There are two key factors driving the development of cloud services. The first is cost: the economies of scale that can be achieved by storing data or hosting applications in the cloud can result in significant savings for any business. This includes savings in capital expenditure and the cost of maintaining in-house systems. The second is flexibility. Not only can data be accessed any time, any place, anywhere, and from any device, including laptops, tablets and smartphones, but the cloud also allows provision to be as elastic as the demands of a business can be.
However, as cloud adoption increases, it's likely that the number of security threats targeting cloud systems will also grow. The concentration of data in one place, belonging to multiple 'tenants', makes cloud providers an attractive target for cyber criminals wishing to steal, modify or erase huge volumes of data in one fell swoop. It also makes them a target of those seeking to disrupt business activities to make a social, political or economic point - so-called 'hacktivism'. Recently, trust in cloud storage has been undermined somewhat by the Snowden leaks and growing fears about privacy.
Cloud security (as with enterprise security in general) is not simply about deploying technical defences. It's clear from the targeted attacks we have seen in recent years that cyber criminals consider humans to be the weakest link in a company's security chain. Many attacks, notwithstanding their technical sophistication, begin by 'hacking the human': for example, tricking staff into disclosing information that allows the attackers to penetrate corporate systems. This is likely to prove just as successful a lever in launching attacks on cloud systems.
After all, cloud providers, like organisations of all kinds, employ sales, marketing and other non-technical staff (and we know that even technical staff can be duped into doing something that jeopardises corporate security). There have been a number of well-publicised attacks on cloud providers in recent years – victims include Google, Sony, LinkedIn and Dropbox. The Sony and Dropbox breaches highlight a key issue that is of concern for businesses and consumers alike – the dangers inherent in recycling passwords for multiple online accounts. If one account is compromised, other accounts are then at risk.
Another problem is that as businesses outsource the handling and storage of their data, they may also tacitly outsource responsibility for the security of the data. In fact, it is the business's responsibility if its provider's systems are breached, and its data or its customers' data is exposed.
So before outsourcing to a cloud provider, businesses need to assess the potential risks in just the same way that they would if they were managing internal business processes and systems. This includes staff education: after all, if an employee's login details are phished, this provides cyber criminals with access to corporate data, wherever it's stored. There are also other issues that need to be considered. These include where the company's data will be stored geographically, the legal jurisdiction that will apply to the data, what steps will be taken to secure the data on their provider's systems (including how it will be secured from other tenants of the cloud provider) and the logistics involved in migrating the data to another provider in the future.
Organisations should develop a corporate security strategy as the foundation of all aspects of security in the enterprise. Companies must then review it regularly to take account of new technologies, business processes and cyber-crime methods. By having a flexible strategy that can adapt to the above, any business can ensure a smooth and secure transition to the cloud.
Contributed by David Emm, senior security researcher at Kaspersky