It’s a question that business leaders must ask when considering adopting cloud technologies – is your data going to be secure in someone else’s hands?
There’s no denying that securing applications and data across an increasingly diverse range of computing environments is challenging. On the one hand, today’s business leaders are under constant pressure to innovate and keep up with a rapidly evolving market. On the other, security presents a constant thorn in their sides in an age when major data breaches make headlines almost every day. But, while the naysayers might dismiss cloud technologies as disruptive and inherently less secure than traditional in-house computing, they’re missing an important point.
The reality is that it’s generally not the cloud itself that’s the problem. As with almost all data breaches, the human element is usually to blame. This might include factors such as inefficient risk assessments, mismanaged access controls, poor data redundancy and a variety of other threats, most of which stem from within the organization. The common misconception that the cloud is the source of these challenges is why software-as-a-service has yet to become an established and trusted way of doing business in many parts of the world.
Dispelling the myth of cloud (in)security
Let’s get one thing straight: the world’s major cloud data centres – operated by the likes of Amazon, Google and Microsoft – are some of the most secure environments on the planet. This really shouldn’t come as a surprise, since these companies are some of the most powerful in the world. They have access to the financial resources, expertise and bleeding-edge tech on a level that few organisations could ever dream of having. Not only do they have 24/7 physical controls like security guards, video surveillance and perimeter fencing akin to that of a maximum-security prison, they also offer administrative and technical controls to safeguard the data in their care from hackers.
Information security and integrity are at the very core of what these major technology providers do, hence they strive to eliminate every single point of failure with built-in redundancies and automated rollovers. They distribute data across many different machines in many different locations to protect it from threats like natural disasters and hardware failures.
The cloud potentially offers improved security from an administrative perspective by reducing the need for customer-controlled security layers. Some cloud providers and server colocation vendors also offer a fully outsourced security operations center (SOC), which is ideal for smaller businesses, who are often targeted en masse by threats like phishing scams and malicious advertising. Even in cases where migrating to the cloud doesn’t provide improved information security, the greatly reduced capital expenses can offer more financial control to invest in security.
So, where do the threats come from?
Now, I’m not saying that the world’s biggest data centres are impenetrable fortresses – but they’re the closest thing to it. Why is it then, that major data breaches targeting cloud-hosted digital business assets are always making headlines?
The weakest link isn’t the technology – it’s the people. This is often the case when managing complex, hybrid cloud environments in which businesses use a blend of public infrastructures (like Amazon Web Services (AWS)) and an on-premises or hosted private cloud consolidated across a wide-area network (WAN). However, with the right approach, the hybrid cloud brings multiple benefits, such as decreased capital costs and greater flexibility.
Here are the main threats to hybrid cloud security you need to overcome:
Mismanaged access rights
One of the greatest advantages of cloud-hosted resources is they’re accessible from any device with an internet connection. This can also be its greatest drawback in an age when social engineering attacks dominate the world of cybercrime. After all, cybercriminals aren’t always stereotypical hackers staring at lines of code whizzing across a monitor. Instead, they increasingly rely on tactics of subterfuge and manipulation to encourage their victims to surrender confidential information, such as login details. Social engineering tactics are often used to put their malicious code to work.
To overcome these risks, IT administrators must enforce multifactor authentication (MFA) to reduce reliance on passwords. This way, those accessing the system, particularly from an unknown device or network, will need to verify their identities with a secondary authentication method. This might be a fingerprint scan or a temporary security token like an SMS code. Because the secondary verification method is dynamic, or an innate characteristic of the user (like a retinal scan or fingerprint), it’s far better protected from social engineering attacks.
Hybrid cloud deployments depend on application programming interfaces (APIs) to ensure the interoperability between different infrastructures – such as in-house data centres, public cloud resources and hosted private clouds. These serve as conduits for ensuring the seamless flow of data between the two systems to provide an uninterrupted experience for end users. But when unprotected, these API endpoints can leave sensitive data exposed. This vulnerability is often exploited when data is being transmitted across insecure devices and connections. Other attacks may exploit misconfigured APIs to coerce the system into doing something that would lead to its compromise. For example, attackers started exploiting misconfigured Kubernetes APIs to issue commands to it; in doing so, they downloaded and launched a malicious payload from outside.
Since APIs are effectively gateways – access points into a public cloud application or service – IT administrators need to take extra steps to secure the data that flows through them. The easiest way to protect it is to ensure that data never leaves an endpoint unencrypted. This way, even if a hacker does get their hands on data exposed by a vulnerability in the API, it will be unusable to them. Today’s AES-256 encryption algorithms would take 3×1051 years to crack without knowing the encryption key, by which time even the youngest and most patient hacker might just give up.
Insecure third parties
In hybrid cloud environments, your vendors are an additional source of risk. 181 third-party vendors access the average business network every week, leading to two-thirds of companies experiencing data breaches linked to one of their vendors. Unfortunately, some cloud vendors are vague when it comes to critical factors like data ownership and governance. They may not have the necessary controls in place to ensure that your data is safe during its migration to the cloud or when it’s hosted on their own servers.
To reduce the substantial risks posed by third parties, businesses must carefully vet any cloud vendors they choose to work with. Enterprise managers must always verify data ownership and security controls and ensure that everything is clearly defined in their service level agreements (SLAs). They need to know exactly what the provider does with their data, which access controls and permissions they have in place, and which resources they provide if something goes wrong. Any agreement should ideally be reviewed by an attorney before signing.
Breaches of regulatory compliance
Even if you have all available security measures in place when migrating data to the public cloud, there’s still the matter of compliance. Many data-processing regulations, for example, require data belonging to citizens of a particular country to be stored in the same territory. In some ways, this contradicts the very ethos of the cloud as a decentralized and distributed computing environment. To further complicate matters, most cloud providers cannot guarantee the physical location of your data, although there are some exceptions: AWS, for example, can work in regional mode to avoid moving your data out of the territory.
Fortunately, hybrid cloud deployments are ideally suited to highly regulated industries, since they provide more control over where data is physically stored. For example, a healthcare provider subject to HIPAA and HITECH regulations might keep patient health information (PHI) in a private cloud such as an in-house data centre or server collocation facility. A GDPR-compliant company might do the same to ensure that customer data remains in the EU, while business applications are moved to the cloud. In the end, the hybrid model gives you more control over where your data is stored and how it’s protected.
Hybrid cloud computing – the first step towards innovating at scale
The key to successful hybrid cloud deployment is a security-first approach that provides IT administrators with full visibility into their digital assets. With the right management solutions and software layers, enterprises can build a single cohesive environment that incorporates the best of both worlds. A hybrid cloud deployment is no more or less secure than on-premises virtualisation, but with the right approach, it can become even more secure. All it takes to get started is to select a cloud security product that’s scalable and adaptable to your needs.