While there are several questions about the security of data transmitted and stored in the cloud, here we address three chief concerns of businesses making the move.
1. Is the public cloud secure?
When you’re in a cloud with a shared hypervisor, what kinds of exploits are possible that can expose information in different virtual machines? Recently Brian Prince of Dark Reading explored the viability of exploiting private keys from other users from within a shared hypervisor. (See our response on this topic, here.) It’s not theoretical, and that’s what counts. Granted, this was achieved on one kind of hypervisor, but the fact that it is possible at all should convince any decision maker that such data breaches are unacceptable to the business. The hypervisor may be patched, helping achieve a greater level of security… or it might not.
Even in a dedicated environment, in comparison, you’re still vulnerable if you’re running an app or data in the cloud and you don’t have the security focus to begin with – i.e., you could be running something in a private cloud and still have many more security holes than the possibility of a hypervisor attack in the public cloud. The major difference, besides being more isolated in a private environment, is that someone perpetrating such an attack in the public cloud would have to know where your servers are physically located in order to be effective.
In the same way that any operating system is going to have issues (see Microsoft), if people want to deal with security in-house – patching the OS and the hypervisor, having a dedicated team that implements all best practices and tracks and monitors issues – it is entirely possible to do, but presents a huge expense. Most companies will not have the resources to do this.
Yes, there are risks associated with the cloud model of IT compared to a dedicated, in-house infrastructure. But they are not worse risks, per se — they are only different risks. Working with a managed service provider (MSP), for example, allows you to access cloud technology without having to hire, train, and maintain the in-house staff to achieve the desired level of security. With an MSP, you can often improve upon security checks since their staff is tapped into how the security tools being used are actually developing, and can proactively recommend better solutions.
If you are really worried about someone gaining access to your cloud in the public environment, then a dedicated, private cloud can provide a baseline separation of physical machines that would provide functional isolation of customer data (but would require further security measures to ensure complete safeguarding).
2. Does losing control of cloud usage present a threat to security?
The public cloud is an amazing resource, and is quickly becoming the jump-off point for many different business units innovating at unprecedented speeds. However, without monitored usage and approvals, an organization can spin out very quickly and the decision maker can swiftly lose control of which group is using what cloud for what end. It will be difficult to know what has been done, what was absolutely necessary, and what the total spend was, which makes predicting future costs much more difficult.
Even if people are comfortable with security, there is a control fear associated with costs, as well as with who is doing what with regard to where data is being used, how it’s been used, and ultimately, if it is vulnerable. Many companies are now offering services that allow the enterprise to monitor what business unit is using which service, enable them to spin up more resources from a centralized location, and reduce resources being deployed.
Do you have a vendor that can provide fixed costs, or at least more predictable costs? Some products may sell this in their marketing pitches, but often rely on cloud usage with minimal checks. With an MSP, companies can access a broader range of cost-controlling mechanisms and processes, all matched with technical support to proactively monitor usage. There are also a number of services that will plug directly into Amazon’s APIs and provide real-time reporting on usage. These services can also provide projections to help match spend to strategizing around future usage.
Additionally, these services can help ensure that you know which departments are using cloud, and that data being placed in the cloud is transmitted, stored, and used properly. If data contains any personally identifiable information, or anything else deemed proprietary, varying degrees of compliance must be implemented within the cloud architecture and associated processes. This comes with extra cost, but where data is concerned, not taking the full stock of available measures to achieve security and protection can seriously damage a business down the line.
3. Can issues around uptime impact security?
Even Netflix goes down. However, just because large companies are affected by cloud outages doesn’t make the issue of uptime any less important to customer data.
Did you use the right blend of resources when a service or application was launched in the cloud? Did you test your systems to understand where vulnerabilities could surface? Did you ensure proper redundancy and failovers so that no data will be lost in the case of another Superstorm Sandy?
Many companies can become attached to certain clouds (like Amazon) without matching that usage with the proper safeguards and redundancies. But when Amazon goes down (and it will go down), how often can a business say “It wasn’t us, it was Amazon” before it loses credibility and customers?
Interestingly, the very question of maintaining uptime for mission-critical websites and applications not only poses serious questions around customer data security in and of itself, but also highlights the potential threat to client relationships that makes data security in the cloud a necessary conversation in the first place.
Have you planned a proper disaster recovery contingency for your business? Are your business continuity needs being met? Are you compliant in all your failover locations? A seasoned MSP can provide a high degree of guidance in these areas, along with helping you achieve data security goals in the cloud. In the case of Sandy, many companies suffered beyond the initial storm damage since the data they were storing about their customers was compromised or lost altogether. Having a cloud partner who can provide best practices along with an experienced technical staff in such situations is integral to achieving both security and happy clients.
By Jake Gardner