This chapter explores how organizations can seek to secure a public cloud environment for use in big data operations. It begins by describing the challenges that cloud customers face when moving to the cloud, and proposes that these challenges can be summarized as a loss of control and visibility into the systems and controls around data. The chapter identifies thirteen areas where visibility and control can be lost, before progressing to highlight ten solutions to help regain these losses. It is proposed that planning is the most significant step a customer can take in ensuring a secure cloud for big data. Good planning will enable customers to know their data and pursue a risk-based approach to cloud security. The chapter provides insight into future research directions, highlighting research areas which hold the potential to further empower cloud customers in the medium to long term.
TopIntroduction
Cloud has become the ideal platform for big data (Hashem, Yaqoob, Anuar, Mokhtar, Gani, & Khan, 2015): a seemingly limitless pool of computing resources which can be rapidly provisioned and scaled up or down as needed on a pay per use basis. Whilst being ideal for big data activities, the use of cloud presents new security challenges that do not exist when using an on-premise solution or private data centre (Singh, Jeong, & Park, 2016).
Many of these new challenges emerge from the fact that the customer relinquishes control over the infrastructure, processes and handling of data when moving to cloud (Behl, 2011). They instead place trust into the cloud provider that their data will be secure and that the service will be available for use when required. We propose that this trust is often given based upon the assurances from the cloud provider, contractual agreements and upon their reputation.
The aim of the chapter is to provide practical managerial guidance in deploying big data operations securely. The chapter begins by providing a review of areas where big data customers face security risks when moving to a public cloud environment. Following this, a survey of solutions which can address these risks is provided. Where appropriate, we provide links to ongoing research efforts which seek to improve and enhance big data security in the cloud and finish with a discussion on future research directions.
Background
The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources” (Mell & Grance, 2011). It is a technology which fits many big data use cases well, removing upfront investment in hardware whilst providing agility, scalability and reliability in a pay-as-you-go context. As individuals and organisations continue to see the benefits of cloud for big data and other computing activities, it is an industry which continues to grow year on year. Evidencing the popularity of cloud, Gartner has predicted that the worldwide public cloud services market will grow 17.3 percent to total $206.2 billion in 2019 (Gartner Research, 2018).
Despite the benefits of cloud, organisations can be hesitant in their adoption for a number of reasons. Firstly, cyberspace is becoming an increasingly hostile environment. In 2015 Symantec reported that data breaches led to over half a billion personal records being lost or stolen globally (Symantec, 2016). A year later, this figure had doubled to just over one billion (Symantec, 2017). These cyber threats are not just coming from cyber criminals, but also from states and intelligence services which seek to conduct espionage (Hoboken & Rubinstein, 2014). In this hostile cyber environment, organisations are understandably cautious about sending data out of their perimeter, across the public internet to be received, stored and processed at a remote location by a third party.
These concerns are amplified due to the fact that national governments and regulators are strengthening legislation in regard to the protection of personal data. The European General Data Protection Regulation (GDPR) came into force in May 2018, with heavy fines for data controllers found to have failed in their duty to protect personal data. These penalties alone can be significant enough to threaten the financial health of an organisation, before reputational damage is even considered.
Cloud can also fundamentally change the architecture of systems and requires an understanding of new risks and controls to mitigate them (Gou, Yamaguchi, & Gupta, 2016; Singh, Jeong, & park, 2016). Without cloud expertise, the security of a deployment can be hard to assess and many customers accept that a level of control and transparency over their data will be lost in exchange for the benefits it brings (Flittner, Balaban, & Bless, 2016). This loss of control and increase in risk has been visualised by Saxena and Choudrey (2014) in Figure 1:
Figure 1.
Relationship between risk and control when moving to cloud