Companies that struggle to maintain their IT infrastructure often look to cloud computing to provide a significant cost savings. However, you must look into the clouds and understand what risks are swirling around when it comes to storing your data.
In a recent survey by CIO Research, respondents rated their greatest concerns about cloud adoption. Security was their top concern, with loss of control over data number two:
- Security 45%
- Loss of control over data 26%
- Integrations with existing systems 26%
- Availability concerns 25%
- Performance issues 24%
- IT governance issues 19%
- Regulatory/compliance concerns 19%
- Dissatisfaction with vendor 12%
- Ability to bring systems back in 11%
- Lack of customization opportunities 11%
- Measuring ROI 11%
- Not sure 7%
Is there security in the cloud?
Security is often an afterthought for cloud service providers. It isn’t built into their applications and is often added as a plug-in. What’s more, if a cloud storage system crashes, millions and millions pieces of information can be lost, often in spite of backup procedures. In contrast, when we are in the thick client world, the information that is lost can be more easily tracked by the number of PCs or notebooks affected or stolen.
How different should security be in the cloud world?
Business technologies may change, but security fundamentals and lessons learned are still applicable. Some areas to consider for the cloud:
Physical security is a must for any strong security program. The data centre should have a high level of physical security. If sensitive data is being stored, consider deploying biometrics, surveillance camera monitored by professionals, and very stringent policies for physical access to the system.
Authentication is crucial, whether cloud or corporate individual network authentication will remain the same. Given the processing power of the cloud, you may choose to implement two-factor authentication, one-time passwords or other authentication tools. In spite of a highly secured processing environment, a weak password has the potential to ruin other safeguards. Maintaining password standards is a must.
Access rights are critical for all the objects inside the cloud. This part of the security will not change in the user’s point of view. There are some levels of changes required to manage multiple corporate accesses inside the single cloud service provider’s organization.
Strong firewalls are another integral part of today’s security. Even in the cloud, the same rule applies: cloud clients should secure their own networks. The only advantage is they have less information to be secured within their network. The cloud service provider should secure their network with firewalls.
Data integrity is one of the key aspects in security. Today for example, it’s hard for every notebook to implement a cryptographic checksum or hash. But in cloud service this could become commonplace.
Security threats in the cloud
Security threats can come in all forms; let’s consider some of them here. In the cloud-based service, the provider decides where your data is stored and how your data is accessed. If your provider offers virtual boxes, a mischievous user can gain control over a virtual box, attack your data and exploit it. Another security threat in cloud computing is the attack on the perimeter of the cloud. This may be a simple ping sweep to DoS. A cloud service provider must ensure the data of each company is properly isolated and partitioned, if not, data leakage can be expected.
Another important factor that has to be addressed in the cloud world is the privileges of the power user. How do we handle the administrators and data access? The administrator’s rights are not part of the customer anymore; it is part of the cloud service provider. There should be clear transparency and access records to prevent any misuse by an administrator.
Implementing security in the cloud environment is different than what we are used to in a traditional environment. However, remembering the fundamentals of information risk management and lessons learned along with an understanding of cloud provider risks, may help you to weather the storms looming in a dark Cloud.
Why should the cloud customer implement security?
Though the cloud promises high security, it’s essential for the cloud customer to implement their own security and maintain standards. An unsecured customer network will attract hackers and is an easy entrance to the cloud.
Data transfer between the cloud service provider and customer should be on a secured connection and the customer should take necessary steps to secure his network from attacks such as the Man in the Middle (MITM).
The applications hosted on the customer network should also be secured. Customers using the cloud to deploy applications should ensure that their software is secured. Unsecured applications can be dangerous for both the cloud service provider and customer.
Cloud security can help a little if there is a vulnerable system unmaintained or not patched.
Virus attacks are not going to change in-spite of moving your data into the cloud.
How can you do business securely over the cloud?
Before you decide to buy a cloud service, go security shopping. We always bargain based on price, but that is not enough here. You need to bargain for security rights, transparency and privacy.
The legal agreement is the first level of security that you will always require, no matter where you do business. A well prepared agreement can provide all the legal benefits over your data in the cloud. Make sure to include the ownership of the following:
- Data
- Data backups
- Log files
Your day-to-day business runs with the help of data. It’s essential that the cloud service provider shows transparency in his data centre location, physical security, containment measures, and time taken to recover in case of any catastrophe.
End-to-end encryption is must in cloud computing to ensure the security of data transfer. The customer should require this capability from the provider.
Authentication and proper access rights must also be secured. Given that you can access the applications in cloud from anywhere, it’s essential to block the entire user account for former employees. This has to be an integral part of the customer’s HR policies.
Patch management is also very important. Though cloud acts like a versionless world, it is essential that the service provider either informs you about the patches required to access his network or provide automatic patch management. If you use third party clients to access the customer application, you should ensure that these clients are up-to-date with security-related patches.
You should also require log analysis reports, user accounts and privileges reports, uptime/downtime reports, and penetration test/vulnerability assessment reports from the service provider on a regular basis. To ensure more transparency, require that these reports be provided by a third party security company. You should also demand real time security alerts from the service provider.
The last level of security that is often exploited is the application security. How secure is the cloud service provider’s application? There is no real way of knowing it. There are third party security companies and tools available to certify application security. This should be done on a routine rather than a one-off basis.
Social engineering is another threat that has to be addressed. It is essential for the cloud service provider and customer to be aware of such threats and educate their employees.
Phishing attack will also target the cloud consumers. Strong phishing filters should be deployed.
You will also want to involve third party security companies as partners to verify the cloud service provider’s security policies and verify his reports.
Summary
Security should be built as an integral part of the cloud. This is a must for the cloud service provider to gain trust from their customers. Gaining customer trust is the key to winning the cloud service game. Security is an ongoing measure to protect and deal with everyday threats. No matter where you do business you should secure yourself with the best practices.
