Cloud security is a huge worry for small, medium and large enterprises. Solving the cloud computing security problem actually has benefits for business. Craig Balding -- the founder of Cloudsecurity.org -- actually wrote a list of seven technical security benefits of the Cloud. Sererra.com has a blog post titled, “Head in the Clouds: What to Consider Before Taking the Plunge”, raised a point about Cloud Security. An important point to consider from this post – as far as security was concerned – was that :
“...roughly about 36% of U.S companies that participated in a Cloud Computing Users Study - a Ponemon Institute study, in partnership with CA - are vigilant with respect to audits, assessments and evaluation of cloud computing resources."
That’s a worrying statistic. Here’s exactly why it’s bad news and how certain security threats risk businesses (along with best practices in cloud computing that your cloud vendors should use):
Threat #1: The Abused Cloud
Cloud computing, as a service genre, is evolving at this stage characterized by weak registration protocols, authentication systems that promote anonymity, and limited fraud detection mechanisms. While the Internet is rife with security breaches, threats, and intrusions, criminals continue to ransack vulnerable IT systems by leveraging new technologies.
Best Practices
Invest in strict validation or authenticating systems, use fraud monitoring effectively especially where financial transactions are involved, introspect network traffic and monitor network constantly.
Threat #2: How Secure is that Interface?
Most Cloud Computing vendors such as Netsuite, Salesforce and INTAACT deploy API to help customers use these services. As such, most cloud computing providers have security integrated into these service models. Using APIs cloud vendors provide, manage, orchestrate and monitor their services rendered to their customers. Security issues come from insecure interfaces and weak APIs. In case of vulnerable interfaces or APIs within a cloud service model, a company’s integrity and accountability is at immediate risk.
Best practices
Analyze the security model of the interfaces and APIs cloud computing vendors use. Ensure use of strong authentication and
access controls along with encrypted transmission of data and gain an understanding of the dependency chains associated with APIs.
Threat#3: Malware, scrupulous insiders and troublemakers
Most organizations already suffer the wrathof malicious insiders. The impact these insiders make on the companies they attack is considerable. Insiders enjoy access and know-how on how to infiltratenetworks and assets that belong to the organization (brand specific knowledge, precious customer data, financial records, etc). Therefore, they jeopardize thevery foundation the company. They affect operations; pilfer, erase or steal data; and cause productivity losses. With cloud computing in the picture, the human involvement is more profound. Businesses become susceptible to losses, jeopardy or even crime.
Best practices
Clients need to understand how cloud vendors detect intrusions from malicious insiders. What checks and balances do cloud vendors have for defence? Ideally, cloud vendors should enforce strict supply chain management, conduct a comprehensive user assessment( including clients’ suppliers), float legal contracts with specifications on use of cloud computing services for all users, bring about transparency on all information and management practices, establish sound compliance reports, etc.
Threat#4: The Shared Cloud?
Think about it: multiple businesses patronizing the same cloud computing vendor necessitate shared technology. Cloud computing itself runs on the premise that IT infrastructure is scalable, shared and resources are distributed. Disk partitions, shared servers, CPU caches, etc., are all shared between multiple clients. Doesn’t that make it easy for attackers to gain unauthorized data? Aren’t there higher chances of attackers gaining access to critical business information?
Best Practices
One client of a cloud computing provider should not have access to another client’s data, network, information, etc.
Does your cloud vendor use security best practices? Do they have tools in place to monitor network environment constantly to check on any unauthorized activity? Do they have strong SLA (Service Level Agreements) in place for remediation? Does your provider conduct vulnerability scans and regular audits?
Are you keeping a watch on your cloud?
If you need more help with using cloud services the right way, talk to us.