More than half of all IT executives polled in a recent study by BT Security said they are “extremely anxious” about security in the cloud. But 79% of them are adopting cloud storage and web applications anyway. Even more interesting, 69% are using or plan to use consumer cloud services rather than enterprise services, which include more advanced security features. If we are all going to use the cloud, we need to continue to do our best to secure critical data. Here are some frontline cloud computing security issues and best-practice solutions that will help keep the cloud from casting a dark shadow over your data security.
1. Acknowledge Shadow IT
Almost every business division is already unofficially using a cloud service for at least some of their business activities, perhaps without even realizing the cloud security issues raised by Google Drive or Dropbox. In other cases, people simply work around IT prohibitions to gain the service and conveniences that they think they need right now.
Solution: Work with users to establish, or restate, data governance policies so that sensitive and mission critical data stays out of the public cloud. Allow personal deployment and use of the cloud only for sanctioned data types.
2. Downtime and Data Loss
If you’re in the public cloud, you relinquish all control over uptime and access. Business services will provide an SLA, but don’t assume that means anything more than financial compensation for downtime if the cloud takes a dive. Assume that there will be service outages. More troubling from the standpoint of cloud security and business continuity, however, is data loss, either due to malicious hacking, human error, or technical issues.
Solution: Develop a redundancy plan with your enterprise cloud provider to help ensure that critical data is accessible even in the dreaded smoking hole scenario. Keep an off-cloud backup of all critical data, and have the attorneys draft a service contract that expansively details financial compensation for data loss.
Managing something that’s out of your control is an absolute nightmare of cloud computing security. But we all know that we can’t outsource compliance. If your data is exposed, sold, compromised, or otherwise misused when it’s residing on someone else’s servers, the ultimate responsibility – at least from the regulatory compliance viewpoint – is yours.
Solution: Don’t trust; verify. Conduct technical audits, vulnerability scans, and penetration testing. Find out what the vendor’s reporting policy is and how they manage and remediate breaches.
4. Infrastructure as a Service
There is security in diversity. While it’s much easier to manage a uniformly configured ecosystem, homogenized computing environments concentrate risk. Attackers overwhelmingly tend to favor working out exploits that can be leveraged across a large pool of targets. This is not a new problem in the data security world. It’s simply an old problem that has now migrated to the cloud. But maintaining security in the cloud brings new complications into the mix: 71% of IT professionals surveyed in a recent study by Ponemon said that securing data stored on the cloud is more complicated and difficult than implementing the same measures in conventional data centers. Additionally, since you may be sharing tenancy with high-value targets, IaaS can expose you to a higher level of risk simply due to location.
Solution: In any IaaS environment, rights management should be exceptionally well-defined and deployed. Data retention policies should be automated, and robust multifactor authentication and authorization methods must be in place. You should have a process that enables you to test whether virtual machines have drifted from your chosen configuration. Since virtual machines are dynamic, you also need comprehensive logging and reporting to track where your data is currently living and who is accessing it and how, and to support forensic analysis if there is a breach.
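One way to implement the drift test mentioned above is to compare each virtual machine's reported settings against a recorded baseline. This is an added example, not code from the original article; the setting names, VM names and inventory format are assumptions made up for illustration.

```python
# Added example: all setting names and VM records below are constructed.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "packages": {"openssl": "3.0.13"},
    "firewall": {"inbound_ports": [22, 443]},
}

def flatten(cfg, prefix=""):
    """Turn nested settings into {'sshd.PermitRootLogin': 'no', ...}."""
    flat = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            # Lists (e.g. open ports) are compared without regard to order.
            flat[f"{prefix}{key}"] = sorted(value) if isinstance(value, list) else value
    return flat

def drift(baseline, observed):
    """Return findings as (kind, setting, expected, actual), sorted by setting."""
    want, have = flatten(baseline), flatten(observed)
    findings = []
    for path in sorted(want.keys() | have.keys()):
        if path not in have:
            findings.append(("missing", path, want[path], None))
        elif path not in want:
            findings.append(("unexpected", path, None, have[path]))
        elif want[path] != have[path]:
            findings.append(("changed", path, want[path], have[path]))
    return findings

# Constructed inventory: what a collection agent might report per VM.
OBSERVED = {
    "vm-app-01": BASELINE,
    "vm-app-02": {
        "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
        "packages": {"openssl": "3.0.13"},
        "firewall": {"inbound_ports": [443, 22, 8080]},
        "users": {"extra_admin": "tmpops"},
    },
}

def audit(inventory, baseline=BASELINE):
    """Map each drifted VM to its findings; compliant VMs are omitted."""
    results = {name: drift(baseline, cfg) for name, cfg in inventory.items()}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for vm, found in audit(OBSERVED).items():
        print(vm, found)
```

Settings that appear on a machine but not in the baseline are reported as well as changed ones, since an unplanned account or open port is drift even when every baseline value still matches.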
Ownership is another significant cloud security issue on the list. A number of cloud vendors include a clause in their contracts stating that all stored data is theirs, not yours. That means they don’t need to steal it in order to mine it or sell it. This is more of an issue when using consumer cloud services, but many businesses have opted to do just that (or they have employees who end up using the consumer cloud to store, share, and access business data).
Solution: Read your contract carefully, and ask questions about terms that may indicate whether your cloud provider can utilize your data. Don’t be mollified by verbal claims that your data will only be accessed to provide sharing services and suchlike. Get all explanations, restrictions, and other details in writing.
6. Service Hijacking
If a malicious attacker can access your credentials, he or she can access and alter confidential data. Additionally, the attacker can use information about business activities and transactions to impact competitive leads and/or further compromise the company and its customers’ information.
Solution: Block all sharing of account credentials between users and services and use two-factor authentication whenever possible.
The above cloud security issues should be incorporated into a holistic data protection plan. Address them in accordance with the vulnerabilities in your company’s unique risk profile, rather than tackling them piecemeal based on what seems most alarming (or interesting). Overall, the most important moves you can make to secure data in the cloud are centered on setting service provisioning guidelines, developing comprehensive data governance and compliance policies, user education, auditing, and enforcement.