Cloud computing has become a valuable and increasingly popular approach to digital technology that includes on-demand self-service, broad network access, software as a service, and much, much more. As businesses continue to explore cloud options for a number of applications, it’s critical that they assess and align specific needs with the appropriate cloud vendor and service early in the cloud transition. Misaligning them, or underestimating cloud computing risks, can spell trouble.
Cloud platforms and services available from technology giants including IBM, Google, Amazon, Salesforce, SAP and Oracle provide forms of IT service that offer users significant advantages over old-school, on-premises data centers.
For example, the users’ capital costs are lower and better matched to actual consumption; no hardware or software installations are required. Cloud-based IT infrastructure provides customers with rapid access to computing power whenever it’s needed.
Beyond that, the most significant misconception is that cloud services are protected 24/7 by armies of security experts, making them virtually bullet-proof. That vision of an impregnable fortress, safeguarding client data against all adversaries, is comforting – but it’s misguided.
Using cloud services actually carries its own set of risks – risks that are unique to the cloud provider’s own operating environment, as well as other risks associated with traditional data centers.
Clients who don’t recognize those risks and accept their own responsibilities for mitigating them are almost as likely to experience data loss and compromise as they were before migrating to cloud operations.
Understanding cloud computing risks
Understanding and managing these shared cloud computing risks is key to successfully utilizing a cloud service. And it is equally important to recognize the cloud is not a monolithic concept; clouds vary both in who can use them and in what they do.
For one thing, just as in meteorological cloud formations, there are also different computing cloud configurations.
They include private clouds, which are hosted internally and used by a single organization; public clouds, which are commercial ventures available to the general public; community clouds, which are only accessible to specific groups of users; and hybrid clouds, which include elements of two or more such arrangements.
Cloud platforms and services are owned and operated by different companies, each with their own policies, prices, and resources.
There are also differences in the types of computing services they offer. Infrastructure as a Service, or IaaS, controls user access to computing resources – servers, storage, network and so on – which are actually owned by the client.
Platform as a Service, or PaaS, controls user access to the operating software and services needed to develop new applications.
The third and most popular cloud operations product is Software as a Service, or SaaS, which gives users direct access to the client’s software applications.
For example, once they’re migrated to the cloud, client organizations lose a good amount of visibility and control over their assets and operations.
The monitoring and analysis of information about the company’s applications, services, data and users never loses importance, but it will need to take a different form than it did when the client’s own network monitoring and logging procedures were in place.
Before a client’s data ever gets to the cloud, it travels across the internet. Unless the user’s network and internet channel are secure, powered by strong authentication standards and encrypted data, information in transit is susceptible to exposure.
Vulnerabilities in shared servers and system software used by public clouds to keep the data of multiple tenants separate can be exploited, enabling an attacker to access one organization’s data via a separate organization and/or user.
Permanently removing sensitive data that a client wants securely deleted is difficult to confirm because of the reduced visibility inherent in cloud operations, which frequently involve data distributed over an assortment of storage devices. Any residual data can become available to attackers.
If a cloud service provider goes out of business or fails to meet your business and/or security needs, transferring data from that operator to another can be more costly in terms of time, effort and money than it was to initially become a subscriber. Additionally, each provider’s non-standard and proprietary tools can complicate data transfer.
Cloud operations are complicated by their technology, their policies and their implementation methods. This complexity requires the client’s IT staff to learn new ways of handling their information, because as complexity grows, so does the potential for a data breach.
Insider abuse has the potential to inflict even greater damage on the client’s data than it did before, due to the cloud’s ability to provide users with more access to more resources. Depending on your cloud service, the forensic capabilities needed to trace and detect any malicious insider may not be available.
The loss of stored data due to an accidental deletion or a physical catastrophe, such as a fire or earthquake, can be permanent. A well-thought-out data recovery strategy needs to be in place, but the client and service provider must work together to establish a secure and effective process.
Managing user identities – carefully controlling users’ identity attributes and regulating their privileged access – remains as challenging a task in cloud operations as it ever was in on-premises environments. Due to the nature of cloud services, the challenge in some cases can be much greater than in on-premises environments.
Providing appropriate levels of secure access for different user roles, such as employees, contractors and partners, is critical to protecting your cloud environment, making Identity Governance a high priority when migrating to the cloud. Cloud computing and security should constantly be thought of as joined concepts, not separate silos.
Cloud operations provide a variety of valuable avenues to exploit. And while the childlike faith that cloud platforms and services are immune to malicious attacks may be touching, it’s simply not true. Vigilance is as important as, if not more important than, it was before migrating to the cloud.