Like alligators in the sewers of New York, cloud security concerns are an urban legend that just won’t go away.
Although worries about hacker attacks are abating somewhat (the IDG Enterprise 2014 Cloud Survey found that 74% of respondents are either confident or very confident in the security of their cloud providers), concerns about data loss and privacy continue to frustrate broader adoption. A 2014 survey by KPMG reported that 53% of respondents said data loss was the biggest challenge to doing business in the cloud.
The root of the security concerns is the shared nature of cloud services and the loss of physical control. The thinking is that if you have the data and equipment in your possession, then it’s less likely to be compromised. “There is a natural perception to believe that things outside of my control are innately less secure,” said Tim McKellips, manager of technical services at systems integrator Softchoice, in an article in CIO.
But the reality is that in an age of bring your own device (BYOD) and telecommuting, physical security doesn’t matter very much. Among the high-profile customer record thefts of 2014, one breach occurred when thieves hacked into an in-store Wi-Fi router, and another when attackers compromised a server that had been set up for a charity event and never taken off the network.
Cloud service providers have little choice but to deliver world-class security. Without it they can’t compete for lucrative business from big customers in industries like financial services and healthcare. “These services are typically designed against a model that forces them to address widely differing use cases,” said Rob Enderle, founder of the analyst firm Enderle Group.
Cloud companies also can apply economies of scale. Because their security investments benefit all of their customers, they can amortize their costs more efficiently. Patches and updates can also be applied across all of their customers, making each individual account more secure.
The fear that multitenant cloud environments are inherently less secure is also a myth. True, multitenancy provides for multiple customers sharing the same resources, but virtualization offers the same level of security as physical servers, and it’s nearly impossible for an attacker to reach the bare-metal hardware from a virtual machine, which is where the most serious damage can be done.
Finally, the reality is that businesses are far more vulnerable to internal threats than external ones. Forrester Research reported that 25% of security breaches are caused by malicious insiders and an additional 36% by employee mistakes. Lax password policies, phishing, and social engineering will compromise any IT system, regardless of where it is located. “As we saw with the Snowden and Sony breaches, even the most secure on-premise solution is vulnerable to bad security practices,” Enderle said. “Those practices can adversely impact local and cloud systems equally.”
Perhaps the biggest myth is the belief that security is in the hands of the cloud provider. Experts stress that security is a shared responsibility for which the customer actually has most of the responsibility. By applying six sound security practices, users can avoid more than 90% of the most common threats, whether they host the data or somebody else does.
- Start with good access control. Despite all the headlines about high-profile breaches, the top 100 passwords people use haven't changed much over the years, according to Mark Burnett, a Utah-based security consultant who recently analyzed patterns in 10 million usernames and passwords. And it doesn’t matter how many firewalls you have if users willingly give their passwords to unknown callers posing as help-desk personnel. “The customer is still responsible for reasonable password and other access control regardless of the service provider and the location of the data center,” said Dan Kusnetzky, a veteran industry analyst and founder of the Kusnetzky Group.
- Use strong passwords and change them frequently. Users should also have a different password for each website or service. Password management services like LastPass, Dashlane, KeePass and 1Password make it relatively simple to create strong credentials and keep track of many different passwords. Most cloud providers also offer two-step verification, in which a password is augmented by a verification code sent to a cell phone. Single sign-on in Microsoft Exchange or third-party products like Okta and Centrify can simplify identity management and harden security both on premise and in the cloud. Your cloud provider may even offer single sign-on as part of its service.
- Make sure data moving between the company and a cloud service is encrypted. David Strom, a technology writer who specializes in networking and cloud security topics, recommends using a virtual private network (VPN), which provides excellent security and ensures that all authorized users get a base level of encryption.
- Access to system-level resources should also be strictly controlled so that only a few people can provision new virtual machines or access data globally, Strom recommends. The IT organization should be aware of every virtual machine the company uses.
- Make sure your cloud provider allows you to make local backups of your data. This isn’t always possible with some of the big consumer cloud services, so be sure to ask.
- Finally, practice good endpoint control. Your data is probably more secure in the cloud than it is in your own data center, but that doesn’t matter if the devices your people use to access it are wide open. Sensitive data should be encrypted while in transit and again when stored on a PC or mobile device. Good password practices are just as important with smartphones and tablets as with business computers.
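The first two practices above (rejecting the passwords everyone already uses, and backing a password with a one-time code sent out of band) are easy to describe and easy to get subtly wrong. The following is an added example, not code from the article or from any provider it mentions: a password-policy check against a small constructed stand-in for a common-password list, and a verifier for a short-lived, single-use second-step code. The `COMMON_PASSWORDS` set, the `OneTimeCodeVerifier` class and its parameters are assumptions made for this illustration; the actual delivery of the code to a phone is outside the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for a "most common passwords" list (assumption for this
# example); a real deployment would load a published list of leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123", "letmein"}
MIN_LENGTH = 12


def check_password_policy(password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if password.isdigit():
        problems.append("consists only of digits")
    return problems


def _digest(code):
    # Store a hash rather than the code itself so a leaked pending table reveals nothing directly.
    return hashlib.sha256(code.encode()).hexdigest()


class OneTimeCodeVerifier:
    """Second-step verification: a 6-digit code that expires, is single-use and allows few guesses.

    `clock` is injectable so the expiry behaviour can be exercised without waiting.
    """

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self._pending = {}  # user -> {"code_hash", "expires_at", "attempts"}
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock

    def issue(self, user):
        """Generate a fresh code for `user`; the caller sends it to the user's phone."""
        code = "%06d" % secrets.randbelow(10 ** 6)  # cryptographically random, not `random`
        self._pending[user] = {
            "code_hash": _digest(code),
            "expires_at": self.clock() + self.ttl,
            "attempts": 0,
        }
        return code

    def verify(self, user, submitted):
        """Return True only for the current, unexpired code; each failure uses up one attempt."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self.clock() > entry["expires_at"]:
            del self._pending[user]  # expired codes are discarded, not retried
            return False
        entry["attempts"] += 1
        # Constant-time comparison so response timing does not leak matching prefixes.
        ok = hmac.compare_digest(entry["code_hash"], _digest(submitted))
        if ok or entry["attempts"] >= self.max_attempts:
            del self._pending[user]  # single use on success; lockout after too many guesses
        return ok


if __name__ == "__main__":
    print(check_password_policy("password"))
    verifier = OneTimeCodeVerifier(ttl_seconds=60)
    issued = verifier.issue("alice")
    print("verified:", verifier.verify("alice", issued))
```

The design point a practitioner should take from this: the second-step code is only as strong as its lifetime and guess budget, so the verifier expires it, removes it after one successful use, and caps the number of attempts, while the policy check stops the most common passwords before they ever reach the account.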
Security is far less about technology than it is process. That’s a fact no matter where the data resides.