What are the risks involved in Cloud Computing?

Cloud Computing has gained in popularity by leaps and bounds in recent years.  More and more businesses are moving to private or hosted cloud platforms.  For example, hosted cloud technology on a shared platform lets small businesses use more sophisticated systems than they could otherwise economically justify.

As with all technology models, there are risks inherent in using cloud technologies.  Cloud Security is an issue for both in-house and hosted clouds. Some risks are common to both, but others are particular to hosted cloud solutions. Security issues can arise in respect of information management and technical software configurations.

Common Cloud Security Risks


The technical platform that supports the cloud environment is similar for both private and hosted clouds.  They are equally susceptible to directed attacks by hackers seeking to steal information or simply to disrupt operations.

The in-house or hosted platform must, therefore, be protected by industrial-strength anti-malware hardware and software. The software and the detection signatures must be kept up to date.  Users must also be aware of phishing attacks and trained not to follow links in emails, even if they seemingly come from a trusted source.

Data can be lost or damaged through user error or malicious attack.  Regular backups will protect against data loss, and it is vital to ensure that the backup schedule is maintained and that the backups can be restored.  Sometimes, backups that are seemingly usable turn out not to be because of faulty hardware or user error.
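One way to check that a backup can actually be read back, shown as an added example that is not part of the original article: a checksum manifest is recorded at backup time and every file is later read out of the archive and compared against it. The tar.gz format, the function names and the sample files are assumptions made for illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def build_manifest(source_dir):
    """Map each file's relative path to its SHA-256, recorded at backup time."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write every file under source_dir into a gzip-compressed tar archive."""
    root = Path(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(root.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=p.relative_to(root).as_posix())


def verify_backup(archive_path, manifest):
    """Read every file back out of the archive; return a list of problems."""
    problems, seen = [], set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
                seen.add(member.name)
                if member.name not in manifest:
                    problems.append(f"unexpected file: {member.name}")
                elif digest != manifest[member.name]:
                    problems.append(f"content mismatch: {member.name}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        # A truncated or damaged archive fails here even though the file exists.
        problems.append(f"archive unreadable: {exc!r}")
    problems += [f"missing from backup: {n}" for n in sorted(set(manifest) - seen)]
    return problems


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed sample
        archive = Path(tmp) / "backup.tar.gz"
        manifest = build_manifest(src)
        create_backup(src, archive)
        print(verify_backup(archive, manifest))
```

Running the check on a schedule, against the copy held on the backup media rather than the one just written, is what catches faulty hardware.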

Another common risk is that of information theft by a user.  Confidential information can be stolen by copying it onto a flash drive, sending it out in an email, or uploading it to cloud storage such as OneDrive or Dropbox.

Specific measures need to be taken against information theft: denying unauthorised users access to the information, preventing data from being copied to and from cloud storage, and disabling USB ports on attached PCs.

Some email implementations allow data and email security levels to be set up.  In order to be able to email data with a specific security level, a user must have a corresponding security level.

If access is by user-provided equipment in a Bring Your Own Device (“BYOD”) environment, preventing data theft by copying it to an attached device cannot be easily implemented.

Hosted Cloud Security


In a hosted cloud, the cloud environment is managed by a hosted service supplier.  In general, an organisation shares the computing platform with other hosted service supplier clients.

In choosing a hosted service supplier, an organisation entrusts its most valuable asset, its information, to a third party. That is an act of faith with inherent business risks that need to be understood and managed.

There are several business risks to be considered when choosing a managed service provider:

  • Stability.  There is a risk that a service provider can fail and that access to the organisation’s systems and data fails with it. The organisation must be sure that this is a low risk but must also make business continuity plans in the event that the provider does fail.
  • Probity.  There is a risk that the managed service provider’s staff actively collude in the theft of the organisation’s data.  The selection phase must ensure that the managed service provider screens its staff and has adequate security procedures in place to minimise the risk of information theft.
  • Operations.  There is a risk that the managed service provider does not:
    • maintain and operate proper backup and recovery procedures
    • have adequate anti-malware software in place
    • have regular security checks on current and new staff

Confirmation that they do needs to be part of a regular management review.

From a technical standpoint, a major risk is that an authorised user of one client of the managed service provider may be able to access the information held by another client. Again, the firewalls between client implementations need to be regularly checked, and provision for remedies following a breach should be set out in the Service Level Agreement with the managed service provider.

Cloud Technology can bring great benefits to an organisation, but there are attendant risks that must be recognised and managed.