The growing adoption of cloud technologies brings with it new cloud security and data protection issues for the IT head to consider. In the case of both in-house and outsourced clouds, Cloud Security is something that should be at the forefront of the IT head’s mind. There are several additional concerns if an organisation adopts an outsourced service provider to host their installation.
In both cases, the organisation must have a Data Protection plan in place to ensure that it is up and running again as fast as possible after an incident.
What specific Cloud security threats need to be understood and guarded against?
The FBI have stated that most data losses and successful data thefts are caused by employees, either deliberately or by accident. The first area to address is, therefore, implementing industrial-strength anti-malware security against malicious or accidental attack. It applies equally to in-house and hosted cloud environments.
Obviously, in the case of a hosted environment, it is the responsibility of the hosting organisation to demonstrate that they have sufficient safeguards and recovery procedures in place to mitigate data loss. That should be a non-negotiable requirement during the selection process. If you are not satisfied, that is the strongest possible no-go indication.
The hosting service provider has similar but differently focussed concerns. He needs a secure working environment, with levels of access control to management and operational areas at an absolute minimum. He needs an industrial-strength anti-malware environment: software, appliances, policies and procedures.
He needs to manage client implementations to prevent data leaks between different clients and to prevent clients hacking into the data repositories and cloud environments of other clients. He needs to manage employee security profiles to prevent, as far as is possible, employees having access to client data and copying it onto removable media. He needs to make sure that his data protection plan is sufficiently secure and robust to give clients confidence that he can recover from an incident quickly, efficiently and completely.
Finally, he needs a set of reporting and diagnostic tools that will alert him immediately to any attempt to alter, destroy or steal information.
On-Site Cloud environments
In general, the security threats an internal cloud environment faces are the same as those of the hosted environment. The IT Head has more discretion, but also faces more dangers.
A cloud environment implemented in the data centre is in principle no different to a traditional environment. The difference is that, in a cloud environment, critical data may be held outside the data centre. For example, Fog Cloud Computing techniques may be used to hold Internet of Things data at the edge of the corporate network as part of an automated control environment, such as an automated vehicle control system. In an enterprise, campus or research network, critical data could be held in departmental servers distant from the data centre, perhaps even on other sites. Access to and backup of that critical data need to be managed.
Access to Data and Systems
Screening of employees and management of their access to corporate data should be mandatory and regularly refreshed.
The first area to lock down is the use of removable media. The transfer of information using flash drives is very common and it is easy to steal information using a thumb drive. In an environment supporting confidential or secure data, it may be necessary to prevent the use of USB ports.
Where an organisation runs multiple cloud environments, measures are needed to prevent data leaks between different environments and to prevent unauthorised users from hacking into cloud environments.
BYOD and Remote Access
Another major and growing issue is BYOD, where employees use their own laptops or smart devices to connect to the corporate network. That is another open vector for data loss or theft. An organisation needs to consider very carefully whether it allows BYOD and, if it does, the extent to which data can be downloaded to those devices. It may be necessary to block downloads and allow access to data on the server only. Controlling BYOD and data access is not a trivial technical issue.
Finally, in this category, remote access has similar issues to those of BYOD. Many mobile users, for example sales staff, use a remote connection, probably over a secure VPN, to connect to home base systems. Assuming that the VPN is actually secure, and many supposed secure connections are not, the same issues as BYOD then present themselves.
Cloud security threats are fundamentally the same as those of traditional environments. Countermeasures and remedial actions are, however, complicated by the decentralised nature of data storage in some enterprise-level clouds, and the increasing linkage of cloud environments with digital transformation, IoT and BYOD implementations.