Cloud computing is very much the future of computing for many companies. Being able to store your organizational data, structure, settings, and more in the cloud is a great boon for productivity and access. Unfortunately, while this storage medium avoids many of the pitfalls of other mediums, it has its own unique issues that make adoption a balance between risk and benefit.
Today we’re going to take a look at the security risks and challenges of cloud data storage, and what it fundamentally means for an organization. We’ll look at how to potentially mitigate these issues, and how to approach the cloud conceptually in such a way that you can leverage its positives while avoiding its negatives.
What is Cloud Computing?
First, a definition of terminology. Cloud computing is simply the movement of data storage and processing away from local physical disks to remotely aggregated disks. These aggregated disks provide larger, more scalable data storage and allow data processing tasks to be grouped for quicker, more efficient results.
Note that we are not only addressing third-party cloud solutions here. While cloud computing is often bundled with Google and Microsoft in our minds, the fact is that any remotely accessed resource functioning as an aggregate between devices, machines, or storage units that is then used in concert is, in fact, cloud computing.
In other words, just as Google’s massive server farms unifying applications and storage are a “cloud computing space”, so too is your corporate cluster that you remote into via a gateway for processing and storage purposes.
An Issue of Compliance
One of the biggest drawbacks of cloud solutions is that they create issues of compliance. In a local environment, variables are often easily controlled. Even if you’re not physically near a node or resource, you can set network restrictions and policies on the workstation accessing the local resources, thereby enforcing compliance transparently.
Cloud computing, on the other hand, can lead to instances of poor compliance if the organization is not attentive. Failing to regulate the flow of data, not setting limitations on data access, and even miscategorizing resources can result in huge data breaches that come about much more easily than on traditional networks.
Locality versus Digital Intrusion
Another huge issue is the fact that cloud computing is necessarily online – and with that, a resource like this is more exposed. In a traditional system, a server and its resources are behind a firewall, a bastion, a whole host of physical structures that make it so that data is harder to access.
Unfortunately, as cloud computing has become easily accessible, we’ve entered into somewhat of an arms race. While the systems that host the cloud are just as protected as ever, they are always online, always accepting traffic, and always waiting for more. This “more” is not just a single hacker or penetration expert using their local machine, however – they too are leveraging cloud computing to multiply their efforts and their power.
Hacked credentials, poorly restricted interfaces, even bad backup systems have led to a situation where the bad guys are using more power than ever to attack a target that is either very hard or very soft, and very rarely anywhere in between.
Cloud computing can be either corporate-based or third party, and when it’s third party, we introduce a whole new host of issues. Corporations opting to use third party cloud solutions lose access to the local physical devices driving the systems, and accordingly make their data less secure and more vulnerable to physical threat. Insider attacks account for a huge amount of data losses regardless of whether it’s cloud or traditional storage, so this is very much a security concern.
Tangential to this is the fact that, for many third party providers, costs are often kept down by storing multiple accounts of data in the same space. This means that private data can be placed on a server directly next to other secure, private data, and in theory, this creates an interaction that can possibly result in a data security breach. While this can be mitigated with data isolation and logical storage segregation, many providers have not widely adopted these solutions.
Another huge issue is that of virtualization. By creating virtual servers and machines rather than relying on the traditional networking paradigm, the nature of communication between the operating systems and the hardware itself is altered. This creates an additional layer of virtualization security that is often overlooked, but is very important to address.
It is this added complexity that has created so many cloud failures in recent years, and until providers acknowledge this additional layer and plan for it accordingly, these issues will continue to arise, reducing the value of integrating the system in the first place.
It should be a shock to most users who want to adopt the cloud for availability that, unless properly managed, availability can be the first thing to go down in a major breach. Distributed Denial of Service attacks, or DDoS, are the attack du jour of modern hackers. While physical devices can be used in ways to mitigate these attacks, such as rejecting traffic and routing traffic to dumping servers, when you opt for a third party solution (or improperly manage a local one), this becomes much less easy to do.
When an attack comes in, then, the data is often not handled correctly, and availability is reduced. Considering most organizations adopt cloud systems in order to improve their accessibility, this is a gigantic issue.
What then should we do to mitigate these issues? First, you must be aware of them. In the data space, there is no greater sin than being aware of an issue and not addressing it – so now that you’ve read this piece, you should be aware of potential issues.
Next, address issues concerning compliance and auditing. Sit down with your tech team and plan out randomized and set tests to ensure compliance of data on whatever your cloud solution is, and begin to heavily train these workers to ensure their continued compliance moving forward. As part of this, your company needs cloud specific training, and this is often provided by the vendor of the cloud solution itself.
If you’re using a third party solution, communicate with the provider. Ensure your data is properly isolated and segmented. Many providers will offer you a tour or at the very least a guidebook of all their services. Review them, and ensure they are to your network’s standards and needs.
Finally, address your controls, and implement proper filters, authorization channels, and authentication systems to ensure your data is properly protected. This includes protecting devices that might use APIs and other so-called “backdoors” that hackers love to utilize, and ensuring that your portals and gateways are secure.
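As an added illustration (not part of the original article), the mitigation steps above can be turned into a repeatable audit: a fixed ("set") list of critical resources is always checked, a random sample of the rest is checked on each run, and every selected resource is tested for classification, public exposure, isolation, and authentication. The inventory, field names, and labels below are constructed assumptions, not any provider's schema.

```python
import random

# Constructed sample inventory; field names are assumptions for illustration.
INVENTORY = [
    {"name": "hr-records", "classification": "restricted",
     "public": False, "isolated": True, "auth_required": True},
    {"name": "marketing-assets", "classification": "public",
     "public": True, "isolated": False, "auth_required": False},
    {"name": "db-backups", "classification": None,
     "public": True, "isolated": False, "auth_required": False},
    {"name": "partner-api", "classification": "internal",
     "public": False, "isolated": True, "auth_required": False},
]
LABELS = {"public", "internal", "restricted"}   # assumed classification scheme
ALWAYS_AUDIT = {"hr-records", "db-backups"}     # the "set" tests

def check_resource(res):
    """Return the list of compliance findings for one resource."""
    findings = []
    label = res.get("classification")
    if label not in LABELS:
        findings.append("unclassified")
    if label == "public":
        return findings  # intentionally public data: no further checks
    # Unlabelled resources are treated as sensitive (fail closed).
    if res.get("public"):
        findings.append("publicly-accessible")
    if not res.get("isolated"):
        findings.append("not-isolated")
    if not res.get("auth_required"):
        findings.append("no-authentication")
    return findings

def select_for_audit(inventory, always, sample_size, rng):
    """Fixed targets plus a random sample of everything else."""
    fixed = [r for r in inventory if r["name"] in always]
    rest = [r for r in inventory if r["name"] not in always]
    return fixed + rng.sample(rest, min(sample_size, len(rest)))

def run_audit(inventory, always, sample_size, seed=None):
    """Map resource name -> findings for every selected resource that fails."""
    rng = random.Random(seed)
    report = {}
    for res in select_for_audit(inventory, always, sample_size, rng):
        findings = check_resource(res)
        if findings:
            report[res["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in run_audit(INVENTORY, ALWAYS_AUDIT, 1).items():
        print(name, "->", ", ".join(findings))
```

Leaving the seed unset keeps the sampled portion unpredictable between runs, while the fixed list guarantees the most sensitive resources are never skipped.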
It should be said that cloud computing is one of the greatest new technologies. While we’ve spent a lot of time here discussing its shortcomings and inherent issues, the fact is that these are only issues because we allow them to be.
With a proper approach and the right conceptualization of cloud computing, this kind of system can be incredibly powerful and value adding – you just have to go about it the right way.