Cloud computing. Where does the responsibility for security lie?

Posted on : 31-10-2016 | By : michael.wells | In : Uncategorized



It is rare these days for a firm NOT to have a cloud strategy, whether it be software as a service, a platform or infrastructure. Our clients’ views have changed radically over the last few years, from ‘no cloud’ to fully embracing on-demand computing services. One of the main challenges previously was that organisations did not feel their data was secure in the ‘cloud’: it was outside their control, so they felt the likelihood of loss or breach was heightened. Now a comment we often hear is ‘these guys can do security better than us; they are Google, with a security team of thousands!’

Are companies becoming too complacent? Yes. Microsoft does have a great security model: it protects the datacentres, infrastructure and platforms extremely well. But it does not protect your data. This is still your responsibility, and we are identifying a gap between the responsibilities of the cloud provider and those of the client.

One of the biggest cyber security risks facing business today is the loss of data, and cloud services face similar challenges. A cloud environment is subject to the same risks as the traditional corporate network. In fact, cloud providers are more attractive targets for hackers because of the vast volumes of data they hold in a sometimes all too easily accessible environment. Cloud providers do, of course, claim to offer a secure environment and a high level of security for the aspects of the cloud service they take responsibility for. It is the customer’s responsibility to ensure that their data is protected. Businesses often assume that by outsourcing their data to a third-party cloud service provider the security has been covered, but a business should never assume this to be the case. Every business must accept that it is ultimately responsible for its data wherever it is stored.

AWS has been quoted as saying: “We are not the owners or custodians of the data; we just supply the resources. We don’t control how customer data is protected, customers do.”

The bottom line for any enterprise looking to move to a cloud technology model is that it must undertake extensive due diligence to understand the risks it faces by adopting this model, and how engaging a third-party supplier to provide this service will exacerbate the risk. In simple terms, storing data in the cloud is the same as storing your data on someone else’s computer.

So, what are the biggest threats facing cloud service users?

User Error: Cloud applications are excellent for file sharing amongst multiple users. Research shows that 23% of files in cloud apps are broadly shared and 12% of those contain sensitive information. Without adequate security controls in place that track with whom, how and when files and content are shared, users are unable to track where their data is travelling and to whom. This makes it easier for data to be lost by accident, or for hackers to intercept it without being noticed.

Hacker Attacks: Hackers use brute-force attacks and malware to break into cloud application accounts. In the first 6 months of 2016, 37% of abnormal cloud application activity indicated attempts to take over cloud accounts and 63% of abnormal cloud activity indicated attempts to steal data.

There are steps businesses can take to increase the security of their data in the cloud:

  • Encryption and key management – Data should be encrypted when it travels back and forth over the internet and when it is hosted in the cloud provider’s environment.
  • Identity and Access Management – Cloud providers are using innovative multi-factor authentication technology.
  • Monitoring and reporting – What access controls have been set on your cloud environment? Do these breach internal controls? E.g. has someone ‘shared to public’ an Office365 SharePoint directory, so exposing confidential data to the world?
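
The monitoring check in the last bullet, as an added example that is not part of the original post: a Python audit of a sharing inventory against an internal policy that sensitive files may not carry public links or be shared outside the organisation. The CSV layout, column names, domain and classification labels are assumptions made for illustration, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample: a sharing inventory in a hypothetical CSV layout.
# Real exports from a cloud service will use different column names.
SAMPLE_EXPORT = """path,owner,link_scope,shared_with,classification
/finance/q3-forecast.xlsx,alice@example.com,anyone,,confidential
/marketing/brochure.pdf,bob@example.com,anyone,,public
/hr/salaries.xlsx,carol@example.com,specific,dave@partner.example,confidential
/eng/design.docx,erin@example.com,organization,,internal
/legal/contract.docx,frank@example.com,specific,grace@example.com;hal@example.com,confidential
/projects/untitled.xlsx,ivan@example.com,anyone,,
"""

INTERNAL_DOMAIN = "example.com"  # assumed corporate mail domain
PUBLIC_LABELS = {"public"}       # assumed label for freely shareable files


def external_recipients(shared_with):
    """Return recipients whose mail domain is not the internal domain."""
    people = [p.strip().lower() for p in shared_with.split(";") if p.strip()]
    return [p for p in people if p.rsplit("@", 1)[-1] != INTERNAL_DOMAIN]


def audit_shares(export_text):
    """Return (path, owner, reason) for every share that breaks the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        label = row["classification"].strip().lower()
        scope = row["link_scope"].strip().lower()
        if label in PUBLIC_LABELS:
            continue  # only explicitly public files are exempt (fail closed)
        if scope == "anyone":
            findings.append((row["path"], row["owner"], "public link on non-public file"))
            continue
        outsiders = external_recipients(row["shared_with"])
        if outsiders:
            reason = "shared outside organisation: " + ", ".join(outsiders)
            findings.append((row["path"], row["owner"], reason))
    return findings


if __name__ == "__main__":
    for path, owner, reason in audit_shares(SAMPLE_EXPORT):
        print(f"{path} (owner {owner}): {reason}")
```

Files with no classification label are treated as sensitive, so an unlabelled file with a public link is reported rather than silently passed.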

Security firms are waking up to the gap in responsibilities. For example, Palo Alto now utilises tools to analyse your O365 environment for security discrepancies, allowing a higher degree of monitoring and control.

As cloud computing becomes more popular, it will become the target of more malicious attacks. No single environment is safe and every infrastructure must be controlled with set policies in place.