Is the Cloud Safe? Addressing the Biggest Cloud Security Issues for SMBs
This article originally appeared in Volume 2, Issue 1 of <theScript> Quarterly digital magazine.
Cybersecurity is a hot topic these days. Recent reports of cyberattacks on targets ranging from leading Domain Name System (DNS) companies to a main search engine/email provider and even the transit system of a major American city have generated a national conversation around how to be safe online in our digitally interconnected world. It seems we see headlines about a new catastrophic breach each week.
But which of these attacks involved the cloud? Is the cloud secure? And how safe is cloud storage? Although the cloud has been commonly used for some time now, the debate on its security continues. There’s even lingering confusion about exactly what and where the cloud is, and about whether some companies, especially Small and Medium Businesses (SMBs), are using any business applications in the cloud.
The cloud is sometimes used as a synonym for the internet, but that isn’t quite accurate. Let’s define the cloud and explore the legitimacy of these cloud security issues.
Anatomy of the cloud
“THERE IS NO CLOUD. It’s just someone else’s server.” This bold statement was posted on social media a while back. The writer was mostly correct.
The cloud is actually a network of servers. They can be located anywhere in the world and are accessed through the internet. Also known as distributed computing, the cloud provides a way to create and store documents and files somewhere other than the device on which you work. Those files can then be accessed from any device that has an internet connection. The cloud also allows you to run workloads or applications off premises, as needed.
The concept of cloud computing originated as early as the 1960s when J.C.R. Licklider developed the Advanced Research Projects Agency Network (ARPANET) — which eventually became the internet. His vision included an “intergalactic computer network” in which multiple connected computers would support users who could access programs and data from anywhere. This was revolutionary thinking in a time when operating a computer still required manual assistance from trained professionals.
Today, if you use Google Docs, for instance, you actually have lots of servers writing and backing up your content. If a server goes down in one part of the world, you don’t notice because others are intentionally geographically separated with another copy of your work. This process is called replication. So if you’re using a cloud application, the chances of losing a day’s — or even an hour’s — work are pretty slim.
The frustration of losing projects to a computer crash — which happened because we worked and saved everything on the hard drive in front of us — is a thing of the past with the cloud. Reliability is just one of its many benefits.
The cloud holds an even better proposition for businesses, especially SMBs, in that they no longer have to buy, manage and maintain an entire infrastructure. Companies can access all of the resources they need at a fraction of the cost of buying them by basically renting space on other companies’ servers — that is, in the cloud.
Programs such as Adobe Creative Suite and other software are now available on a subscription basis, usually for an affordable monthly fee. This model, typically referred to as Software as a Service (SaaS), allows customers to go online and either download the package or simply log in to a web-based portal to access the program and get to work immediately.
Businesses can also add managed services — again, for a subscription. Companies can acquire a combination of storage, backup, networking, operating systems and other components they need on a platform called Infrastructure as a Service (IaaS), which is managed by a cloud service provider. Managed services can be layered on top of IaaS, just as they would be with an on-premise solution. And they can greatly simplify operations and maintenance for a company that doesn’t want to manage its infrastructure or own it.
Can someone else’s server really be secure?
There’s more focus than ever on keeping cloud systems secure. Today, most technology leaders say the cloud offers a higher level of security than the majority of companies can provide for themselves in an on-premise data center.
Figure 1 shows that 64% of those surveyed believe the cloud is somewhat or much more secure than legacy systems, while 25% believe it offers about the same level of security as legacy systems.
Professional cloud vendors know they can only survive if they’re downright paranoid about security. Their entire business is dependent on being trusted with their clients’ vital data. Since most cloud vendors have greater data center resources than even some large enterprises, they place a premium on security. They invest heavily in the very latest security measures — something that is often unrealistic for small and medium businesses.
Additionally, those security updates and patches are typically provided automatically to customers using their services, which adds the bonus of releasing SMBs from the burden of keeping up with a rapidly escalating threat landscape. Yet, many are still skeptical as to whether the cloud is trustworthy.
Cloud security has come so far that some industry leaders now question if these concerns have been blown out of proportion. As Raj Samani, vice president and chief technology officer for Intel Security in Europe, the Middle East and Africa, explains in his blog post, IDC surveys during the last six years found cloud security to be a top concern for IT professionals. But in a 2016 Intel Security-sponsored survey, the biggest issue reported was related to data migration — not security-related at all.
This disconnect between the concerns and their legitimacy may be more of an issue about trust and transparency than security. Cloud vendors are reluctant to disclose where their servers physically reside, primarily for security reasons. And while these companies should hold certifications, it’s very difficult as an end user to put your trust in a cloud vendor without knowing where your data resides and every detail of security. In addition, no widely used standards system is currently in place that will allow customers a view into the precautions each cloud vendor exercises, or how to evaluate which vendor can best provide security solutions for a particular business.
You’re not off the hook on cloud security efforts.
The reality is maintaining cloud security must be a shared responsibility between the business and the cloud provider. Let’s look at three ways businesses can improve control and reduce risks in the cloud.
- End-user education — There are plenty of factors in your purview your cloud vendor has no influence over, such as your employees. Developing security policies and helping end users understand how to be secure online can go a long way toward gaining their trust. Education should include communicating the latest threat activity you’re aware of and periodically reviewing best practices regarding phishing schemes and other social engineering cybercrime. In addition, it’s important to make sure your IT policies are easy to understand and implement.
Don’t assume a level of knowledge or sophistication on the part of your end users who don’t work in tech areas. People often treat tech tools at work the same way they treat them at home. They may be used to keeping a list of usernames and passwords in their shared Dropbox account or distributing passwords to vendors or others they personally trust — and be completely unaware of the risk involved. You can help prevent this by creating easy-to-access, intuitive guidelines for reference, along with providing regular security screenings.
- Responsiveness — Perhaps most importantly, be sure IT is viewed by your team as a partner and not an unnecessary backlog where tech requests go to die. If the latter is the case, team members are likely to take matters into their own hands.
- Governance — You can and should govern who has access to what. “Shadow IT” develops when employees build onto the solutions stack or step outside user protocol without the knowledge of the IT department. It’s a real concern for all businesses. According to a March 2016 survey by NTT Communications Corp., 77% of decision-makers use a third-party cloud application without the knowledge of their IT department.
Truthfully, your users are likely your weakest link — but don’t be too hard on them. Employees just want to get their work done efficiently. When the business goals are aggressive and time is short, most people tend to use the path of least resistance to complete a task. If your IT department is viewed as “the land of No,” employees will simply bypass it and use the tools they’re familiar with and can access easily.
The best way to combat this is to tap into the needs of end users by having IT collaborate with the different departments in your business. It’s critical to understand what cloud-based tools are being used throughout your organization, and for what purposes.
If you don’t already have a data classification scheme in place, you can create a risk scoring plan by having IT and your other departments decide together what data should never be in the cloud, what can always be in the cloud and any needed midlevel boundaries. For example, a scheme might mandate documents can only be in the cloud if they don’t contain personal customer information.
It’s important to be prepared for both internal and external threats. When an employee leaves the job for any reason, preventing continued access to email and shared services is critical. Former employees may not pose an intentional threat, but they could unknowingly pass on private information or even decide to deliberately expose vital data or intellectual property. More concerning is if an employee is a victim of a cyberattack or has malicious intent.
A good way to alleviate these risks is by instituting policies that determine and limit access. For example, if an inside sales teammate answers product-related calls from customers, he or she likely doesn’t need access to all of the company’s top clients or vendor accounts. Understanding what each job role needs in order to function well helps balance the required access with limited exposure of sensitive data.
In short, you’re more in control of cloud security than some would have you think. With proper policies and employee education in place, your organization can take advantage of agile solutions with confidence.
Looking ahead, the security market will be challenged by more frequent and sophisticated attacks around the Internet of Things (IoT) and cloud computing. Having a comprehensive security strategy will help you understand the next steps your business needs to take to reduce risks and continue reaping the benefits of using the cloud. Research firm Gartner outlines some of the upcoming challenges and offers recommendations in its new report, Predicts 2017: Security Solutions, which is available as a complimentary download from Insight.