You will always hear news reports about high-profile data breaches of cloud-based systems. But do cloud environments really have more security issues, or do we only hear about these attacks because they involve big household names? In this article I will address the security concerns of cloud computing, argue that cloud environments are no less secure than traditional on-premises systems, and explain why. I will also discuss some of the mitigation and contingency strategies that businesses should be adopting regardless of where they keep their data.
Although I’ve titled this article 5 Key Security Concerns, in reality there are only two: losing your data, and having someone else steal a copy of it.
Everything else is a subset of those two, but each is worth separating out and discussing in more detail.
1 – All the ways you can lose your data
Ever since people started keeping records they have had to take measures not to lose them. As soon as information was kept on computers, people realised it had to be backed up so it could be restored after a disaster, a hardware failure or an accidental deletion.
Here are just some of the ways you can suffer data loss on traditional on-premises systems:
- Data stored on a file server that is not backed up; the server then loses its data to disk failure, malware, user error, software error, fire, flood or theft.
- Someone breaks into your premises and steals your servers
- Ransomware encrypting the server
- Backups never checked for errors, so they simply won’t restore when they are needed.
- Restores never tested, so when disaster strikes the restore doesn’t work, or the personnel on duty don’t know how to perform it.
- Tapes or disks lost or stolen from wherever they are kept offsite overnight.
- Cloud backups that work but restore so slowly that the outage dramatically affects the business’s profits and reputation.
- Weak application security that lets users access data they shouldn’t be able to see, or delete data inadvertently.
If I could offer only one piece of advice it is this: back up your data, and keep the backup offsite. It is your only get-out-of-jail card. Equally important: check that you can restore your backups, practise recovering from a disaster, train your IT personnel, document the process and, if you can, back up the backups, keeping at least one copy offline or otherwise unreachable from the production network, because more and more malware now deliberately targets backup systems.
Cloud environments have their own vulnerabilities, and the list above applies to cloud systems to a large extent, so the message still holds: if you can, arrange separate backups of your cloud data.
How cloud services protect your data
Cloud-based services are run from large commercial data centres. The data centre will either be owned by the cloud provider (AWS, Google or Microsoft Azure, for example) or, in the case of cloud apps, be a third-party commercial data centre with its own security teams. Either way the data centre will have a number of security measures that mitigate some of the risks listed above.
- The data centre will be physically secure with barred windows (or no windows), 24-hour security teams, restricted card key access to data centre areas, entry to the site has to be pre-booked from a pre-registered phone number and require photo ID. Individual racks containing servers and switches will be padlocked.
- Data is protected from fire and flood with technology such as smoke detectors that pick up particles from overheating wiring before it catches fire, and long before any human could smell burning. Fire-suppressing gas extinguishes a fire without endangering people or damaging equipment. Underfloor flood alarms detect water before it becomes a problem.
- Data centres also help to prevent temporary interruptions to data availability by having multiple Internet connections, multiple banks of uninterruptible power supply (UPS) batteries, multiple power feeds and multiple diesel generators that kick in within seconds of a power cut before the UPS batteries start to drain.
How many of these security solutions does your traditional on premise server have?
Cloud applications are used by thousands, sometimes millions, of users. The cloud service provider will have enterprise-level backup systems and possibly replication of data from one site to another. Because they benefit from economies of scale, this comes at a reduced cost for individual users and businesses.
If you are hosting a server in the cloud then you will still need to back up the server and its data, either using the cloud provider’s own backup system, a third-party cloud backup solution or, better still, both.
Remember that the security of your data is your responsibility. If you run something like OneDrive synchronised to your PC and that PC is encrypted by ransomware, the sync client will faithfully upload the encrypted files, so the copies in your cloud storage are encrypted as well. Synchronisation is not backup. Make sure you use a backup solution that keeps point-in-time copies so you can restore from previous days.
2 – Data theft and data breaches
When data is stolen rather than lost, you still have your data but someone else has a copy of it. Motivations for data theft vary: sometimes it is simply to extort money by way of a ransom, or to steal credit card numbers. Websites are hacked so that the usernames and passwords can be sold on the dark web. Data theft can also be industrial espionage, stealing trade secrets. Unfortunately, nowadays there are also state-backed cyber-attacks against other nations for political reasons, and some ransomware attacks have taken down systems globally as collateral damage, caught in the crossfire of one state trying to destabilise another.
So, are cloud services more vulnerable? I would argue not. Certainly the impact of a successful cyber-attack on a cloud service will affect more people and businesses, but that is the impact component of risk, not the probability. Cloud services have the resources to deploy enterprise-level firewalls, web filters, anti-malware and other security solutions that the average small business simply cannot afford.
Of course, pretty well every business runs the risk of a data breach simply because it has to: businesses cannot operate without email or internet access. The large majority of data breaches start with an email, and phishing emails that dupe the reader into entering a username and password into a fake website are becoming more and more sophisticated. A phishing email containing nothing more than a link to a dodgy website carries no virus, so anti-virus software will not pick it up. It doesn’t matter how sophisticated and expensive the perimeter firewalls or the anti-virus software are: if your users inadvertently hand over their passwords, your data is as good as gone.
One solution to this is Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA). MFA works by checking something you know (your password) together with something you have, such as your desk phone, your smartphone or a hardware token. MFA is becoming mainstream for cloud environments and can also be deployed for traditional on-premises infrastructure.
Not only does MFA stop an attacker who has only your password, it also alerts you to the fact that your password has been stolen, so you can change it quickly. Be aware that phishing kits exist which relay the one-time code to the real site in real time, so where you can, prefer phishing-resistant methods such as hardware security keys over codes typed in by the user.
3 – The issue of compliance
You don’t want to lose your data or have someone else steal it, that’s obvious, but if you look after other people’s financial or medical information, or sensitive personal data of any kind, then the regulatory authorities also want to make sure your security approach is robust and is actually followed. Satisfying the checklist of requirements to comply with regulatory bodies is an expensive business with on-premises infrastructure. This is where cloud computing can be your best friend.
Providers take cloud security seriously and will already have gone through the pain of compliance on your behalf; they need to in order to attract and retain customers from the financial services and healthcare sectors.
Look for cloud providers who are certified to ISO 27001 for their information security management system. Importantly, check that they don’t just state that “their data centre” is certified. Yes, the commercial data centre they use needs to be ISO 27001 certified, but that is only the bricks and mortar; the service provider maintaining the servers and security infrastructure needs to be certified as well.
4 – The many forms of Cyber Attacks
We’ve discussed how phishing emails can be used to capture your passwords for online services, but there are various other ways cyber criminals try to get at your data.
Viruses and Malware
Probably the most common method attackers use is to get some form of malware onto users’ workstations. It arrives as an email attachment, or via a website that the user was duped (by email) into visiting. Targeted attacks may arrive on free USB drives someone picked up at a trade show. The malware may include keystroke-logging software to capture passwords, or remote-control software.
These issues affect local infrastructure and cloud-based infrastructure equally. The advantage on the cloud side is usually a higher grade of anti-malware, managed updates to operating systems hosted in the cloud, and robust backup and restore procedures.
Hacking
While “hacking” is a fairly general term, it often means using known vulnerabilities in software, operating systems and hardware. The best, and cheapest, defence is to ensure you are always on supported versions of operating systems and always have the latest security patches and updates installed. This applies to on-premises infrastructure and workstations as much as to cloud infrastructure. If you have a managed cloud platform, make sure the provider looks after updates and will move you on to supported operating systems when required. If you run your own servers in AWS or Azure, make sure you enable automatic updates or have a robust procedure for managing critical updates.
Network Sniffing
No, it’s not a strange pastime: network sniffing is a form of attack where the attacker uses equipment connected to the same network you are on (a shared Wi-Fi network, for example) to capture and read the data packets transmitted from your device. The good news is that it is easy to avoid. Ensure that whatever service you connect to uses strong encryption to hide everything passed between you and the service from prying eyes. Use secure enterprise VPN equipment when connecting to your on-premises infrastructure, and make sure cloud providers encrypt traffic to their sites with TLS (HTTPS) and that your browser accepts the certificate without warnings.
Re-use of Passwords
OK, we’ve all done it: used the same password for lots of different websites. What does it matter if the website where you bought cat toys for Christmas gets hacked, as long as they don’t have your credit card details? Well, if they do get hacked, and the passwords are sold to other criminals, and you’ve used the same password for your email account, then the attacker can request password resets for everything you connect to: banks, social media, the works.
One of the biggest extortion scams going around is hackers emailing you with your favourite password to show they have it (the one they got from the hacked website that didn’t patch its software) then blackmailing you claiming to have compromising photos from your webcam. Which, of course they don’t, but a surprising number of people pay up. Of course, those that do are then sold on again as a “suckers list” so more people can try and scam them.
Our advice is, regardless of local or cloud-based services, always use complex passwords, different for every site, using a combination of letters, numbers and special characters, and make them as long as you can. Then use a reputable password manager and give up trying to remember them.
Social Engineering
Phishing emails are currently the most common form of social engineering, duping a user into typing their credentials into a fake website. Some targeted attacks involve people phoning employees, pretending to be from the IT department, and persuading them to hand over their username and password.
Another common social engineering attack is where criminals obtain, or convincingly spoof, a senior manager’s email and use it to email finance staff, last thing in the evening, asking them to pay money into an account urgently so the company doesn’t miss a deal. The high-pressure situation and the unwillingness of some employees to challenge the boss make this type of fraud more common than you would expect.
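The “pay this now, last thing in the evening” fraud described above has a recognisable shape in the mail headers and body, and that shape can be scored automatically before the message reaches the finance team. The script below is an added example, not code from the article or from any mail filter: it flags an executive’s display name arriving from the wrong mailbox, a look-alike sender domain, a Reply-To that quietly redirects the conversation, urgency-plus-money wording, and delivery outside office hours, then quarantines when two or more flags fire. The corporate domain, the executive list, the thresholds and both sample messages are constructed for the demonstration.

```python
"""Scoring inbound mail for executive-impersonation ('CEO fraud') traits.
Added example, not from the article. The corporate domain, executive list and
both sample messages are constructed for the demo."""
import email
import email.utils
from email import policy

CORP_DOMAIN = "example.com"                        # assumption: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumption: display name -> real mailbox
URGENCY = ("urgent", "asap", "today", "immediately", "confidential", "before close")
PAYMENT = ("wire", "transfer", "payment", "bank details", "invoice", "account")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> dict:
    """Return the impersonation flags raised by one RFC 5322 message and a quarantine decision."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    flags = []

    # 1. Display name of a known executive, but not their real mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        flags.append(f"display name '{name}' but sender is {addr}, expected {real}")
    # 2. Sender domain is a near-miss of ours (typosquat) or embeds our name.
    if domain != CORP_DOMAIN and (_edit_distance(domain, CORP_DOMAIN) <= 2
                                  or CORP_DOMAIN.split(".")[0] in domain):
        flags.append(f"look-alike sender domain {domain}")
    # 3. Replies are silently redirected to a different mailbox.
    if reply_addr and reply_addr.lower() != addr:
        flags.append(f"Reply-To {reply_addr} differs from From {addr}")
    # 4. Pressure plus money: the classic 'pay this now' wording.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(w in body for w in URGENCY) and any(w in body for w in PAYMENT):
        flags.append("urgent payment language in body")
    # 5. Sent outside office hours, when the target is less likely to check with the boss.
    if msg.get("Date"):
        hour = email.utils.parsedate_to_datetime(str(msg["Date"])).hour
        if hour >= 18 or hour < 7:
            flags.append(f"sent at {hour:02d}:00, outside office hours")

    return {"from": addr, "flags": flags, "quarantine": len(flags) >= 2}


# Constructed sample: the fraud pattern from the text.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.ceo.private@mail-example.net
To: accounts@example.com
Subject: Urgent payment
Date: Thu, 14 Mar 2019 18:42:00 +0000
Content-Type: text/plain; charset=utf-8

Hi, I need you to make an urgent wire transfer today to close a deal.
I'm in meetings, so reply here with confirmation. Keep this confidential.
"""

# Constructed sample: a routine message from the real executive.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 invoice schedule
Date: Tue, 12 Mar 2019 10:15:00 +0000
Content-Type: text/plain; charset=utf-8

Please send me the invoice schedule when it is ready next week. Thanks.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        print(analyse(sample))
```

Heuristics like these are a safety net, not a substitute for the procedural control the article implies: a payment instruction that arrives by email should be confirmed with the requester through a channel the email did not supply.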
Attacks against company web sites
Although they do not directly steal or destroy your data, attacks against websites and cloud apps can cut off access to it for a period of time. Criminals may attack websites for ransom, but the attacker may equally be a competing business or a disgruntled ex-employee. Some industries, political parties and government institutions are targeted by pressure groups or cyber terrorists.
Attacks against websites may be sophisticated direct hacks, or distributed denial of service (DDoS) attacks, in which malware distributed to thousands of PCs across the internet instructs them all to request the site at the same moment, so that it fails under the load.
5 – Threats from Insiders
Possibly the most worrying threats, and the hardest to control, are those posed by the people who work in your company. No one wants to think they have a rogue employee, but insider threats don’t have to be malicious: how many USB sticks or laptops containing sensitive data have been left on a train?
Employees or contractors with malicious intent will find it much easier to cause problems, but careless employees, or those simply unaware of the security concerns, can cause equal damage. A classic example is a customer of ours whose IT support person opened an unsolicited email containing a .pdf attachment, ignoring the warning from Outlook about opening attachments, ignoring the warning from Adobe about opening attachments, and then the zero-day ransomware encrypted his company server. Luckily we could restore it from backup and they were up and running again in a couple of hours, but this guy should have known better.
Many cloud security providers offer training for employees and security teams, and some run unannounced simulated phishing campaigns so you can spot the weak links in your team before a real cyber-attack causes problems.
Companies need to establish and regularly re-evaluate their security approach, and data security policies to minimise the risk from internal threats.
Apply strong access controls to specific data: if an employee doesn’t need to see a particular set of data, don’t give them access. Encryption on file servers protects against theft of the disks or backups themselves; against an insider who already has legitimate access it is least-privilege access control and logging of who accessed what that make the difference. Ensure the security features built into your software applications are reviewed and configured correctly.
Applications themselves need to have security built in, and here cloud applications may have an edge over legacy ones, because you can centrally control and audit who has access to what.
How to sleep at night
Data security is a very big challenge and needs to be taken seriously. In reality, cloud systems and cloud apps are no riskier than on-premises systems; in most cases they are considerably more secure, and often at reduced cost, because it is in the provider’s interest to protect you from data loss or data breach. Yes, you will undoubtedly hear about the occasional major breach at a big cloud provider; what you don’t hear about are the thousands, if not millions, of data breaches, ransomware attacks, thefts, fires and floods that hit traditional on-premises systems which simply cannot hope to match the level of security, resilience and recovery that cloud providers have.