Cloud security: fact or fiction?
Data is moving to the clouds at high speeds across all kinds of organizations. But is the data safer than it was when these organizations kept it locked away on their own premises?
Unfortunately, cloud security is a complex — and much-discussed — subject that elicits many divergent views. The complexity arises partly because there are different types of cloud, which can carry different risks. The main ones are:
- software-as-a-service (SaaS): This includes Salesforce and NetSuite, as well as consumer services such as Facebook
- infrastructure-as-a-service (IaaS): Microsoft Azure and Amazon Web Services
- platform-as-a-service (PaaS): Google App Engine and IBM Bluemix.
Just to complicate matters even further, each of these cloud types can be hosted in a private, public or hybrid environment.
Concerns about cloud security are not new. Long before cloud computing became popular, payroll services such as ADP offered an equivalent system to their customers. It’s just that cloud computing has now become mainstream and we read about shocking data breaches. It turns out that most of these breaches did not occur in the clouds. A quiz in Law Technology Today listed a number of attacks and asked which of them breached cloud systems and which successfully accessed on-premises systems.
- NSA Snowden leaks
- JP Morgan Chase breach
- Home Depot breach
- Jennifer Lawrence iCloud photos
- Target breach
- North Korean SONY attacks
As it turns out, the only attack on that list to hit a cloud system was the Apple iCloud hacking of Jennifer Lawrence’s pictures. And as the Law Technology article points out, “the intruders gained entry through poor user password usage, not through fancy cyber hacking or security issues with iCloud itself. The other attacks were breaches of on-premise corporate systems guarded by IT departments.”
But this doesn’t mean the cloud is fail-safe. It carries its own risks.
- Unlocked data: In the past, an internal IT department (to the extent it was competent) locked down the company’s data. But now it’s easy for employees or departments to move confidential company data to the clouds via platforms such as Dropbox, Google Drive and Microsoft OneDrive. Control over access is now in the hands of employees, who could intentionally or unintentionally expose the data to unauthorized access. For example, confidential data should be encrypted but employees could store it in an unencrypted format.
- Failure to follow processes: Some service providers claim to offer cloud security but don’t provide full control, such as intruder detection. Also, if you look at the fine print in the provider’s contract, the customer is still responsible for certain areas – and might not be following the proper procedure. As a recent article by Gartner pointed out, “Through 2020, 95% of cloud security failures will be the customer’s fault.” This is no different than when the data resided on the company’s premises. But the risk is greater when the data is in the cloud because the company is more reliant on the service provider.
Companies were reluctant to put their confidential data, their crown jewels, in the clouds. But over the past few years as cloud computing has become mainstream, they have relaxed somewhat. Still, most small to medium-sized companies realize that they don’t have the expertise to manage their own data security, and that their provider will do a much better job. This is most likely true: cloud providers have had to step up their investment in cloud security because their reputation, and ultimately their business, depends on it.