Wednesday, August 14, 2013

Ahead in the Cloud: Remaining secure with cloud computing

Rebecca Bailey
Senior PR & Marketing Executive
Egress Software Technologies Ltd.
Championed as a revolution in computing solutions, Cloud offers benefits for organisations across all sectors; however IT heads need to be switched on to the security issues around storing and accessing data in the Cloud.

Bringing the Cloud closer to home

The term ‘cloud computing’ is somewhat deceptive. Not only does stored data reside in servers based very firmly on the ground, but the phrase is also reminiscent of fluffy balls of cotton wool floating innocently overhead. Through its very name, therefore, Cloud creates distance between organisations and their data – a false sense of security that a user’s responsibility is removed purely because data isn’t being stored on their premise.

The reality, however, is somewhat different.

In a survey carried out by PricewaterhouseCoopers, only just over half of European businesses recognised data security as a major risk of cloud computing, begging the question of how well-informed organisations are about the potential threats of using Cloud.

The Cloud Security Alliance (CSA), meanwhile, has identified the ‘NotoriousNine’ threats posed by cloud computing in 2013. Headlining this list are:

  1. Data breaches
  2. Data loss
  3. Account or service hijacking

Data breaches

Information stored in the cloud is just as susceptible to data breaches – whether malicious or caused by human error – as that stored in on-premise servers. Information storage firm Evernote is one recent example of a malicious data breach affecting users’ personal information. Although the California-based company insists that there’s no evidence to suggest that payment details or content was breached, user names, email addresses and encrypted passwords were – causing untold concern to users and reputational damage to Evernote.

Human error, meanwhile, often occurs when using Cloud to share data with others. A lack of verification processes, for example, can lead to unintended recipients being able to access information. In addition, human error can cause data breaches through inadequate control over whether a recipient can share information, either electronically or in hard copy. The ability to restrict or revoke access is invaluable when sharing highly sensitive data, stopping users from forwarding, printing or even accessing information, as required.

So, how can Cloud data breaches be prevented?

It all hinges on knowing what legislation can be applied to your data. One aspect of this is the idea of ‘data residency’: where you data is stored and what jurisdiction it subsequently falls under. Secondly, be aware of the limits of this legislation – the US Patriot Act, for example, is not only applicable to data stored in the States, but also to organisations with a parent company located in the US and those using American subsidiaries for data processing.

Before procuring Cloud services, therefore, read up on any laws that your data or company might fall under. The recent revelations from the US involving the scale of the NSA’s programme of data surveillance and use of the Patriot Act in order to obtain information have demonstrated why this is so important.

Next decide on what information will reside in the Cloud and how secure it needs to be. Ensure that you have the correct level of access control – for example, data in the Cloud can be encrypted, so as long as users remember passwords and other authentication means, the data will be secure.

When sharing data using Cloud-based services, meanwhile, it’s important to maintain control. Some solutions will only secure data in transit; however more sophisticated encryption services can ensure that it is only accessed by the intended recipient and offer full control over what they can do with it.

Data losses

While permanent loss of data can be caused by physical disasters – such as fires, floods or earthquakes – software and human error are also culprits. Consequently, a proportion of data loss is actually caused by preventable means, such as users forgetting passwords or accidental deletion by the provider.

And yet it really doesn’t matter who’s to blame – service provider or customer – the end result is the same: reputational damage and, consequently, revenue loss.

Again, preventing permanent loss of data comes back to the service level agreement and data residency. You need to know that your Cloud provider is backing up the data they’re storing, as well as where that data is backed up. You need to also contractually ensure that the backed-up data is monitored and able to be restored with just a few clicks.

Account or service hijacking

Duplicated credentials and passwords, in addition to more ‘traditional’ methods such as phishing and exploiting software vulnerabilities, all pose a risk to data stored in the Cloud. Thus cloud computing simply adds another avenue for hijack. As acknowledge by the CSA, hijackers can access information to, amongst other activities, eavesdrop on information and transactions, as well as direct customers to illegitimate websites.

However, steps can be taken to mitigate this risk.

As an organisation, prohibit the sharing of credentials between individual users, as well as with service providers. Similarly, employees should be discouraged from duplicating usernames and passwords, while further protection can be provided by multi-layer authentication, preventing one hijack leading to another elsewhere. Remember to always remain vigilant of unauthorised activity – the sooner this is detected, the sooner it can be dealt with. Finally, when engaging your cloud provider, make sure you have a full understanding of their security policies and service level agreements.

A switched-on approach

Cloud requires a more managed approach than some firms have previously taken. However, it remains one of the most cost-effective and efficient revolutions in computing – and taking a switched-on approach will realise these benefits, while also mitigating any risks to data stored in the Cloud.

At the centre of this remains the notion that 'remote access' doesn't mean 'remote responsibility'. 

No comments:

Post a Comment