Article by my colleague Anthony Caldwell.
This article describes some of the issues associated with security in cloud computing, where a successful breach of a cloud computing facility could yield a lot of sensitive corporate data. While encryption of data at rest and due diligence when selecting cloud service providers are laudable, it is recommended that companies considering a move to cloud-based solutions create and implement policies that address such concerns sooner rather than later.
Climate Change to Climate Control: Securing the Cloud Computing Environment.
Back in 2012, FBI Director Robert Mueller told a gathering of security professionals at RSA’s annual conference in San Francisco that “There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again”. Recently, a climate of change has brought significant economic benefits to cloud computing, with some commentators predicting that cloud computing sales will be in excess of €40bn ($55bn) by 2014. Cloud computing firms offer robust, scalable and cost-effective defenses, and it is worthwhile investigating what will suit a particular business. Security concerns centre on separation of nodes, the data handling standards adopted by the cloud computing service, redundant mechanisms which deal with disaster impact, and the quality of the encryption/security mechanisms at the source and during data transit. Despite the promises made, a climate of skepticism may need to be maintained so that security frames the implementation of rapid advances in this area. With the advent of mobile, BYOD (Bring Your Own Device) and cloud computing technologies, data security faces significant challenges and complexities as regards protecting data in transit and at rest. While today’s web applications are designed with user friendliness in mind, application developers also create interventions which attempt to ensure that the application data and its users are kept safe from the malicious user. High profile corporations such as TJX and Sony (in the breach affecting PlayStation users) have fallen victim to major, costly security breaches. Research indicates that security cultures develop as a response to security threats and are manifested as security practices and policies. On that basis, it may be prudent to consider a holistic perspective on the security of an organization; indeed, it is clear at this point that security extends beyond the IT department.
There exist significant security risks that commercial enterprises and government bodies must be aware of before committing to relocating their organizations’ assets to a cloud-based platform. Cloud-based storage essentially requires that organisations relinquish direct control over the hardware and physical locations of their servers, leading to difficulties in data segregation and regulatory compliance. This means that cloud service providers themselves are seen as major targets given their (soon to be) high profile clients. A successful breach of a cloud computing facility could yield a lot of valuable data for a cybercriminal, and it is predicted that firms may be subjected to hack attempts on this platform. Information security professionals, managers and decision makers need to understand the risks as well as the potential benefits that cloud computing may have. While cloud computing offers lower total cost of ownership, the significant security vulnerabilities noted by security experts are difficult to ignore, particularly if the large-scale transfer of data to the cloud proceeds without sufficient redundancy systems in place.
There are external and internal elements to consider. Externally, technological improvements such as encryption and node hardening techniques are welcome. Internally, comprehensive process and training programs on cloud security are needed to ensure employees are aware of the challenges posed by this new paradigm, to mitigate any violations of corporate responsibility and accountability and thus protect the organization. Critical steps include the encryption of data before storing it in the cloud, and due diligence when selecting those cloud service providers who offer transparent security measures; back-up and failover provisions are likewise important when moving to the cloud. To date, companies considering a move to cloud-based solutions have been slow to create and implement policies that address such concerns. Cyberthreats evolve at an alarming rate, and it is wise for organisations to test the efficacy of their systems regularly. If an organization waits until a security incident occurs to pay serious attention, by then it is usually too late.
Anthony Caldwell holds an MSc in Experimental Physics and an MPhil in Information Systems Research, is currently engaged in PhD research in science education, is SSCP certified, and works as an application security engineer and independent security researcher. He has published work on modeling user behaviour in response to cyberthreats using structural equation modeling techniques, the Zed Attack Proxy, and web application security.