More and more small businesses are moving to cloud computing, signing up with private service providers that offer highly functional, subscription-based solutions that are far cheaper than the traditional in-house hosting method.
Whether your company is using online email, a Software-as-a-Service (SaaS) CRM platform, or creating offsite backups of company data, you are trusting a third party with important company information. And with that comes inherent risk.
When evaluating potential service providers, here are 5 areas of security concern that you need to take into consideration.
Secure Data Transfer
Data transfer must occur over the internet, which means there is a greater chance of a security breach during an upload or download. To mitigate this risk, make sure you are only connecting over HTTPS. Ensure data is always encrypted and authenticated using industry-standard protocols.
Secure Data Storage
Features and functionality are often front and center in a cloud service provider’s website, but what about internal security procedures? How is your data being stored and who has access to it? What information will the vendor disclose in the case of a security breach? These are important pieces of information that are not always clearly answered, or at the worst of times, are overlooked.
It is imperative to understand the risk profile of the cloud service provider you are dealing with. Ensure they provide full disclosure of all applicable logs and data, and that their monitoring and reporting procedures include all the information you need to prevent or mitigate security breaches.
Having said all that, this process should not be a surprise. As Lee House, Vice President of IBISInc, wrote in a recent article, “The reality that many businesses do not take into consideration is that on-premise applications residing on a server are also connected to the internet, albeit indirectly, and can be hacked by those that have the skill and the desire. What your business needs to consider is what kind of resources you can allocate to the protection of your data, whether it be stored in a cloud solution or not.”
Data protection is not a new kid on the block, but in the cloud it requires a new approach.
Customers interact with the cloud often through a set of software interfaces or APIs. Security of cloud services is directly tied to the security of these APIs.
According to the Cloud Security Alliance (CSA) in their report, Top Threats to Cloud Computing, “Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.” Moreover, many companies build upon interfaces to offer value-added services to customers. As the complexity of the API increases, so too does the risk. Organizations are often required to give their credentials to third parties when building APIs, which increases the potential for a redirection attack or a man-in-the-middle message alteration attack.
To reduce these risks, ensure strong authentication measures are in place and access controls are implemented in conjunction with encrypted transmission.
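As an added illustration (not code from this article or the CSA report), the sketch below shows one common way an API can authenticate each request so that alteration in transit or a replay is rejected: an HMAC-SHA256 signature over the method, path, timestamp and body. It complements encrypted transport rather than replacing it. The header names, the 300-second window and the sample key and request are assumptions constructed for the example.

```python
import hashlib
import hmac

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)

def canonical(method, path, timestamp, body):
    """Bytes that both sides sign: any change to a field changes the MAC."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()

def sign_request(key, method, path, body, timestamp):
    """Client side: return the auth headers (hypothetical names) to send."""
    mac = hmac.new(key, canonical(method, path, timestamp, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}

def verify_request(key, method, path, body, headers, now):
    """Server side: return (accepted, reason) for a received request."""
    try:
        ts = int(headers["X-Timestamp"])
        sent = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"  # limits replay of captured requests
    expected = hmac.new(key, canonical(method, path, ts, body), hashlib.sha256)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.hexdigest().encode(), sent.encode()):
        return False, "signature mismatch"
    return True, "ok"

def demo():
    """Constructed sample request: untouched, altered in transit, replayed late."""
    key = b"constructed-shared-secret"  # sample value, not a real credential
    body = b'{"customer_id": 42, "plan": "basic"}'
    sent_at = 1_700_000_000
    headers = sign_request(key, "POST", "/v1/customers", body, sent_at)
    altered = body.replace(b"basic", b"admin")
    return {
        "untouched": verify_request(key, "POST", "/v1/customers", body,
                                    headers, sent_at + 10),
        "altered": verify_request(key, "POST", "/v1/customers", altered,
                                  headers, sent_at + 10),
        "replayed": verify_request(key, "POST", "/v1/customers", body,
                                   headers, sent_at + 3600),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```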
Data stored on a cloud provider’s server can potentially be accessed by an employee of that service provider who is not authorized to do so. As an organization, you are not always privy to which employees of the service provider have access to your data. It is, therefore, best practice not only to carefully consider the information you are publishing to the cloud, but also to ask providers for specifics about the people who will be managing your data. In addition, as mentioned repeatedly, make sure any data you do store is encrypted! That way, should a breach occur, your data is that much harder to access.
Regulating how your employees use and store data should also be taken into consideration. Allowing uploading and downloading onto removable storage devices such as USBs or smartphones can lead to serious risks. If a portable device carries customer information, you have to protect it at all times, either through encryption or clearly communicated company policies.
During the age of in-house servers, an organization’s data was physically separated from another organization’s data – literally. In the cloud, vendors provide their services in a scalable way by using shared infrastructure. In this system, virtualization hypervisors are used to create containers that keep customer data separate from other customer data. However, as the CSA indicates, attacks have surfaced in recent years that target the shared technology in cloud computing environments.
As an organization moving to the cloud, you should investigate the compartmentalization techniques used by your provider, and be comfortable with their process and guarantees.
These security concerns are not meant to strike fear into the hearts of organizations making the transition to the cloud. Instead, they are meant to educate and inform you of the concerns that should be addressed when making this move. The cloud is here to stay, and the opportunities are too great to ignore. And with appropriate procedures in place, your transition should benefit your organization far more than it hurts it.