Cost and ease of use are two of the biggest benefits of the cloud, but the cloud poses certain security risks. A recent ESG survey of 211 security professionals found that most security concerns surrounding cloud computing involved lack of control of what goes on once data is in the cloud.
But the march toward the cloud continues, because of its many benefits to small and medium-sized business without the resources for on-site data centers.
If you’re shifting business processes to the cloud, you need to be satisfied that your cloud provider is trustworthy and competent, and that your data will be secure. Here are 5 of the biggest security concerns with cloud computing.
Always make sure keyholes are too small for the unaided eye to see through.
1. Data Breaches
2. Data Loss
3. The Provider’s Disaster Recovery Plan
4. Who Has Access to the Data?
5. Regulation Compliance
This is basically everyone’s worst nightmare. You may be worried about confidential company information falling into the hands of a competitor, or customer financial or personal data being accessed by hackers. The cloud introduces new attack methods, some of which we might not know exist yet. Clouds concentrate corporate data and applications, and a breach could be costly and damaging to reputation. Moreover, cloud providers routinely ensure data redundancy to prevent loss should a server die, but then again, the more copies of data, the more exposure to breaches.
While data breaches are often the result of malicious intent, data loss could be accidental. If a drive crashes without a backup existing, critical files could disappear. Or you could lose your encryption key that unlocks your valuable encrypted data. In 2011, some AWS customers lost data due to a “re-mirroring storm” that resulted from human error. The main reason data loss wasn’t more extensive was because it was Easter weekend, and corporate traffic was low. Nonetheless, so many EBS volumes were repeatedly groping for disk space on which to replicate themselves that disk operations were seriously throttled. And while accidents or non-malicious human error are bad enough, data loss can also result from intentional acts.
Swimming facilities at the office are nice, but not when they’re co-located with your server room.
Maybe you don’t know the exact physical location of the servers where your data resides, but it physically exists somewhere, and no location is safe from disaster. Before moving data to the cloud, it’s critical that you understand your provider’s disaster recovery and business continuity plan. What guarantee do they offer of continued services? How frequently is data backed up? If a server crashes and they can only sync it back to a week ago, what effect would that have on your data? Their disaster recovery plan is a part of your disaster recovery plan.
A maliciously inclined insider at your provider’s company could be a threat, and with a cloud services organization, they could do a lot of damage quickly. It’s smart to keep your encryption keys on your own premises rather than your provider’s. Depending solely on your cloud services provider for security is a big risk for a lot of reasons, including the reason of a disgruntled employee intent on causing trouble.
Looking at it from another angle, suppose you lose access to your own data because of a denial of service attack. Attackers have come up with increasingly sophisticated ways of carrying out denial of service attacks that make it harder to distinguish legitimate incoming traffic from illegitimate traffic. Ask your cloud provider what steps they take for mitigation of denial of service attacks. If service is impaired but not shut down, you could be billed for the resources consumed during such an attack.
If you operate in the United States, Canada, or the European Union, you have to abide by a number of regulations. Therefore you have to ensure that your cloud provider meets these same regulations and has undergone accreditation or certification. Also, if your organization is subject to PCI DSS, Sarbanes-Oxley, HIPAA, or other regulations, you have to ensure that cloud provider is compliant with these regulations as well. If they’re not in compliance, there’s a good chance you’re not in compliance either.
Data security in the cloud requires diligence on your part. You have to ensure that you and your cloud providers are on the same page regarding breach protection, data loss, disaster recovery, and regulations.
About Greg Ghia
Read more articles by Greg