We’ll probably never know what the people who came up with the name cloud were thinking when they decided on so airy a word. But it’s no wonder some business leaders are reluctant to move their computing into something that sounds like it has an ever-changing structure and poorly defined boundaries, something that floats around in the open sky for all to see, every moment at risk of blowing away in a big gust of wind. (Imagine if they’d instead named it the hoover vault.) But is the issue of cloud security merely a matter of metaphors and perceptions? Or does one of the qualities that make the cloud so useful—its accessibility—also make it vulnerable?
Real vs illusory security
One simple test that can help you better grasp the cloud security issue is to ask whether traditional datacenters are as vulnerable to a given threat as cloud datacenters. When you hear stories in the news about corporations like Target, Home Depot, Best Buy, and Sony getting hacked, it may make you reluctant to outsource your computing to a third party. But these were all cases of traditional environments being breached. The stolen data wasn’t in the cloud. In fact, unless you count the type where celebrities (or unscrupulous employees) choose passwords that are too easy to guess, there have yet to be any major breaches of cloud data.
Names and metaphors aside, many people feel more secure knowing all their business’s data is stored in a place where they themselves can control access to it. Or maybe it’s that they just don’t trust the cloud providers. And this distrust probably isn’t completely irrational—just a little.
Below are five threats that any datacenter connected to the internet is potentially vulnerable to. As you can see, the cloud may alter the rules of the security game somewhat—more so with some threats than others—but the fundamentals remain largely the same.
1. Employees vs impostors
Your employees can sign in from anywhere, on any device with a decent connection, no matter what time it is. That’s one of the main selling points for the cloud. But if you don’t have to be in the office to access your documents and software, what’s to stop someone who’s not an employee from signing in?
Using our test, we can see this actually is a bigger problem with the cloud. If you can’t access your company’s software outside of the office, or if you have to install it on any device you want to use it on, then non-employees are probably going to have a hard time getting to any sensitive information. Unfortunately, locking everything down in the office just isn’t a viable option for many businesses anymore. They need to be mobile.
The good news is that security measures like Multifactor Authentication make imposture pretty difficult. You sign in to your company’s software with your password—the first factor—and it texts a message with a code—the second factor—to your smartphone. You then have to type in the code before you can access the software. Even if an impostor managed to figure out the password, that information would be useless unless he or she also managed to steal the employee’s phone.
Any system connected to the internet can potentially be hacked. So this particular threat is by no means limited to the cloud. However, because more of your business’s computing is accessible through the web, many people believe being in the cloud makes them more exposed. Then again, cloud providers have a great deal of incentive to keep their users’ data secure, and they have considerable resources to devote to their efforts.
You can think of the cloud as being like a bank. Everyone knows where it is, and it’s tough to control access to it. Since it’s not just the site of any one person’s cash but stores thousands of people’s money, it also presents a tempting target. But it’s still a lot safer to put your cash in the bank than to hide it under your mattress. The reason is that all the customers are pooling their resources so they can collectively support a level of security none of them could afford alone. And you don’t have to worry about floods and fires.
For cloud data being sent through the air or over the wires, security measures include high-grade encryption. But the physical datacenters themselves look like Fort Knox, with biometric scanners for personnel, restricted access to limited sections of the facilities, video surveillance, and scary-looking guards. Cloud providers know that if there’s a breach, word will get out quickly and they’ll start losing customers. So they take securing your business’s data very seriously.
3. Regulatory compliance
This one was a problem at first simply because the cloud was new and the regulators didn’t know what to make of it. As time went on, some providers were quicker to adopt compliant policies than others. For a long time, healthcare companies that had to comply with HIPAA had issues using both Amazon's and Google’s cloud offerings. In Google's case, this was because the data was crawled for ad-relevant information, in the same way Gmail messages are. Google only recently began offering an enterprise version of their services that meets more stringent regulatory standards.
Microsoft, on the other hand, has focused on enterprise clients from the outset. Cloud services like Azure and Office 365, for instance, have been HIPAA-compliant for some time. When it comes to the cloud and regulatory compliance more generally, you really have to decide on a case-by-case basis. Some offerings by some providers are compliant with some standards. Others aren’t.
4. Service outages
Azure has already experienced a few major service outages in 2013 and 2014. Total downtime for Azure in 2014 was 40 hours, while Amazon’s cloud services were only down a total of 2.43 hours. Despite the name, the cloud relies on physical machines as much as any on-site computing environment. And sometimes something goes wrong with those machines.
Cloud providers are currently battling it out with each other to offer the fastest, most reliable, and most secure services. That means rapid development cycles, frequent updates, and a higher risk of bugs. There’s no downplaying the seriousness of a 40-hour stretch of downtime for business-critical services.
But you have to compare the risk of outages for cloud services to those for on-site server farms. Any local server environment is susceptible to power outages, natural disasters, software malfunctions, and any number of other threats. There’s simply no way of eliminating the risks altogether. And so far most cloud providers are doing relatively well.
5. Future uncertainty
This is the big one because the cloud has only been around for a handful of years. It’s easy to point to how few cloud providers have been hacked, but as cloud computing becomes more popular they all become bigger targets. Maybe companies like Microsoft will learn from the mistakes that led to service outages, or maybe they’ll stumble on all new ways to make the system crash. Ten years from now, businesses may all be hunkered down on their own local server farms, the IT people nudging each other and saying, “Hey, remember when the cloud was a big deal?”
All the signs are pointing toward the opposite fate for the cloud though. It’s becoming more popular, more central to more business processes, and more integrated with other technologies. Undoubtedly, new threats and security challenges will emerge, but the most likely outcome is that cloud providers will find ways to address them. This will be of little comfort, though, if you happen to be one of the businesses that falls prey to the threat, no matter how short-lived it may be.