When people think of cloud computing they can’t help but think of Apple’s online storage and sharing platform, iCloud, and how a slew of recent “hacks” on celebrities’ accounts shared private photos with the world. The infiltration was later disputed by Apple as being an end-user password issue, rather than a problem with Apple’s infrastructure. Nevertheless, the question still remains, “How secure is the Cloud?”
As we mentioned in last week’s blog article, The Cloud – Part 1, “the Cloud” is essentially a marketing term that has been applied to existing technology. This existing technology brings with it existing security issues. You are entrusting a third-party company with information about your business and, most likely, your customers.
When evaluating potential providers of cloud-based services, here is a list of some of the main security concerns you should keep in mind:
Someone external to your company, a hacker, can attack the server where your company’s data is stored. Cloud computing generally spreads your data over a number of servers, hence increasing the number of servers available for an attack.
This is an existing hardware issue. Your laptop, or a company’s server, could fail at any time and so too could a Cloud provider. Backup technology has improved to drastically reduce risks but mass failures still do happen on a regular basis. There is very little you can do about it, apart from doing research on how your data is managed by Cloud vendors, and making sure you and the provider have good backup systems in place.
This is a new problem, introduced with Cloud services; it is essentially phishing. You log into a “Cloud” and you have your own little virtual section of the processor to use for your purposes. You would normally need to log in through a webpage or a portal, and this opens up your Cloud account to phishing. A cyber-criminal could create a fake webpage and skim your credentials. If credentials are stolen, the wrong party has access to an individual’s accounts and systems. If a Cloud service is hijacked, it allows an intruder into critical areas of deployed services, and gives them the ability to compromise the confidentiality, integrity, and availability of those services.
Note: Implementing strong two-factor authentication techniques, where possible, and not sharing login details with anyone, including trusted business colleagues, are a few ways you can protect your account.
Denial of Service (DoS)
This type of attack has been around for a while, and is still a threat today. Hackers will flood a particular server with so much information that it gets confused and locked down.
For Cloud webpage hosts, experiencing a denial-of-service attack can be likened to being stuck in a rush-hour traffic jam: there’s no way to get to your destination. All you can do is sit and wait. When a denial-of-service attack hits a customer’s webpage in the cloud, it may successfully shut down access to the webpage, but the server would continue to try to process all the requests. This could have an added side effect by which you will be billed by your cloud service for all the resources consumed during the attack. The elastic effect was explained in The Cloud – Part 1 article.
Ask your cloud provider what security measures they have in place to protect themselves and their customers from denial-of-service attacks.
Disgruntled employees or someone who has obtained your username and password are a huge problem for businesses. This is not a new issue, but it is a very real problem. Look at the damage caused by Edward Snowden. It could also just be a careless employee, who doesn’t understand the dangers of phishing or malware and therefore puts the company at risk. Internet Security Training is vital.
One way to protect data is for a company to keep their encryption keys on their own premises, not in the cloud. Systems that solely depend on their Cloud Service Provider for security are at greater risk.
Abuse of Cloud Services
As with any new technology, the large-scale, elastic services of cloud computing can benefit both end-users and hackers alike. Where it might previously have taken a hacker years to crack an encryption code using his own small-scale hardware, by using numerous cloud servers, he could now break the code in minutes. Hackers might also use cloud servers to deliver malware, launch DDoS attacks or disseminate pirated software.
Accountability for how cloud services are used rests with the service providers, but how are they going to identify inappropriate use? Do they have comprehensive definitions as to what is classified as abuse? How will they protect against it in the future? The answers to these questions are unclear. Cloud customers will need to assess the behaviour of their service providers to see how well they respond.
Stay tuned next week for the final instalment of this topic, detailing a few more of the security concerns you should mitigate against when using Cloud Services.