Just how safe is cloud security?

Many organisations not only feel more secure about migrating all of their sensitive data into cloud-based services: some, in fact, believe it’s the safest place. By James Hayes.

Enterprise cloud computing has been closely linked to information security – inextricably, some might argue – since the third-party shared computing concept emerged in the mid-2000s. Given the scale of operational IT change that the cloud model represents, that’s hardly surprising. The fact that the cloud services industry was for years made up of new, untested would-be service providers was an additional inhibitor, and it’s arguable that only since ‘big name’ brands like Microsoft (Azure) and Amazon (Drive) entered the fray have big-name organisations brought forward their cloud adoption plans.

Caution among IT chiefs has been understandable, and sometimes inevitable. Before cloud blew in, most sizable organisations held their critical data on self-owned storage resources, using on-premises systems, or those located within private or independent data centres. The notion of paying an external third-party cloud hosting company to store even non-critical enterprise data on their storage systems/data centres was deemed by many organisations as unacceptably risky.

How could they know that a cloud service provider could be trusted not to look at, copy, delete or disappear completely with valuable data? Moreover, even when they were persuaded a cloud partner could be trusted not to do any of these things, how could they be sure that their defensive IT security was as strong as self-managed security? These and other questions dogged cloud acceptance for many years.

Another inhibitor that took some time to overcome was resistance on the part of senior managers to having critical datasets trafficked around between virtualised storage volumes that might exist in physical locations hundreds of miles – or even countries – apart.

“Most CEOs have the idea that data is suddenly less secure in the cloud,” Pete Langas, Director/Sales & Business Development at cloud services provider Nerdio, has blogged. “After all, if a file is constantly being uploaded and downloaded to and from a remote server, it’s now vulnerable in three places instead of one: on the server, on the host computer, and in transit.

Right? Wrong… The major way that cloud providers keep your data safe is through encryption, which includes both ‘at rest’ (meaning once the file has been downloaded) and ‘in transit’ (meaning while the file is being accessed) encryption. This means that even if a file were intercepted by a rogue user during a download, they wouldn’t be able to access the critical data contained inside.”

Cloud is the securer option: true or not?

Cyber-resilience also became a yardstick by which to measure the ‘maturity’ of the cloud services industry. ‘Maturity’ is a somewhat catch-all term covering issues that range from scalability and stability to tech support and price model flexibility. Cloud services providers soon understood that offering a compelling cost-model alternative to client-owned IT counts for naught if they cannot demonstrate that the services they offer are as cyber-secure as it gets.

Cloud cyber security has acquired another resonance. The growth of cloud adoption, set against wider changes in executive governance, means that board and c-suite-level officers have moved closer to the cloud decision-making process.

Just as importantly, to ensure that cloud adoption plans align with necessary organisational governance models and regulatory compliances, and also align seamlessly with core line-of-business and other critical applications, leaders want to access as much knowledge and insight on this topic as they can find. Increasingly, their information requirement has been met by freely-available guidance published into the public domain each quarter, selected examples of which are drawn on here.

Ixia’s latest Cloud Security Report states that 2018 was ‘the year many IT organisations shifted their focus from cloud migration to cloud operations’. Many of those organisations expected cloud infrastructure would bring improved security, and had fair reasons for doing so. The cloud industry generally has always pleaded the case that cloud offers as good as, if not superior, security because the client data it holds is customarily encrypted for storage (not that encryption blocks actual access breaches).

Some analysis would support this, and go so far as to suggest that concerns about cloud security have actually turned the other way, with improved security being a factor that drives some organisations to opt for cloud. According to Gemalto’s Global Cloud Data Security Study 2018, for instance, more companies now move to cloud providers in the belief that they will actually improve their information security. While, for the Gemalto sample, cost and faster deployment time are the most important criteria for selecting a cloud provider, security as a winning factor increased from 12% of respondents in 2015 to 26% by 2017. It’s about more than keeping static data assets safe.

Line-of-business application hosting

The secure hosting of line-of-business applications is another emergent trend that complicates cyber security strategy. This is because it creates an extra vector of attack for cyber threats. The trouble is that not all enterprise applications are hosted by secure providers using secure cloud environments.

In many instances, ‘enterprise applications’ include those made available to workforces by ‘unofficial’ third-party providers – usually in the form of smartphone apps – where employees are using apps to support their core line-of-business tasks, and in doing so provide opportunities for hackers to circumvent standard enterprise cyber security safeguards.

AT&T’s latest CEO’s Guide to Cloud Data Security reveals that recent analysis of global cloud usage data found that the average organisation uses 1,427 cloud services – each represented by an app on at least one employee’s phone. Cloud services account for 71% of services used by the average organisation, the Guide reports (‘consumer’ services account for the remaining 29% of business use).

The type and value of data that’s being stored and accessed via cloud services is changing apace. According to the 2018 Guide To Managing Cloud Security white paper from the SANS Institute (sponsored by Tenable), businesses and other organisations are now storing more sensitive customer-related data – personally identifiable information (PII) and healthcare records – in cloud environments. The 2017 SANS Cloud Security survey found that 40% of respondents said they were storing customer PII in the cloud (compared to 35% in 2016) and 21% stored healthcare records in the cloud (up from 19% in 2016).

With customer PII, this need is being encouraged by the fact that multiple parts of an organisation want to access the same data records for different purposes – e.g., CRM, marketing, new business development, data analytics. The cloud model is suited to this requirement, as scalability and flexibility can be added on demand. This enables a wider range of business functions to access the same data sets without the need for duplication; and so the margin for error that duplication creates is reduced. Alas, this also means that cyber threats target cloud services to get at that highly-desirable commercial data, which means that cloud is subjected to more intensive attack levels.

Scalability is a cyber security attribute

There’s some evidence that if cyber security does not scale in line with greater cloud operations, it opens fresh tears in the cloud attack surface. Ixia’s Cloud Security Report notes that its research (and that of third parties) suggests ‘a darker truth’ hides behind the ‘silver lining’ of the cloud: data breaches are up nearly 45% year-over-year, and one survey found that nearly 75% of companies studied had ‘one or more’ serious security misconfigurations.

Ixia concludes that ‘the evolution of cloud security practices trails behind the mainstream adoption of cloud operations’. This scenario illustrates for senior executives the unseen risks of launching new business initiatives without also reviewing the likely commensurate cyber security implications for their businesses.

The need to ‘retool with a focus on people’ is evidenced by one of the findings of the 2018 Oracle and KPMG Cloud Threat Report: the emergence of a new role, Cloud Security Architect (CSA).

The increasing prominence of the CSA as a core member of new cloud security teams indicates that many organisations recognise that retooling for the cloud means bringing on board not only individuals who can fill a technical skills gap, say the report’s authors, but also those who can ‘strategically architect a cyber security strategy aligned with the speed of the cloud’.

“Traditional security architects often focus on broad-reaching security topics that impact the on-premises, mobile, and cloud world,” says Greg Jensen, Senior Principal Director/Security at Oracle, writing in the Oracle & KPMG Cloud Threat Report. “This role has become a bit of a ‘jack of all trades’ role. The CSA was created to be the ‘master of cloud security’ who understands every security- and compliance-related challenge” that a business owner or infrastructure, platform, or app team could run into with new cloud build-outs.