There’s no denying that the incredible pace of technological innovation and development over the last decade has dramatically altered how we do business. More and more companies rely on cloud-based services for their data storage and collaborative needs, and the majority of workers are well used to firing off an email or two from their smartphone while on the go. However, the changing nature of how we work and the shortcomings of cloud security have left us more vulnerable than ever before when it comes to potentially sensitive data.
Potential security risks of your Cloud Computing Solution
Cloud computing offers many benefits, such as cost reduction, greater access to applications, and greater flexibility and accessibility. However, it must be recognised that when it comes to cloud security there are several areas of increased vulnerability when compared with traditional internal infrastructures.
Chief among these areas of vulnerability is the risk of being blindsided by the potential shortcomings of a cloud solution. Quite often, a cloud service will be implemented as a quick interim solution. However, people tend to focus on specific threats and controls, such as the location of data or data encryption standards, without considering the totality of the service from a confidentiality, integrity, availability and accountability (CIAA) perspective and its projected lifecycle within that organisation. Essentially, one workload in the cloud can have an impact on the whole IT infrastructure. It’s vital to always think holistically when it comes to cloud security and services.
Always be aware of your supply chain
Another potential risk of using cloud services is the often complex supply chain relationship with the service provider. One example of this is when one service provider assumes all of the contractual and compliance risk from the customer. However, the provider’s service could be built upon Infrastructure as a Service (IaaS) from another provider, who in turn is white-labelling the same service, and so on. Often, the provider at the end of the chain has non-existent OLAs and SLAs, and contracts with separate IaaS, co-location and DR providers. In cases like this the first provider may have European-standard assurance around the location of data, but this assurance may bear no relationship to how and where backup, disaster recovery and log management services are actually stored – by invisible organisations further down the supply chain. This can put the customer, as well as the prime service provider and others in the chain, at unacceptable contractual and data protection risk.
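The point above is that a data-location assurance only holds if it holds transitively for every service the provider delegates downstream. The following is an added illustration, not Ward Solutions’ code or any provider’s API: it models a constructed supply chain (the provider names, services and regions are all hypothetical) and walks each delegated service until it finds the organisation that actually stores the data, flagging any service that ends up outside the assured regions or that cannot be resolved at all (unknown provider or a delegation loop).

```python
"""Transitive data-residency check over a constructed cloud supply chain.

Added example: the providers, regions and service names below are
hypothetical, constructed to show how an assurance given by the prime
provider can silently break further down the chain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# The services the original text calls out as commonly delegated downstream.
SERVICES = ("primary_storage", "backup", "disaster_recovery", "log_management")


@dataclass
class Provider:
    """One organisation in the chain (hypothetical model)."""
    name: str
    # service -> region where this provider runs that service itself
    stores: Dict[str, str] = field(default_factory=dict)
    # service -> name of the downstream provider it hands that service to
    delegates: Dict[str, str] = field(default_factory=dict)


def resolve_service(chain: Dict[str, Provider], start: str,
                    service: str) -> Tuple[Optional[str], List[str]]:
    """Follow delegation of `service` from `start` down the chain.

    Returns (region, path). region is None when residency cannot be
    asserted: an unknown provider, a delegation loop, or nobody in the
    chain claiming to run the service.
    """
    path: List[str] = []
    current = start
    while True:
        if current not in chain or current in path:
            path.append(current)          # record where resolution failed
            return None, path
        path.append(current)
        prov = chain[current]
        if service in prov.stores:
            return prov.stores[service], path
        if service in prov.delegates:
            current = prov.delegates[service]
            continue
        return None, path                 # nobody claims to run it


def residency_findings(chain: Dict[str, Provider], start: str,
                       allowed_regions: Set[str]) -> List[dict]:
    """Check every delegated service against the assured region set."""
    findings = []
    for service in SERVICES:
        region, path = resolve_service(chain, start, service)
        if region is None:
            findings.append({"service": service, "region": None,
                             "path": path, "issue": "unresolved"})
        elif region not in allowed_regions:
            findings.append({"service": service, "region": region,
                             "path": path, "issue": "outside_assurance"})
    return findings


def build_sample_chain() -> Dict[str, Provider]:
    """Constructed chain: prime SaaS vendor -> IaaS -> colo / log vendors."""
    return {
        "PrimeSaaS": Provider("PrimeSaaS",
                              stores={"primary_storage": "eu-west-1"},
                              delegates={"backup": "IaaSCo",
                                         "disaster_recovery": "IaaSCo",
                                         "log_management": "IaaSCo"}),
        "IaaSCo": Provider("IaaSCo",
                           stores={"backup": "eu-central-1"},
                           delegates={"disaster_recovery": "ColoLtd",
                                      "log_management": "LogVendor"}),
        "ColoLtd": Provider("ColoLtd", stores={"disaster_recovery": "us-east-1"}),
        "LogVendor": Provider("LogVendor", stores={"log_management": "ap-south-1"}),
    }


if __name__ == "__main__":
    chain = build_sample_chain()
    eu_assurance = {"eu-west-1", "eu-central-1"}
    for f in residency_findings(chain, "PrimeSaaS", eu_assurance):
        print(f"{f['service']}: {f['issue']} (region={f['region']}) "
              f"via {' -> '.join(f['path'])}")
```

Run against the constructed chain, the prime provider’s EU assurance holds for primary storage and backup, but disaster recovery resolves to a US region via ColoLtd and log management to an Asia-Pacific region via LogVendor, neither of which the customer ever contracted with. The same walk, applied to a real contract review, is a way to make the “invisible organisations” in the chain visible before signing.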
Cloud Security concerns both stifling and driving the market
It’s ironic, but cloud security concerns such as those outlined above are both stifling and driving the market. Sometimes, organisations that are aware of the security limitations of the programs they are running seek appropriately secure public or private cloud-based services. In other cases, certain organisations won’t even consider cloud services, primarily due to their failure to adopt appropriate cloud risk assessment or assurance approaches. Ultimately, appropriate cloud adoption is simply being driven or limited by inertia, the lack of a clear business case for migration to the cloud, or by waiting for significant upgrade or replacement cycles for on-premises solutions.
Mobile security – “BYOD: Bring your own Disaster”
Another potential and growing threat area is, of course, mobile. Now that more and more of us are working on the go, it is paramount that we consider our mobile security protocols. Hackers are becoming more and more sophisticated. The current threat landscape is punctuated by highly specific, credible and targeted attacks against customers and organisations, or against key personnel within organisations such as C-level execs, system administrators and accounts departments, coupled with advanced evasion techniques to defeat the legacy security infrastructure and controls that many organisations still employ.
In some cases these advanced technologies are being deployed through simple techniques like phishing, social engineering, poor patch management or weak credential management. In most cases the hacker has a specific return on investment in mind, usually medium- or high-yield financial goals, with less and less “hacktivism” being employed.
Mobile threats imminent
However, despite all this, and in particular the inherent vulnerabilities of mobile devices, mobile still rates low as a vector, actual attack or compromise in incident response and investigation services. Most of the noise in this area stems from security vendors creating hype about their solutions for the mobile platform. In the medium term, though, with greater adoption of higher-yield business and consumer activity on mobile platforms such as ERP/CRM, B2B banking, and other payment and wallet use cases, mobile will become a much more significant attack vector for the bad guys.
For best practice advice on how to secure your cloud computing and mobile solutions contact Ward Solutions today and watch out for Part 2 for robust cloud security recommendations.