Trial Today Get in touch
close
Wednesday August 14th 2013 | 11:20

Ahead in the Cloud: Remaining secure with cloud computing

Championed as a revolution in computing solutions, Cloud offers benefits for organisations across all sectors; however IT heads need to be switched on to the security issues around storing and accessing data in the Cloud.
 
Bringing the Cloud closer to home
The term ‘cloud computing’ is somewhat deceptive. Not only does stored data reside in servers based very firmly on the ground, but the phrase is also reminiscent of fluffy balls of cotton wool floating innocently overhead. Through its very name, therefore, Cloud creates distance between organisations and their data – a false sense of security that a user’s responsibility is removed purely because data isn’t being stored on their premise.

The reality, however, is somewhat different.
 
In a survey carried out by PricewaterhouseCoopers, only just over half of European businesses recognised data security as a major risk of cloud computing, begging the question of how well-informed organisations are about the potential threats of using Cloud.
 
The Cloud Security Alliance (CSA), meanwhile, has identified the ‘NotoriousNine’ threats posed by cloud computing in 2013. Headlining this list are:
 
  1. Data breaches
  2. Data loss
  3. Account or service hijacking
Data breaches
Information stored in the cloud is just as susceptible to data breaches – whether malicious or caused by human error – as that stored in on-premise servers. Information storage firm Evernote is one recent example of a malicious data breach affecting users’ personal information. Although the California-based company insists that there’s no evidence to suggest that payment details or content was breached, user names, email addresses and encrypted passwords were – causing untold concern to users and reputational damage to Evernote.
 
Human error, meanwhile, often occurs when using Cloud to share data with others. A lack of verification processes, for example, can lead to unintended recipients being able to access information. In addition, human error can cause data breaches through inadequate control over whether a recipient can share information, either electronically or in hard copy. The ability to restrict or revoke access is invaluable when sharing highly sensitive data, stopping users from forwarding, printing or even accessing information, as required.
 
So, how can Cloud data breaches be prevented?
 
It all hinges on knowing what legislation can be applied to your data. One aspect of this is the idea of ‘data residency’: where you data is stored and what jurisdiction it subsequently falls under. Secondly, be aware of the limits of this legislation – the US Patriot Act, for example, is not only applicable to data stored in the States, but also to organisations with a parent company located in the US and those using American subsidiaries for data processing.
 
Before procuring Cloud services, therefore, read up on any laws that your data or company might fall under. The recent revelations from the US involving the scale of the NSA’s programme of data surveillance and use of the Patriot Act in order to obtain information have demonstrated why this is so important.
 
Next decide on what information will reside in the Cloud and how secure it needs to be. Ensure that you have the correct level of access control – for example, data in the Cloud can be encrypted, so as long as users remember passwords and other authentication means, the data will be secure.
 
When sharing data using Cloud-based services, meanwhile, it’s important to maintain control. Some solutions will only secure data in transit; however more sophisticated encryption services can ensure that it is only accessed by the intended recipient and offer full control over what they can do with it.
 
Data losses
While permanent loss of data can be caused by physical disasters – such as fires, floods or earthquakes – software and human error are also culprits. Consequently, a proportion of data loss is actually caused by preventable means, such as users forgetting passwords or accidental deletion by the provider.
 
And yet it really doesn’t matter who’s to blame – service provider or customer – the end result is the same: reputational damage and, consequently, revenue loss.
 
Again, preventing permanent loss of data comes back to the service level agreement and data residency. You need to know that your Cloud provider is backing up the data they’re storing, as well as where that data is backed up. You need to also contractually ensure that the backed-up data is monitored and able to be restored with just a few clicks.
 
Account or service hijacking
Duplicated credentials and passwords, in addition to more ‘traditional’ methods such as phishing and exploiting software vulnerabilities, all pose a risk to data stored in the Cloud. Thus cloud computing simply adds another avenue for hijack. As acknowledge by the CSA, hijackers can access information to, amongst other activities, eavesdrop on information and transactions, as well as direct customers to illegitimate websites.
 
However, steps can be taken to mitigate this risk.
 
As an organisation, prohibit the sharing of credentials between individual users, as well as with service providers. Similarly, employees should be discouraged from duplicating usernames and passwords, while further protection can be provided by multi-layer authentication, preventing one hijack leading to another elsewhere. Remember to always remain vigilant of unauthorised activity – the sooner this is detected, the sooner it can be dealt with. Finally, when engaging your cloud provider, make sure you have a full understanding of their security policies and service level agreements.
 
A switched-on approach
Cloud requires a more managed approach than some firms have previously taken. However, it remains one of the most cost-effective and efficient revolutions in computing – and taking a switched-on approach will realise these benefits, while also mitigating any risks to data stored in the Cloud.
 
At the centre of this remains the notion that 'remote access' doesn't mean 'remote responsibility'. 

More from our bloggers


Previous Article
Fax faux pas – does the Bank of Scotland ICO fine signal a harder line approach to DPA policing for the Private Sector?
Top Story
What is “human layer security”?
Next Article
Buying British: Data security in the Cloud and the effect of PRISM

Labels: data security, cloud

footer_cesg_2018_258x100 footer_skyhigh_89x100 NATO Common Criteria footer_bsi_iso_178x100