In a British sketch series from the 1990s, people became accustomed to seeing scorching sunshine covering a weather map, year after year, until the day when a cloud appeared, sending everyone into panic. Those of us who work in the field of information security may have harboured similar thoughts about cloud services. However, times have changed, and companies understand the business opportunities offered by cloud services better than before, and that includes the information security department.
Although the speed, agility and efficiency of cloud services are clear benefits over traditional IT systems, a thorough risk analysis should not be forgone when cloud services are deployed. In addition to new opportunities, there continue to be factors that demand preparedness, although they may be different than before. So what should be kept in mind when using cloud services?
A precise division of responsibilities
The large cloud service providers comply with recognised international information security standards such as ISO 27001 and PCI DSS. The service providers' businesses are dependent on customers' trust, so they monitor their operating methods closely. Basic information security components are provided in the cloud, and these should be utilised.
However, it is important to remember that the service provider is only responsible for its own cloud service platform and for the security of its own operating methods (security of the cloud). In contrast, the user is responsible for protecting the data stored on the service from internal and external threats (security in the cloud). One simple way of thinking about the division of responsibilities is that you are responsible for what you own. The infrastructure is the service provider's responsibility, but you cannot shift the responsibility for stored data onto anyone else. So remember to protect your data appropriately, both technically and administratively.
Cost-efficient basic protection, additional security through encryption
A dedicated company data centre can be thought of as a house – the owner is fully responsible for keeping it secure. Houses can be made very secure using durable structures and alarm systems, but the costs may outweigh the benefits. Cloud services can be thought of as blocks of flats, where the costs of security solutions are shared among all of the residents. Your neighbour can access the stairwell but no other residents have the keys to your flat. You make most of the decisions concerning the security of your flat. You only have yourself to blame if you leave the door unlocked and the windows open.
In blocks of flats, the caretakers usually have a skeleton key, which enables them to access any flat in the event of an emergency or in accordance with agreements. However, the owners of flats trust the caretakers. In this analogy, the caretakers are cloud service providers such as Amazon, Microsoft or Google.
Some people may wonder whether the service providers are able to access the data stored in the cloud by using a "skeleton key" as in the analogy. From a technical standpoint, this may be possible, even if security processes are very well designed, but preparations can be made to combat this risk by using appropriate encryption. However, data security breaches targeting systems built in the cloud may be more likely than malpractice by the service provider. The damage done by a data security breach can also be mitigated by encrypting the data stored in the cloud, so one solution can mitigate several risks. Depending on the cloud environment, several workable alternatives are available for encryption, so the cloud service and the business criticality of the data will guide the selection of encryption and key management arrangements.
Incidents may occur, so make plans for recovery
One of the clear strengths of cloud services is the ability to recover from faults. Service providers have made major investments in continuity management, and failures affecting individual components – or even entire data centres – do not usually give rise to long service outages. All services sometimes suffer individual disruptions but users of cloud services are offered a substantial degree of fault tolerance by default. If a company built the same functions into its own data centres, it would need to make major investments, whereas cloud services spread the costs among a significantly larger user base.
Cloud services can also be used to back up systems operating in conventional data centres in almost real time. If a catastrophic incident occurs, the services can be started up in the cloud, minimising the time taken to recover and the costs involved. The transition to the cloud does not need to be carried out in one step – conventional data centre services can be supplemented with cloud services as the need arises. In terms of backing up and restoring data, the cloud provides the benefits of flexibility and reasonable costs.
It is also possible to prevent denial of service attacks using the protection provided by cloud services in a highly efficient and tailored way. However, this also requires the customer to take an active approach, although the most common attacks are usually prevented automatically by cloud services. The infrastructure required to prevent attacks is already in place in the cloud, so why not make use of it, particularly for business-critical services?
Look after access rights and remember to monitor service usage
When data stored on the cloud falls into the wrong hands, it is usually the result of inadequate information security procedures by the user and not an error by the service provider. Risks caused by users may include negligent maintenance of servers, inadequate user management or user accounts surrendered due to phishing.
A good example of an easy and practically free method of improving information security is to use multi-factor authentication (MFA). There are plenty of other cheap and easy means of improving other areas of information security significantly.
Cloud services also offer a wide range of management and monitoring tools, many of which can be used for no additional charge. Tools exist to facilitate work such as user management, authentication and monitoring potential attacks, as well as for monitoring different services. There are many maintenance-related procedures that may not immediately spring to mind but that can improve information security. For example, automating the maintenance and construction procedures for services or networks can reduce the risk of human error, while also reducing unnecessary sign-ins by administrators. The time saved on routine maintenance can be spent developing information security management procedures, information security training or perhaps a new business idea, discussed over an extra coffee break.
No service is ever 100% secure, but in-depth planning and risk management enable cloud services to reach figures that are just as good or even better than conventional data centre services. Cloud services and conventional infrastructure can just as easily be operated side-by-side to make the most of each type of service.
It should not be forgotten that even though technologies have changed, the basic principles of information security have remained relatively constant. The useful information security expertise that has been obtained and put to use with conventional infrastructure should not be thrown on the scrap heap when the switch to the cloud world occurs. Many of the methods and habits apply equally to the cloud, so there is no need to reinvent the wheel.
There is no need to forgo the new opportunities offered by cloud services on account of information security worries. Profitable, flexible and secure can nowadays be used side by side in the same sentence.