Our data’s going into the cloud; what could possibly go wrong?

Nov. 22, 2019
As it turns out, plenty

A lot of organizations have their heads in the cloud these days. Their attraction to cloud-based technology is understandable.  For one thing, the amenities available on these powerful, remote server farms include on-demand self-service, broad network access, software as a service, and much, much more – essentially, all of the industry’s most sought-after digital formats and tools.  Beyond that, they can be harnessed for business use almost immediately.

Internet-enabled clouds, platforms, and services are available from such well-known technology giants as IBM, Google, Amazon, SAP, and Oracle, as well as from other, less familiar vendors.  All of them provide levels of IT service significantly greater than most old-school, on-premises data centers could ever hope to offer.  For example, users’ capital costs are lower and better matched to actual consumption; no hardware or software installations are required.  And cloud-based IT infrastructure provides customers with rapid access to computing power whenever it’s needed.

Clouded Myths

However, as more businesses explore cloud options for their applications, it’s critical for them to align their specific needs with the appropriate cloud vendor’s service.  That must happen early in their transition because misaligning them, or underestimating the risks associated with transferring data to the cloud, can spell trouble.

Perhaps the most significant misconception is that cloud services are protected 24/7 by armies of security experts, making them virtually bullet-proof.  That vision of an invincible fortress, safeguarding client data against all adversaries, is comforting…but it’s also misguided.

Cloud service use carries its own set of risks: some are unique to the cloud provider’s operating environment, while others are associated with traditional data centers.  Clients who fail to recognize those risks or accept their own responsibility for mitigating them are almost as likely to experience data loss and compromise as they were before migrating into the cloud.  Understanding and managing these shared risks is key to the successful use of a cloud service.  It starts with a recognition that the cloud is not a monolithic concept; clouds vary both in who can use them and what they do.

Cloud Formations

For one thing, there are different computing cloud configurations.  They include private clouds, which are hosted internally and used by a single, typically very large organization; public clouds, which are commercial ventures available to the general public; community clouds that are only accessible to specific groups of users; and hybrid clouds that include elements of two or more such arrangements.  Every cloud platform and service is owned and operated by a different company.  Accordingly, each has its own proprietary policies, prices, and resources.

These companies also offer different types of computing services.  Infrastructure as a Service, or IaaS, controls user access to computing resources – servers, storage, network, and so on – which are owned by the client.  Platform as a Service, or PaaS, controls user access to the operating software and services needed to develop new applications.  The third and most popular cloud product is Software as a Service, or SaaS, which gives users direct access to the client’s software applications.

Dark Clouds

Once client organizations migrate to the cloud, they lose a considerable amount of visibility and control over both their assets and operations.  Monitoring and analysis of information about the company’s applications, services, data, and users never lose importance, but they must take a different form than they did when the client’s own network monitoring and logging procedures were in place.  For example:

  • Transit trouble.  Before a client’s data gets to the cloud, it travels across the internet.  Unless the user’s network and internet channel are secured using strong authentication and data encryption standards, information in transit is susceptible to exposure.
  • Nosy neighbors.  Vulnerabilities in shared servers and system software used by public clouds to keep the data of multiple tenants separate can be exploited, enabling an attacker to access one organization’s data via a separate organization and/or user.
  • Dubious deletions.  Permanently removing sensitive data that a client wants securely deleted is difficult to confirm because of the reduced visibility inherent in cloud operations, which frequently include data distributed over an assortment of storage devices.  Any residual data can become available to attackers.
  • Cloud collapse.  If a cloud service provider goes out of business or fails to meet your business and/or security needs, transferring data from that operator to another can be more costly in terms of time, effort, and money than it was to initially become a subscriber. Additionally, each provider’s non-standard and proprietary tools can complicate data transfer.
  • Confounding complexity.  Cloud operations are complicated by their technology, policies, and implementation methods.  This complexity requires the client’s IT staff to learn new ways of handling their information, because as complexity grows, so does the potential for a data breach.
  • Insidious insiders.  Insider abuse has the potential to inflict great damage on the client’s data due to the cloud’s ability to provide users with more access to more resources.  Depending on your cloud service, the forensic capabilities needed to trace and detect a malicious insider might not be available.
  • Disastrous deletions.  The loss of stored data due to accidental deletion or a physical catastrophe such as a fire or earthquake can be permanent.  A well-thought-out data recovery strategy must be in place, and the client and service provider must work together to establish a secure and effective process.
  • Authenticating access.  Managing user identities – carefully controlling users’ identity attributes and regulating their privileged access – remains as challenging a task in cloud operations as it ever was in on-premises environments. Due to the nature of cloud services, the challenge in some cases can be much greater than in on-premises environments.
  • Identity inspection.  Providing appropriate levels of secure access for different user roles, such as employees, contractors, and partners, is critical to protecting your cloud environment, making identity governance a high priority when migrating to the cloud.

Cloud computing provides a variety of valuable assets to clients.  But while childlike faith that cloud platforms and services are immune from malicious attacks might be touching, it’s simply not realistic.  Vigilance is as important as it was before migrating to the cloud, if not more so.

About the Author:

Arun Kothanath is the Chief Security Strategist at Clango, an independent cybersecurity advisory firm and provider of identity and access management solutions.