
The guide to cloud storage security for public sector


Cloud storage solutions can provide public sector organisations with a high degree of flexibility when it comes to their storage needs, either public cloud based, or in their own private clouds. In our previous blog post we looked at the economic differences between these two approaches.


In this blog we will explore some of the security best practices when using cloud storage, so that you can ensure that sensitive data remains securely stored and compliance objectives are met. The points we cover will be relevant to both on-premise storage and storage solutions in a public cloud.

Risks associated with storing data

In the public sector, it is very common to handle sensitive datasets, such as Personally Identifiable Information (PII) about citizens, medical information, or digital evidence for crime investigation purposes.

It is important to ensure that these datasets are only ever accessible to users with the correct permissions, and that whenever they are transferred, this is done across a network that cannot be eavesdropped upon. Similarly, whenever stored “at rest” the data should also be encrypted in case hardware is lost or stolen. Furthermore, being able to create point-in-time snapshots of datasets can ensure that even accidental changes do not cause destruction of important data.

Cloud storage best practices

Access control mechanisms exist in most IT systems, and storage is no different. On-premise cloud storage solutions like Ceph, and public cloud storage systems like S3, can integrate with organisation-wide authorisation systems like LDAP. This allows an organisation to centrally control access to storage resources and easily add or remove permissions when needed.

When using storage resources over external network connections, it is imperative to ensure that those communications are secure and that there is no possibility of a third party being able to intercept any information that has been transmitted. That goes for internal communications too: it is possible that a malicious actor could gain access to an internal network that previously may have been considered secure, so ensuring internal communication is always encrypted is paramount. Cloud storage systems are able to enforce the use of encrypted communications and reject insecure connections.
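One way to make the "reject insecure connections" requirement concrete is an S3-style bucket policy that denies any request not arriving over TLS, paired with a check that an auditor can run over a set of policy documents. The following is an added example, not code from the original post or from Canonical; the bucket names, account id and role name are constructed placeholders. `aws:SecureTransport` is the real S3 condition key that evaluates to `false` for plain-HTTP requests, and Ceph's RADOS Gateway accepts S3-style bucket policies as well.

```python
import json

# Constructed example policy (placeholder bucket name): deny every S3 action
# for requests that did not arrive over TLS.
TLS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-evidence-bucket",
                "arn:aws:s3:::example-evidence-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        }
    ],
}

# Constructed example of a policy that only grants access and never rejects
# plaintext connections (placeholder account id and role).
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-evidence-bucket/*",
        }
    ],
}


def _as_list(value):
    """Policy fields such as Statement, Action and condition values may be a
    single item or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_insecure_transport(policy: dict) -> bool:
    """Return True if the policy has a Deny statement covering all S3 actions
    whose condition matches plaintext requests (aws:SecureTransport == false)."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if flag is None:
            continue
        if "false" not in [str(v).lower() for v in _as_list(flag)]:
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "s3:*" in actions or "*" in actions:
            return True
    return False


def audit_policies(policies: dict) -> dict:
    """Map each bucket name to whether its policy rejects plaintext transport."""
    return {name: denies_insecure_transport(p) for name, p in policies.items()}


if __name__ == "__main__":
    report = audit_policies({"evidence": TLS_ONLY_POLICY, "reports": PERMISSIVE_POLICY})
    print(json.dumps(report, indent=2))
```

The checker deliberately requires a Deny on all S3 actions: a TLS condition attached only to a narrow Allow still leaves other operations reachable over plaintext, which is exactly the gap an audit of a large estate of buckets is meant to surface.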


Sometimes it is necessary to prove that a dataset has not changed since it was stored; for example, digital evidence used in a criminal trial will need to be accompanied by guarantees that there has been no tampering. Cloud storage systems address this with snapshots of either a block volume or a filesystem. Another solution they offer is versioning of objects, so that the original data can always be recalled. This kind of solution can also be useful as a defence mechanism against ransomware attacks, allowing an organisation to roll back to a known good state.
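The two properties described here, proving that stored data is unchanged and being able to recall an earlier version, can be modelled together: record a content hash when an object is ingested, keep every write as a new immutable version, and treat a rollback as another write rather than as rewriting history. The following is an added illustration of that model, not code from the original post or from any storage product; the evidence text and the overwrite are constructed sample input.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    number: int
    digest: str      # SHA-256 of the content, recorded when the version was written
    content: bytes


class VersionedObject:
    """Minimal versioned object: each put() appends an immutable version and
    earlier versions remain retrievable, as an object store with versioning
    enabled would keep them."""

    def __init__(self) -> None:
        self._versions: list[Version] = []

    @staticmethod
    def digest(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def put(self, content: bytes) -> Version:
        v = Version(len(self._versions) + 1, self.digest(content), content)
        self._versions.append(v)
        return v

    def latest(self) -> Version:
        return self._versions[-1]

    def get(self, number: int) -> Version:
        return self._versions[number - 1]

    def verify(self, number: int, expected_digest: str) -> bool:
        """Recompute the hash of a stored version and compare it with the digest
        recorded at ingest time (for example on an evidence receipt)."""
        return self.digest(self.get(number).content) == expected_digest

    def rollback(self, number: int) -> Version:
        """Restore an earlier version by writing its content again as the newest
        version, so the rollback itself is part of the history."""
        return self.put(self.get(number).content)


def evidence_scenario() -> dict:
    """Constructed walkthrough: ingest, an unwanted overwrite, detection, rollback."""
    obj = VersionedObject()
    original = obj.put(b"case-1234 interview transcript, page 1")
    receipt = original.digest          # digest handed out at ingest time
    # A later overwrite; an accidental edit or a ransomware encryption pass look
    # the same from the store's point of view.
    obj.put(b"ENCRYPTED BY RANSOMWARE")
    tampered_matches = obj.verify(obj.latest().number, receipt)
    restored = obj.rollback(original.number)
    return {
        "versions_after_rollback": restored.number,
        "tampered_latest_matches_receipt": tampered_matches,
        "restored_matches_receipt": obj.verify(restored.number, receipt),
        "original_still_available": obj.get(1).content == original.content,
    }


if __name__ == "__main__":
    for key, value in evidence_scenario().items():
        print(f"{key}: {value}")
```

Keeping the digest outside the store (with the chain-of-custody record) is what makes the check meaningful: a digest that lives only next to the object can be rewritten along with it.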

Once data has reached a storage system, there is another aspect to consider: what happens if the hardware used in that system is lost, recycled or stolen? Imagine a disk fails and needs to be sent back for warranty purposes – what if the data stored on it could be read? Could that lead to a breach of data security? Most modern storage systems allow for data to be encrypted before it is written to disk, so that data cannot be read by unauthorised parties.

Learn more

Both on-premise storage solutions (like Ceph) and public clouds have features that reduce the chances of unauthorised access or changes to the sensitive data stored in them. 

But which option is right for your organisation? Our recent whitepaper shows that there are significant savings by using an on-premise or cloud-adjacent approach that still provides the same high availability and performance that can be found in a public cloud. Find out more below:
