Last but not least, here is the 3rd and final chapter related to the Cloud. Listed below are a few more security concerns you should bear in mind when evaluating potential providers of cloud-based services:
Insufficient Due Diligence
Most businesses are jumping feet first into cloud computing, without really understanding exactly what they are signing up for. Without a clear understanding of the type of environment a service provider is running and what protections they have in place, customers have no idea how their service provider will handle incident responses, encryption of data, and security monitoring. Not having this information means that businesses are agreeing to unknown levels of risk that are a far cry from their current risks.
Expectations between customers and service providers need to be managed. What are the contractual obligations for each party? Who’s liable for what? How much information can a customer expect to receive from the provider when an incident occurs?
Businesses may choose to move their existing applications into the Cloud. If enterprise architects don’t understand the cloud environment, their application designs may not function with proper security when run in a cloud setting.
When you log in to your own Cloud account, you are essentially using your own little section of the cloud server, similar to using “Account Profiles” in Microsoft Windows. You can load your own software and have your own settings in your profile, but you also gain the use of whatever software is accessible to all account profiles (like the Operating System).
For example, the main cloud server may run Windows, but in a virtualised world, you can run whatever operating system you like in your individual profile. This multi-layer software comes at a price though. You accumulate multiple layers of security flaws! Depending on what software you are using in your profile, and what software and plug-ins are running on the main computer processor, you are vulnerable to whatever security flaws each piece of software has.
The cloud is all about shared infrastructure, and an incorrectly configured operating system or application can affect all those using that particular cloud service. Defensive processes should be put in place for the use of compute, storage, networking, applications, and user access. Users should monitor for destructive behaviours.
Secure Data Transfer
There is an Internet connection between your PC and the Cloud, and all data traffic must travel across this connection. If the connection is not secured, there is always potential for someone to intercept the data while it is in transit. Only connect to your cloud provider using an “https” URL. Ensuring your data is encrypted and authenticated using protocols such as Internet Protocol Security (IPSec) will mean that your Internet traffic is protected. Also, many home users forget to set up a secure wireless network. With unsecured wireless, not only can someone living close by use your Internet connection, but hackers have an open door into your network too.
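The "https only" rule above can be enforced in client code rather than left to habit. The following Python sketch is an added example, not part of the original article: the host names are constructed, and the function and class names are illustrative. It rejects non-https endpoints, verifies the server certificate and host name, and refuses a redirect that would downgrade the connection to plain http.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit


class InsecureEndpoint(ValueError):
    """Raised when a URL would send data without TLS protection."""


def check_endpoint(url):
    """Return (host, port) if the URL is safe to send data to, else raise."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise InsecureEndpoint(f"not https: {url!r}")
    if not parts.hostname:
        raise InsecureEndpoint(f"no host in {url!r}")
    if parts.username or parts.password:
        # Credentials embedded in a URL end up in logs and browser history.
        raise InsecureEndpoint("credentials embedded in URL")
    return parts.hostname, parts.port or 443


def strict_tls_context():
    """TLS context that verifies the certificate chain and the host name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class HTTPSOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """urllib follows an https -> http redirect by default; refuse it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        check_endpoint(newurl)  # raises on a downgrade to http
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_cloud_opener():
    """Opener to use as build_cloud_opener().open(url) after check_endpoint(url)."""
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=strict_tls_context()),
        HTTPSOnlyRedirects(),
    )
```

The redirect handler matters because a provider URL that starts as https can still answer with a redirect to an http address, at which point the data would travel unencrypted.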
Secure Software Interface
Users should be aware of Application Programming Interfaces (APIs) used to interact with their cloud service. Weak APIs with numerous security flaws can open up users to issues related to confidentiality, integrity, availability, and accountability if hackers create fake web pages, which look like your Cloud login page, to steal credentials. You should learn how any potential cloud provider integrates security throughout its service, from authentication and access control techniques to activity monitoring policies.
Secure Stored Data
All files stored on cloud servers should be encrypted; otherwise a hacker can simply copy files and open them easily. Ask any cloud providers you are considering how they secure your data, both when it is in transit and when it’s on their servers and being accessed through cloud-based applications. It is also important to find out how the providers securely dispose of your data (by deleting the encryption key, for example).
User Access Control
Any data stored on a cloud server can potentially be accessed by an employee of the cloud provider and you have no control over those personnel. Ask providers about the employees who manage your data and what level of access they have to it. You should also think about the sensitivity of the data you are storing in the Cloud. Be aware that it is a potential security risk if email, for instance, is stored in the Cloud.
In conclusion, all of the security issues covered in our 3-part blog article should definitely be addressed with your cloud provider before you entrust your data to their servers and applications. However, you should not be deterred from using the Cloud. Cloud computing offers small businesses a great many benefits. If you think about it, you have already encountered most of the security challenges detailed above from simply connecting your network to the Internet.