Is cloud ever secure enough?

cloud

The simplest way to define cloud is to describe it as a shared service. Instead of individuals and businesses setting up their own software/platforms or infrastructure to manage their data, they can outsource this to a cloud provider. Cloud is seen as a cost effective and environmentally friendly solution. There are now many providers offering different cloud solutions including SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). But is cloud secure enough?

This is a big question to tackle and there is no right or wrong answer that can be applied en masse. Instead, deciding on whether adopting cloud will fulfil your business/individual requirements will need to be assessed on a case-by-case basis. To make this assessment, here are some of the key questions that may be considered.

1. How good is my local storage?

How good are you currently at protecting the availability, confidentiality, integrity and authenticity of your data?
If your data is stored on a hard-drive on a networked computer then chances are, you may not be applying best practice. However, if your data is stored encrypted & backed up on two or more file-servers, with good physical/logical access control and logging, then there may not be much to improve on than what you already do. These are two extremes and most likely, you will be sitting somewhere in between.

2. How much am I willing to invest?
To avoid spending too much on protecting data that is not really critical or too little where data needs be secured, you should assess the availability, confidentiality, authentication and integrity of your data against current local storage protections to see how it stacks up. This should help you identify whether you have been investing adequately in protecting your data or if it needs to be adjusted. Then, you will be able to determine whether going to a cloud provider will be a cost effective and secure solution for you.

3. How important is availability?
Despite whatever assurances cloud providers give about providing a highly-available solution, end-users will still need an active internet connection to access the data, which is not always guaranteed. This also makes it harder and more time consuming to detect connection problems should they arise. Additionally, there is also the added problem of network latency which can result in additional delay/drop-outs when connecting to the cloud provider. This will only get worse over the next few years with ever more connections choking up bandwidth and causing congestion/more drop-outs.

4. How important is confidentiality and trust?
Cloud offers new challenges for data confidentiality as the data needs to travel over the internet, is stored remotely and is administrated by somebody else. Even with cloud providers providing assurances that they apply best practices to secure your data at rest and in transit, there is still the danger that even given best intentions, their security controls may not be up to the mark. E.g. Adobe’s security breach leading to stolen logins and IDs. . Additionally, transport layer encryption may not always be that secure. I have described in previous blog posts, the security defects affecting SSL and weak TLS encryption.
The best way to guarantee confidentiality is to encrypt the data before sending it to the cloud and to keep the keys yourself!

What do you think of these questions and should there be more? Please add to the discussion below.

Advertisements

3 PR disasters caused by innocent mistakes

badhillary31

What the Hillary Clinton email scandal proves is that you don’t even need a proven data leak to brew a public relations storm. The media will punish you nevertheless. It was recently discovered that Hillary Clinton ran a private email server from home for all emails, including work related ones. This makes it easy for eavesdroppers to obtain state secrets. (Which they can do without her knowing) Given that she is Secretary of State and in regular contact with the President, this is bad news for US national security. How bad? The backlash is severe and may affect her chances of securing Presidency at the next election. She is not alone though. History is littered with many examples of how disastrous, even a potential data leak may be.

1. Bank of America

In 2005, the Bank of America lost unencrypted backup tapes containing the banking and credit card details of 1.2 million federal employees (including senators). This was embarrassing. Technology executives were forced to issue public statements about the loss and regulators made fresh inquiries into whether new regulations were needed. 

2. NARA

In 2009, the National Archive and Records Administration lost two unencrypted hard drives. One contained the names and social security numbers of 76 million US military veterans. The other contained the private information and social security numbers of 250000 White House employees (including the daughter of Al Gore). They were thrashed by the media and had to compensate the victims. A $50,000 bounty was also offered for the missing hard drives. Not sure if that offer still stands. 

3. Emory Healthcare

In 2012, Emory healthcare misplaced 10 unencrypted backup discs containing 315,000 patient file records and social security numbers. These were misplaced or stolen after being placed in an unlocked cabinet. They were never found. The CEO of the company had to publicly apologise for the data breach. 

This may seem extreme but this is more commonplace than you would think, even in companies with solid IT Security controls. Voltage security found that 85% employees bypass security controls to get access to more data and 46% companies have breached security controls to avoid the possibility of a sales loss. The worst offenders are senior managers. Stroz Friedberg found that senior executives are the guiltiest culprits when it comes to sending work emails to their personal email and taking intellectual property with them when they leave the job.

To defend against this, classify information, encrypt your data and increase security awareness across all levels.