Risks And Recommendations For Storing Data In The Cloud
September 30, 2016
The cloud, defined
The term “cloud” means many things to many people. To most, it means data and programs that are stored remotely but accessed locally; the technical definition most businesses use, however, is:
A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.[1]
The convenience of cloud storage also brings a host of security risks.
Choose your cloud provider carefully and analyze all security risks before storing any data on the cloud.
The defining characteristic of the cloud is that applications, platform, and/or infrastructure are provided as a service and the data associated with these services is most often stored with the cloud provider, not at the customer’s premises.
This raises any number of legal, data security and application availability concerns that must be addressed by the business in conjunction with the cloud provider before a contract is executed. Ultimately, it is up to the business to understand what the cloud provider can and will do to protect its data and information, and to ensure that any applications or infrastructure are available when the customer needs them.
4 key security considerations
The key security objective of any cloud provider must be to ensure the confidentiality, integrity, and availability of information resources and applications. In practical terms, this means the cloud provider must have physical and virtual protections in place so that information and data are protected from unauthorized access, use, disclosure, disruption, modification or destruction.
Some of the most fundamental cloud security concerns:
Although many experts consider it just as secure as (or more secure than) most business-owned data centers, a cloud technology environment is nonetheless extremely complex, resulting in a large “attack surface.” Cloud services themselves may also rely on services from other third-party providers, so it is important to understand how the cloud service you will be buying is actually put together.
Shared or “Multi-tenant” Environments
Public cloud services in particular rely on multi-tenancy, where numerous clients’ data and applications run on the same infrastructure. This means an attacker could pose as an ordinary customer in order to attack other tenants from inside the shared cloud environment.
Services are web-based
Although cloud services generally use encrypted connections such as virtual private networks (VPNs) to connect clients to their data and applications, they are still generally delivered over the public internet, potentially exposing your data and applications to cybercriminals and causing availability problems due to network issues beyond the cloud provider’s control. This also makes them susceptible to denial-of-service attacks.
Loss of control/accountability
Security and privacy concerns in cloud technology are amplified by the loss of control of applications and data and, therefore, the potential for mismanagement of those assets. This means the business is wholly dependent on the cloud provider to carry out activities that span the responsibilities of both parties, such as continuous monitoring, incident response and compliance with data protection laws and regulations that govern data privacy.
Because of the potential for data loss and application downtime that could materially affect a business’s operations, profits and reputation, information security clauses must be included in cloud-computing contracts. Businesses also need to pay particular attention to rights and obligations relating to notification of data security and data privacy breaches, data storage locations, data transfers, creation of derivative works, change of ownership or control, and access to data by law enforcement entities, especially if they work in highly regulated industries like healthcare.
The importance of due diligence
Because of the many inherent security issues, the onus is on your business to follow a thorough due-diligence process prior to engaging with a cloud provider. This includes:
- Confirming the cloud provider has a history of sound work practices and ethical behavior
- Identifying potential risks or circumstances associated with the cloud provider that may impact your business’s operations
- Identifying elements of the service that need to be clarified, and that need to be included in contracts or service agreements
Due diligence is more than just reviewing the cloud provider’s marketing material or relying on its claims of secure operations. Before entering into any such engagement, the business must be sufficiently assured that the cloud provider can meet its security and operational needs.