Businesses large and small are realizing the benefits that come with cloud computing. The scalability that allows you to easily grow (or shrink) your operation, the agility that enables you to make quick changes, the cost-effectiveness that can save you money: the cloud seems like a no-brainer. However, with increased cloud adoption rates come increased cloud computing security issues.
According to eweek, “enterprise cloud adoption continues to grow at increasing speed and organizations recognize the productivity and cost savings that emanate from moving off an on-site legacy system to a distributed cloud environment.” The Could Security Alliance’s Notorious Nine lists top threats like abuse and nefarious use, insecure interfaces, malicious insiders, and others.
Some industry insiders weighed in on the top cloud computing security issues and their solutions.
1. Water hole attacks
Neeraj Khandelwal of Barracuda explains “as organizations become better at fighting spam and phishing, water hole attacks are the latest tricks in the attackers’ toolkits that silently compromise all the users of these trusted web applications, via their web browsers.”
The water hole attack is a 3-step process. First, the attacker does some reconnaissance and research on its target, in which they find trusted websites often visited by employees of the target company. Second, attackers insert an exploit into the trusted sites. Finally, when your employees visit the trusted site, the exploit takes advantage of their system vulnerabilities.
The solution? Vulnerability shielding: update and patch all software regularly to limit possible access points.
2. The government and other spies
Dave Meltzer, VP of Engineering for Tripwire and a cloud security innovator says, “If a government entity wants access to my data, at least they need to come to me and tell me they want it. Once that is moved to the cloud, all visibility to that is now lost – they go directly to the cloud provider and cut my organization out of that loop.”
To solve this, use the cloud wisely: reap its benefits, but do not let anyone (even your cloud provider) have access to your encryption keys. This is not only possible, it is a recommended best practice. This way, even if the government requests (or otherwise gains access to) your cloud provider’s information, they still cannot get yours.
3. Compliance with data privacy laws in multiple geographies.
Velocity Technology Solutions VPs Marcello Burgio and Jim McInnes, note “Technology – specifically the cloud – gives businesses the power to achieve a cloud that crosses borders; however, the reality is that in many cases the varied laws that must be complied with around the world can seemingly handcuff a business’s ability to take full advantage of the cloud’s innovative offering.”
The architecture of your cloud environment is key and you must understand the respective data storage regulations in the countries you operate in. In general, you must look for cloud security solutions that are compliant with regulations like HIPAA, PCI DSS, EU data protection laws, or whichever laws apply to you. In practice – encryption makes this a lot easier. Use a cloud encryption solution to show that your data never left home (at least not in a readable form). Most regulations, including the EU’s very restrictive regulations, accept that this is a good solution.
4. Liability for Breaches
Amit Cohen of FortyCloud, a company whose mission is to promote migration of enterprises to the public cloud, may have put it best “while you can transfer your apps and data to the cloud, you can’t transfer liability.”
Amazon Web Service’s own security center explains that the cloud provider has secured the underlying infrastructure and you, the client, must secure anything you put on the infrastructure.
What does this mean for a company who wants to migrate to the cloud, but is concerned about their liability?
It is easiest to think of it this way: while the cloud has many benefits, elimination of liability isn’t one of them. Like you were responsible for the security of your data in the data center, you are also responsible in the virtual world. This means you should use split-key encryption technologies to ensure that only you control your data. Your cloud provider shares responsibility for the infrastructure, you are still responsible for your apps and data.
How easy or difficult is it?
Lots of good advice; how doable is it?
Find solutions that require no hardware: that is the best fit for cloud environments. Of course, the solutions must have top notch security built in. That requires innovation – the onus for that innovation should be on the security provider, not you. In short, a solution should give all the benefits and up in minutes too.
So, make sure you limit your vulnerabilities, do not let anyone have access to your encryption keys, comply with all required laws and regulations, use encryption to make your life easier, and understand that you share responsibility for liability.