep the credit card data stored on your own local servers, which are available for auditing, scanning, and on-site review at any time.

Regards,
Cindy S.
Amazon Web Services

Figure 5: From here

Figure 6: Encryption in Cloud Case Study

Try the following as an example: suppose you have a volume of credit-card-bearing transactions that you must preserve for a period of one year, and let's assume that the data is in SQL form. If so, the steps needed would include:

1. Exporting the relevant tables
2. Encrypting these files with suitable encryption
3. Uploading the encrypted files to your cloud "bucket"
4. Storing the data in the cloud, in an encrypted form
5. Downloading it, while encrypted
6. Decrypting the data
7. Importing the data, and finally
8. Processing it

Come visit me at www.arielsilverstone.com!
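The eight-step lifecycle above, carried through end to end as an added example; this is not code from the original article or from AWS, and Go is used because its standard library already provides AES-256-GCM, so it runs with no extra dependencies. The SQL export, the in-memory Bucket type, the object name and the key-generation call are constructed stand-ins (the card numbers are the well-known industry test numbers, not real accounts). The key is created and held on the local side and is never written to the bucket, which is the article's point that encryption only protects the data in the cloud if key management stays under your own control. The example also covers the failure mode the article implies: a stored object that is altered while "in the cloud" must be refused at decryption time rather than imported.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// exportedTable is a constructed stand-in for step 1, the SQL export of the
// transactions table. The PANs are standard test numbers, not real cards.
var exportedTable = []byte(`INSERT INTO transactions (id, pan, amount) VALUES
(1, '4111111111111111', 19.99),
(2, '5500000000000004', 250.00);
`)

// objectName is an assumed object key inside the cloud bucket.
const objectName = "transactions-2023.sql.enc"

// Bucket simulates the cloud object store (steps 3 to 5): it holds only
// what we upload and hands back a copy on download.
type Bucket map[string][]byte

func (b Bucket) Upload(name string, data []byte) { b[name] = append([]byte(nil), data...) }

func (b Bucket) Download(name string) ([]byte, bool) {
	d, ok := b[name]
	return append([]byte(nil), d...), ok
}

// NewKey generates a 256-bit AES key. In a real deployment this comes from
// on-premises key management; it is never uploaded next to the data.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is step 2: AES-256-GCM, output laid out as nonce || ciphertext || tag.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt is step 6; GCM's tag check makes it fail on any modified blob.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored object too short to be a valid blob")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Roundtrip runs export -> encrypt -> upload -> store -> download -> decrypt
// and reports whether the object held in the bucket ever exposed a PAN.
func Roundtrip(key []byte, b Bucket, export []byte) (recovered []byte, leaked bool, err error) {
	blob, err := Encrypt(key, export)
	if err != nil {
		return nil, false, err
	}
	b.Upload(objectName, blob)
	stored, ok := b.Download(objectName)
	if !ok {
		return nil, false, errors.New("object missing from bucket")
	}
	leaked = bytes.Contains(stored, []byte("4111111111111111"))
	recovered, err = Decrypt(key, stored) // step 7, import, would consume this
	return recovered, leaked, err
}

// TamperDetected flips one byte of the stored object, as a modification in
// the cloud would, and reports whether decryption refuses it.
func TamperDetected(key []byte, b Bucket) bool {
	stored, ok := b.Download(objectName)
	if !ok {
		return false
	}
	stored[len(stored)-1] ^= 0x01
	_, err := Decrypt(key, stored)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	b := Bucket{}
	rec, leaked, err := Roundtrip(key, b, exportedTable)
	fmt.Printf("recovered ok: %v, plaintext PAN visible in bucket: %v, err: %v\n",
		bytes.Equal(rec, exportedTable), leaked, err)
	fmt.Printf("tampering in the bucket detected: %v\n", TamperDetected(key, b))
}
```

The only point at which a PAN is readable is on the local side, before Encrypt and after Decrypt; that is exactly the window the article says must be kept on servers you control and can have audited. The length of exportedTable stands in for the "large data set": the cost of the two extra passes over it (encrypt before upload, decrypt after download) is the performance tax described above.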