The simplest way to define cloud is to describe it as a shared service. Instead of individuals and businesses setting up their own software, platforms or infrastructure to manage their data, they can outsource this to a cloud provider. Cloud is seen as a cost-effective and environmentally friendly solution. There are now many providers offering different cloud solutions, including SaaS (Software as a Service), PaaS (Platform as a Service) and IaaS (Infrastructure as a Service). But is cloud secure enough?
This is a big question to tackle and there is no right or wrong answer that can be applied en masse. Instead, whether adopting cloud will fulfil your business or individual requirements needs to be assessed on a case-by-case basis. To make this assessment, here are some of the key questions that may be considered.
1. How good is my local storage?
How good are you currently at protecting the availability, confidentiality, integrity and authenticity of your data?
If your data is stored on a hard drive on a networked computer then chances are you may not be applying best practice. However, if your data is stored encrypted and backed up on two or more file servers, with good physical/logical access control and logging, then there may not be much to improve on what you already do. These are two extremes and, most likely, you will be sitting somewhere in between.
2. How much am I willing to invest?
To avoid spending too much on protecting data that is not really critical, or too little where data needs to be secured, you should assess the availability, confidentiality, authentication and integrity requirements of your data against your current local storage protections to see how they stack up. This should help you identify whether you have been investing adequately in protecting your data or whether the investment needs to be adjusted. Then you will be able to determine whether going to a cloud provider will be a cost-effective and secure solution for you.
3. How important is availability?
Despite whatever assurances cloud providers give about providing a highly available solution, end users will still need an active internet connection to access the data, which is not always guaranteed. This also makes it harder and more time-consuming to detect connection problems should they arise. There is also the added problem of network latency, which can result in additional delays and drop-outs when connecting to the cloud provider. This will only get worse over the next few years, with ever more connections choking up bandwidth and causing congestion and more drop-outs.
4. How important is confidentiality and trust?
Cloud offers new challenges for data confidentiality, as the data needs to travel over the internet, is stored remotely and is administered by somebody else. Even with cloud providers giving assurances that they apply best practices to secure your data at rest and in transit, there is still the danger that, even given the best intentions, their security controls may not be up to the mark, e.g. Adobe’s security breach leading to stolen logins and IDs. Additionally, transport layer encryption may not always be that secure. I have described in previous blog posts the security defects affecting SSL and weak TLS encryption.
The best way to guarantee confidentiality is to encrypt the data before sending it to the cloud and to keep the keys yourself!
What do you think of these questions and should there be more? Please add to the discussion below.