Is the cloud as safe as they say it is?
Credit: Cloud image via Shutterstock
By 2014, cloud computing is expected to become a $150 billion industry. And for good reason — whether users are on a desktop computer or mobile device, the cloud provides instant access to data anytime, anywhere there is an Internet connection.
For businesses, cloud computing also offers myriad benefits, such as scalable storage for files, applications and other types of data; improved collaboration regardless of team members' locations; and saved time and money by eliminating the need to build a costly data center and hire an IT team to manage it.
Most businesses, however, have one major concern when it comes to cloud computing: Exactly how safe is the cloud? Although most reputable cloud providers have top-of-the-line security to protect users' data, experts say there is no such thing as a completely safe cloud system.
From security holes to support issues, below are eight risks all users take when migrating to and storing their data in the cloud.
1. Someone else is looking after your data
Unlike a data center, which is run by an in-house IT department, the cloud is an off-premise system in which users outsource their data needs to a third party provider. The provider does everything from performing all updates and maintenance to managing security. The bigger picture, however, is that users are trusting their data for someone else to look after, said Steve Santorelli, a former Scotland Yard detective, now manager of outreach at the Internet security research group Team Cymru.
"The downside is that you are abrogating responsibility for your data. Someone else has access to it and someone else is responsible for keeping it safe," Santorelli said.
Although cloud providers may ensure your data is safe, Santorelli said some are not always looking after your best interests.
"No business is ever going to be as rabid about looking after your data as you would or should be. They are in the business of making money from you, after all. Securing your data sometimes becomes a marketing mantra more than a way of life," he said.
Any time you store data on the Internet, you are at risk for a cyberattack. This is particularly problematic on the cloud, where volumes of data are stored by all types of users on the same cloud system.
"The scary thing is the vulnerability to Distributed Denial of Service (DDoS) attacks and the concentration of so much data," Santorelli said. "The single point of failure is the cloud. If something goes bad it impacts a very wide group of people. It's easier to steal and disrupt in bulk."
Although most cloud providers have stringent security measures, as technology becomes more sophisticated, so do cyberattacks.
"When cloud companies get the security right — and many actually do a pretty reasonable job — then miscreants have to get creative to get to the data," Santorelli said. For instance, instead of hacking the cloud, hackers will attempt to hack your account instead.
"Passwords and secret answers become the soft underbelly of your security. Just like when banks made online account hacking harder, the miscreants turned to phishing to get around the restrictions and steal your passwords," he said.
3. Insider threats
Just as cyberattacks are on the rise, so are security breaches from the inside.
"Vodafone's breach of 2 million customer records and the Edward Snowden breach at the NSA are wake-up calls that the most serious breaches are due to insider threats and privileged user access," said Eric Chiu, president and co-founder of HyTrust, a cloud infrastructure control company
Once an employee gains or gives others access to your cloud, everything from customer data to confidential information and intellectual property are up for grabs.
"The cloud makes this problem 10 times worse since administrative access to the cloud management platform, either by an employee or an attacker posing as an employee, enables access to copy and steal any virtual machine, undetected,
as well as potentially destroy the entire cloud environment in a matter of
minutes," Chiu said.
4. Government intrusion
With the recent NSA leaks and the ensuing reports on government surveillance programs, competitors aren't the only ones who may want to take a peek at your data.
"Something that has been in the news recently is that government entities and technology companies in the U.S. and elsewhere may be inspecting your data as it is transmitted or where it resides in the Internet, including within clouds," said Scott Hazdra, principal security consultant for Neohapsis, a security and risk management consulting company specializing in mobile and cloud security.
Granted, privacy has always been a concern with the cloud. But instead of just worrying about competitors, disgruntled customers or employees breaching cloud security, businesses now have to worry about government intrusion as well.
"Loss of confidentiality to data is not a new risk; however, the threat sources might not have been one companies were previously worried about," Hazdra said. "For instance, a company may have a concern that competitors will try to steal their data so they encrypt transmission and storage of it. Now that someone other than a competitor may be interested in that data doesn't fundamentally change the risk."
5. Legal liability
Risks associated with the cloud are not limited to security breaches. They also include its aftermath, such as lawsuits filed by or against you.
"The latest risks to using cloud for business are compliance, legal liability and business continuity," said Robert J. Scott, managing partner of Scott & Scott LLP, an intellectual property and technology law firm. "Data breach incidences are on the rise, and so are lawsuits."
Scott, who is also a cloud law speaker and author, said that while the cloud is all about ease of access, collaboration and rapidity, its benefits have to be weighed against the extent of security measures.
"Information security has always been finding a balance between ease of access and the sharing of information verses completely locked down security," he said. "The more you have of one, the less you have of the other."
6. Lack of standardization
What makes a cloud "safe"? A provider could have the latest security features, but due to the general lack of cloud standardization, there are no clear-cut guidelines unifying cloud providers. Further, given the plethora of cloud services in different sectors, this is especially problematic for users when determining exactly how "safe" their cloud really is.
"The question of how safe the cloud is has many facets, and the answer depends on the cloud services provider, the type of industry a company is in, and the accompanying regulations concerning the data it is considering storing in the cloud," Scott said.
Since not all cloud providers are built the same, one provider's definition of "safe" may not be the same as another's, Scott said.
7. Lack of support
Imagine being unable to access your cloud before a big meeting or, worse, being in the middle of a cyberattack that has taken down your entire bread and butter —your website. Now imagine trying to contact your provider, only to find that their customer service is nonexistent. While some cloud providers have excellent customer support, others could leave you in the cold.
"The most frustrating thing when something goes wrong is not being able to speak directly with an engineer," said April Sage, director of Healthcare Vertical at Online Tech, a cloud provider specializing on compliant cloud hosting.
"If your systems are not mission-critical, you don't need to worry so much about security and availability," Sage said. "However, if you support mission-critical systems, or your online presence is critical for your business to operate smoothly, you have to be prepared to invest in a cloud and cloud provider that is capable of providing a level of protection commensurate with your needs."
8. There's always a risk
The biggest risk when it comes to cloud computing is that you never know what is up ahead. Hackers have been around from the start and they are not going anywhere any time soon. And as technology advances, so do the risks that come with adopting them.
Given these current and future dangers, do the benefits of cloud computing outweigh its risks? Neil Rerup, author of "Cyber Peril" (Sutton Hart, 2013) and founder of Enterprise Cybersecurity Architects (ECSA), said it depends on the business.
"The cloud is not for everyone," Rerup said. "Like with all solutions, you have to weigh what level of risk you are comfortable dealing with."
For business using or considering migrating to the cloud, all you can do is be as prepared as you can possibly be. The key is getting to know providers as much as you can, both as a company and from an end-user perspective.
"Using cloud solutions is like kissing someone you don't know — you don't know what types of germs they have and whether you'll catch something from them," Rerup said.