Cloud Computing Security

Cloud computing security should be a concern for all businesses. It involves serious risks that could harm a company for a long time.

As useful as cloud computing can be (as seen in the cloud computing advantages article), you have to be aware of the security risks associated with it, or it could cost you dearly.

There are 5 main security risks associated with cloud computing.

Security risk #1: Outsourcing of confidential data

By putting your files on an outside server, you lose a bit of control over who has access to them. Your data is no longer under your roof.

Unauthorized access

One of the first questions you should ask yourself when putting critical business information on someone else’s server is: Could it hurt your business if someone has unauthorized access to this data?

When you store your data in-house, you take care of granting the right level of access to the right person. For example, critical financial data will be viewed only by upper management.

When you do this on an outside server, you’ll do the same, except you don’t have full control over who views that data. You can control what happens on your side, but you can’t on their side. Let’s say you use Dropbox to store sensitive data. You can select who has permission to view your data, but what you have to remember is that employees at Dropbox can also have access to your data even if you don’t authorize it, the same way a network administrator can have access to the president’s data if he wishes to. Let’s be clear, they are not supposed to do so, but it is a possibility.

So, could that hurt the company? If you put your brand new project, which has been in R&D for the past 5 years, on your online drive, are you sure nobody else will have access to it?

Data aggregation

Another risk you have to be aware of is data aggregation. What is it? Let’s take for example my personal Gmail account. I know Gmail is using my data to know me: their algorithm scans my email and establishes a profile. That way, they can show me ads related to my interests. That’s ok, that is why their software is free.

Let’s say now that you use Google for your business emails. It is very practical. But if all your company’s emails are stored at Google, could they know more about your business than you’d like them to? Could their algorithm build a company profile and know what you’re up to, who your salespeople are and what your margins are? You would be surprised by all the information you can get when all that data is available.

I’m not saying the cloud computing providers are doing that. Most of them will have addressed that clause in their user agreement and are very credible companies. But still, ask yourself if that would put your company in peril if someone has access to that kind of data.

You also have to know that companies can change their policies at any time. One day they can say that they will not sell your information, and the next they can change their policies and sell it. It is not something they are likely to do, but you have to know that this is a possibility.

Again, go with a credible, well-known company and you should be just fine.

Security risk #2: Data accessibility and servers’ stability

Another cloud computing security issue is your data accessibility. What if you put all your data in the cloud and the servers are not accessible for a long period of time? Will you still be able to run your business?

Of course, doing business with a credible, well-established company and using high-end services will considerably reduce that cloud computing security risk, but it should still be a concern. See the article cloud computing providers for more information.

As I am writing this article right now, my domain host for my company’s site is down. I have always had good service with that provider, but on November 12th, 2012, all their sites were down. I don’t really mind since I don’t run businessnsoftware.com on this provider, but if someone runs their main business website on this provider, this could mean a lot of money lost for them.

The same thing could be said about the internet connection. What if it was down for a couple of hours or, worse, a couple of days? Would that bring your business to a halt?

The worst-case scenario would be that the provider goes out of business. The risk is minimal if you choose a well-known provider, but what would you do in that case? Can you host elsewhere quickly? Do you have quick access to your latest data?

Security risk #3: Unauthorized access to your data

Hacking

This is a different cloud computing security concern than the first one. Here we’re not talking about the credibility of the provider, but about the fact that the provider can be the victim of an attack.

As I already said in my cloud computing advantages article, the fact that their core business is data storage means that they will be more secure than your company’s server (except maybe for large enterprises). But it also means that they are more likely to be the target of an attack.

The bigger they are, the more money they will put into IT security. But it also means that more people will try to gain access to their servers. Keep in mind that absolutely no system is completely safeguarded against being attacked. If a group of hackers wants to have access to someone’s computer, they will find a way.

The example of the 2011 attack against the CIA is a good one. There are probably very few companies or agencies worldwide that put more money into IT security and surveillance than this one. And still, hackers have been able to access their website servers. Imagine what they could do to a small cloud computing provider or even to big ones.

You have the same problem with your own private servers, but let’s face it: you have much less chance of being the victim of a hacking attempt than Amazon or Google. Those providers will be tougher to crack, but when hackers succeed, the benefits for them will be much higher.

Patriot Act

Another thing you need to know is that the passage of the Patriot Act in the United States in 2001 has changed things. The bill states that, under specific circumstances, the government’s agencies can have access to any data stored on any server in the USA.

So what does it mean for you? It means that a US government agency could seize the servers of your cloud computing provider. If your data is on that server, they can have access to it legally.

A quick example will show you the legal implications. In Canada, the law states that government agencies are responsible for the protection of the citizens’ confidential data. The data stored by the government on its citizens cannot be accessed without the written consent of the person. Since the Patriot Act states that the United States government could have access to confidential data without prior consent, it is therefore illegal for Canada’s government agencies to store data on any server that is located in the United States. See the implication here? It means any university, parapublic agency or any company that has government information cannot store this data at Google, Amazon S3 or any cloud provider whose servers are located in the USA.

Private companies don’t have that obligation, but it is still a good thing to know. Making a mistake here could have serious legal implications.

For more information, visit the official Patriot Act website.

Security risk #4: Data encryption

Transmissions’ encryption

When you transmit data over the internet, it is by default not encrypted. This means that anyone who wants to “read” what you are transmitting is able to. Of course, that person would need some technical knowledge, but it’s really not that hard. So this can be an important cloud computing security issue.

So, when you use a cloud computing service and transmit confidential data, make sure that the data is encrypted. One way to know that is to look for the prefix “https” instead of “http” in your browser address bar (the “s” means “secured”). Each browser represents it differently, but you’ll also have a lock pictogram (in the following image, I used Mozilla Firefox).

Note you can also secure transmissions for emails and other services. Your cloud computing provider will supply that information.

Please note that this does not mean that the data on the server is encrypted. It just means that between the time that the data is sent from your computer and received by the server, it cannot be read by someone else.

Server-side encryption

Rarely have I seen data encrypted on a server. Generally, companies will make sure that only the right employees have access to sensitive data and that the server cannot be hacked. But the data on the physical hard drive won’t be encrypted.

The main reason for that is that encryption adds too much load on the server, so it can take much longer to save or retrieve data (each time you access, let’s say, your Word document, the server has to decrypt the file and encrypt it again when you save it).

So your data in the cloud probably won’t be encrypted. If someone is able to access your data, he will be able to read your files just like you can read this article.

One thing you could do is manually encrypt each and every file before sending it to the server, but it is time-consuming and you probably won’t do it for long.

One thing you can do is to encrypt only critical business data. But once again, remember that if someone really wants to have access to your encrypted file, they will probably find a way.
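An added example (not code from this article) of encrypting only the critical files before they leave your computer, so the provider stores ciphertext and the key stays on your side. It assumes the third-party Python `cryptography` package; the folder names, file names and the `CRITICAL_SUFFIXES` policy are hypothetical.

```python
import tempfile
from pathlib import Path

from cryptography.fernet import Fernet, InvalidToken  # pip install cryptography

# Assumption: which file types count as "critical business data".
CRITICAL_SUFFIXES = {".xlsx", ".csv"}


def encrypt_critical(src, outbox, key):
    """Encrypt critical files found under src into outbox; return names written."""
    fernet = Fernet(key)
    outbox.mkdir(parents=True, exist_ok=True)
    written = []
    for path in sorted(src.rglob("*")):
        if path.is_file() and path.suffix.lower() in CRITICAL_SUFFIXES:
            target = outbox / (path.name + ".enc")
            # Fernet output is encrypted and authenticated (tampering is detected).
            target.write_bytes(fernet.encrypt(path.read_bytes()))
            written.append(target.name)
    return written


def decrypt_file(enc_path, key):
    """Return the plaintext; raises InvalidToken on a wrong key or altered file."""
    return Fernet(key).decrypt(enc_path.read_bytes())


def demo():
    key = Fernet.generate_key()  # keep this locally; never upload it with the files
    with tempfile.TemporaryDirectory() as tmp:
        src, outbox = Path(tmp, "docs"), Path(tmp, "to_upload")
        src.mkdir()
        # Constructed sample files.
        (src / "margins.csv").write_bytes(b"product,margin\nwidget,0.42\n")
        (src / "lunch_menu.txt").write_bytes(b"pizza on Friday\n")
        written = encrypt_critical(src, outbox, key)
        enc = outbox / "margins.csv.enc"
        leaked = b"widget,0.42" in enc.read_bytes()  # what the provider could read
        restored = decrypt_file(enc, key)
        try:
            decrypt_file(enc, Fernet.generate_key())
            wrong_key_rejected = False
        except InvalidToken:
            wrong_key_rejected = True
        return written, leaked, restored, wrong_key_rejected


if __name__ == "__main__":
    print(demo())
```

Losing the key means losing the files, so the key needs its own backup, stored separately from the cloud copy.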

Security risk #5: Backups

Backups are also a cloud computing security risk. Making a backup of your data is essential.

You do know that.

What you may not know is that the data in the cloud is not necessarily backed up. And even if it is, you don’t know how long it would take for the cloud provider to restore your data if something happens.

That could mean big trouble if you store your day to day data on the cloud.

A good example is Google’s 2011 Gmail failure. Tens of thousands of people lost their emails. Even though data has been recovered, it was a big warning for all the users.

This also applies to databases. If you use online software (SaaS), don’t forget to do local backups of its database. If anything happens (the company closes or they are the victim of a major crash), at least you’ll have your business’ data in hand.
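An added example (not part of the original article) of checking that a local backup of exported cloud data is complete and unaltered: record a SHA-256 hash per file at export time, then compare the backup copy against that record. The folder and file names are constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large database dumps do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its hash, taken right after the export."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(manifest, backup_root):
    """Compare a backup folder with the manifest; report ok/missing/changed files."""
    report = {"ok": [], "missing": [], "changed": []}
    for rel, expected in manifest.items():
        target = Path(backup_root) / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        export, backup = Path(tmp, "saas_export"), Path(tmp, "local_backup")
        export.mkdir()
        (export / "customers.csv").write_text("id,name\n1,Acme\n")
        (export / "invoices.csv").write_text("id,total\n1,100\n")
        (export / "notes.txt").write_text("exported 2012-11-12\n")
        manifest = build_manifest(export)
        shutil.copytree(export, backup)
        # Simulate a backup that silently degraded after it was taken.
        (backup / "invoices.csv").write_text("id,total\n1,999\n")
        (backup / "customers.csv").unlink()
        return verify_backup(manifest, backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```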

Final recommendations

After seeing all those cloud computing security risks, you may wonder if cloud computing is safe? If you do your homework well, yes it is. But also remember that security in IT is a balance between the resources put into security – money and time – and the related risk. So know your needs and your provider and you should be fine.

That being said, don’t forget that the weakest link in IT security is generally the user, not the systems.

 


Erik