Just How Safe is The Cloud for Your Company to Use?
The modern digital landscape of IT infrastructures utilized by small, medium and large enterprises can be characterized by a profound increase in advanced technologies that have helped businesses to increase efficiency, productivity, creativity, and automation. Information Technology (IT) has greatly helped enterprises craft new business models and implement corporate strategies that have increased business growth and benefited the bottom line. However, as technology has rapidly evolved over the last few decades, new opportunities have arisen for businesses to further leverage advanced IT systems in order to grow further and minimize overhead. One such technological advancement that has become a catchphrase among enterprises is the Cloud. While cloud systems existed in 1999 and were mentioned in documents around 1996, major advancements in cloud systems have drawn company executives and board members/stakeholders alike to the Cloud. Many companies have been reluctant to adopt the new technology, while others have eagerly rearranged their company’s IT infrastructure to accommodate external cloud systems, such as multi-cloud systems, hybrid cloud systems, and/or public cloud systems.
Adoption of cloud systems has greatly increased over the years. According to several key reports, surveys and case studies, adoption of cloud systems among business enterprises is now above 90 percent. A critical Intel Security/McAfee study involving 1,400 IT professionals associated with cloud adoption and security showed that 93 percent of organizations are using cloud systems, with a great drop in the utilization of private cloud systems (51 percent to 24 percent), and a large increase in the use of hybrid cloud systems (19 to 57 percent), between the years of 2015 and 2016 (“Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security, 2016”). Additionally, according to the same Intel Security (McAfee) study, the use of cloud solutions among enterprises is growing, such that 80 percent of organizational IT budgets were applied towards cloud solutions within a period of 15 months (2016).
There are several reasons why many businesses are reluctant to adopt cloud solutions as opposed to hosting internally managed and controlled data centers and private servers. Typically, a lack of understanding - along with certain myths and misperceptions about cloud security - has resulted in several organizations refusing to utilize cloud solutions as opposed to internal enterprise solutions. Additionally, according to the Intel Security study, 49 percent of IT professionals delayed the utilization and adoption of cloud solutions due to a lack of cloud security professionals within their organization who possess the necessary skill set for ensuring complete data security. The above study also indicated that cloud solutions are often regarded as “shadow IT,” due to the use of external cloud servers and systems which internal IT teams cannot control or manage. This inability to manage the cloud security has resulted in 40 percent of public cloud solutions being procured outside of IT, with less than half (47 percent) of the cloud solution being visible to the IT teams. To this end, 67 percent of IT professionals believe that such shadow IT systems will compromise security.
The study also indicated that 74 percent of organizations have adopted the use of public cloud systems for the storage of private/sensitive data. While the McAfee study did indicate that there have been some major cloud security breach statistics associated with public Software as a Service (SaaS) solutions - specifically, a 52 percent likelihood of being infected with malware - and major cloud breaches have made headlines multiple times (including breaches of Microsoft, Dropbox, LinkedIn, Home Depot, etc.), other studies indicate that on-premise business environments are attacked and exploited more often than external hosting services, such as a cloud hosting service. Specifically, the Alert Logic State of Cloud Security Report indicated that an average of 61.4 malicious cyberattacks hit on-premise IT environments, while only 27.8 attacks hit hosting/service provider environments (“State of Cloud Security Report”). While major cloud security initiatives, such as the Cloud Security Alliance (CSA), have stated that the responsibility for securing cloud systems lies with the customer (with regard to access control, account hijacking, data breaches, malicious insiders, etc.), ultimately, one of the most prevalent myths linked with fears associated with cloud solution adoption is that less control and direct management over the cloud equals less security. In the end, people are the weakest link with regard to any data security system, so factors such as how private data is stored by customers - and how cloud systems are utilized by customers - create the biggest security risks with cloud solutions. Significantly, such risks typically exist in equal measure when companies utilize in-house data centers and servers yet fail to adopt security best practices in the workplace. Thus, understanding the cloud is one of the most critical steps that company executives can take in order to fear it less.
What Exactly is the Cloud Anyway?
Cloud systems, in the simplest terms, are a global ecosystem of remotely-connected hosts, i.e. the Internet. In a business context, cloud storage and computing systems entail a network of IT systems/hosts existing externally from a company’s IT infrastructure, which can enable the reduction of overhead and personnel requirements with regard to portions of cloud system maintenance, configuration, patching, and security. Since a portion of the aforementioned services are conducted by the service provider, this allows companies to direct their resources, manpower and attention to important business activities, while focusing less on maintenance and upkeep.
Originally, enterprise servers within corporations required inter-dependent software/operating systems upon which enterprise server software would be installed for use by internal corporate teams. This meant that if either the hardware server or operating system failed, the use of the server’s applications would be impossible until the critical issue was resolved. The advent of cloud systems (which utilize virtualization as one of their core components) allowed application execution and storage services to be delivered remotely via the Internet, which enabled businesses to take advantage of a myriad of computing resources. The use of virtualization in cloud systems provided a redundancy system that allowed the migration of OS and critical application functions onto other cloud servers so that a hardware issue with one server would not bring business operations to a halt.
Typically, cloud systems come in many different varieties, including public cloud systems, private cloud systems, hybrid cloud systems, multi-cloud systems, etc. Public cloud systems are systems that are open to the public and can be used by any number of clients, and include the two primary cloud services noted above (data storage and application execution). Private cloud systems are closed and are hosted internally by an enterprise over a privately hosted (internal) network, and are thus managed by internal IT teams. Hybrid cloud systems are a combination of private and public cloud systems, while multi-cloud systems are a combination of multiple external cloud systems being integrated into a single corporate architecture.
Additionally, cloud systems are available under a variety of architectural models, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
All Data Still Exists in Physical Servers Somewhere
When it comes to understanding the technology behind external cloud solutions, it is important to note that, as with internal data centers/hosts, all data still exists within physical servers at some location. While private clouds and internal data centers have data existing within servers in a corporate office or data center, external cloud solutions potentially house the same data within servers and data centers in an external location. While company executives may worry about the safety of hosting data within external data centers, it is important to remember that, when it comes to security, any server that can be accessed from the outside (externally) - which is often the case with private, internal data centers as well as with external cloud centers - has the potential to suffer a data breach, yet external cloud centers don’t necessarily have more attack surfaces than internal data centers. This is especially true with internal data centers that are connected to the public internet, either via web servers (e.g. a company website), or via secure networks that allow traveling personnel to access the backend corporate servers (often via a VPN).
These Servers Are Accessed Via the Internet to Complete Tasks & Processes
One of the main differences between internal data centers and external cloud solutions is the fact that external cloud centers operate as remote hosts, or rather, as servers that are accessed via a network. Thus, while internal, corporate data centers are on an internal intranet (that is accessed via a Local Area Network), external cloud servers are accessed via the Internet. Thus, an Internet connection is required to leverage the power of external cloud systems, which allow business tasks and processes to be completed accordingly via the public Internet. This typically necessitates a good Internet connection with very high bandwidth capabilities.
What Business Processes Are Now Being Conducted in the Cloud
Since cloud systems are essentially external servers, businesses are able to make use of external cloud systems for a variety of tasks that previously were done via internally-hosted servers. This includes:
- Data Storage (Cloud storage): cloud systems are often used to store private/sensitive business data, including reports, audits, documents, accounting information, and much more.
- Application Execution (Cloud computing): cloud systems are often used to run applications remotely through a network connection, mitigating the need to install enterprise software. Such systems are often linked with cloud storage systems to allow enterprises to save their corporate data and tasks that are associated with the cloud computing applications.
Additionally, a host of other advanced applications are possible via external cloud systems, such as syncing data across entire business platforms and devices, advanced Internet of Things applications, increased scalability, Big Data analytics, disaster recovery procedures, testing and development, file sharing, company data backups, and much more.
There is a Division Between What a Regular Business is Likely to Use the Cloud for and a Tech Company
The utilization of cloud services within the ecosystem of corporate enterprises usually entails substituting internally-managed servers and data centers with either a hybrid cloud infrastructure, or public/multi-cloud systems. However, different industries typically use cloud solutions in different ways, such that there is a clear division between how a regular enterprise may use cloud services versus a technology or engineering firm. It is standard for a regular, non-tech SME - or larger enterprise - to use cloud services as external systems that essentially replace in-house servers, which usually means using such cloud solutions for data storage, data management, data processing, data analysis, etc. Contrasting this, technology companies often use cloud solutions as external servers which run critical applications and software systems.
That said, corporate cloud solutions are often available to enterprises as one of three different package types: Software as a Service, Infrastructure as a Service, or Platform as a Service. Each model has its pros and cons with regard to specific business types.
Software as a Service Models (SaaS)
Software as a Service (SaaS) is the most commonly-used cloud solution amongst all forms of enterprises today. The SaaS model, simply put, is the delivery of cloud application/storage services, from an external cloud server system, to a business via the Internet. Oftentimes, such cloud solutions do not require any software installations on local hosts, as a web browser is often the vehicle of delivery. The delivery of cloud applications to a business (over the Internet) via cloud computing parallels the hosting and execution of web applications; however, such cloud apps are deployed from external servers over the Internet and are not locally managed. It is, thus, important to note that with SaaS solutions, the vendor manages the application, data, runtime, middleware, virtualization, OS, servers, storage, and networking. The lack of required management makes SaaS models worthwhile for many companies that do not want (or are not able) to devote extra manpower and/or overhead to managing, maintaining and patching the cloud system hosting the SaaS services. Some examples of SaaS solutions are Google Apps, Microsoft Cloud, Dropbox, etc.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a solution utilized by companies for testing, managing and/or executing software systems that require scalable computing, self-service management, and automated computing resources. With IaaS models, multiple core computing resources are available to the business via a dashboard or API, allowing a company to leverage a scalable cloud system for networking, operations, data analysis, testing, and more, all through virtualization. As highly flexible, powerful and scalable models, IaaS solutions also give businesses near-complete power to manage their computing resources. Some IaaS examples include Microsoft Azure and Amazon Web Services.
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a model that allows a development environment to be remotely hosted on a cloud system, allowing a business to utilize a powerful system for software building and deployment. Such cloud platforms provide many advantages over utilizing local platforms for development and/or deployment, such as management over the storage (of data), services, servers, networking and applications associated with the cloud computing system, without having to patch, update, upgrade or install anything associated with the system. Because they use virtualization, such development/deployment cloud systems are also highly scalable, all while not having to be maintained by business personnel.
Common Business Uses for the Cloud
Cloud solutions - regardless of the model used - can be used by businesses for a myriad of purposes. While external (public) cloud servers are often used simply to replace in-house enterprise servers, cloud systems are capable of much more. However, two main uses of cloud systems are cloud storage and cloud computing.
Cloud Storage for Business
One of the first and most critical corporate (and commercial) uses of cloud systems was cloud storage. With the advent of larger data storage servers and faster Internet capabilities, data storage centers shifted from being in-house systems to being remotely hosted and managed via the Internet. This shift was successful largely due to the advantages of having scalable - and larger capacity - data storage centers available at all times with the ability to sync and share such data seamlessly between devices and parties.
Covers The Data Sharing Needs of a Workforce
Cloud (data storage) centers allow business entities to seamlessly share data with other parties without having to download the data and manually send it from a local machine. This entails that in-house networking systems (intranets) are no longer required for effective interdepartmental communication, or for corporate communication with business partners, etc. This is because the internal communication systems are essentially replaced by the online (cloud) platform’s services.
Provides Access to Company Data & Files Anywhere
In addition to the above advantage (data sharing), one of the most significant and important mechanisms that cloud storage systems provide is data syncing between all Internet-connected devices that are authorized to access the system. This means that companies employing remote workers, and/or executives that are out of the office, are able to complete and update work, obtain (sync) completed reports or required documents/files, and store essential pieces of data in the cloud storage centers from any location that provides the ability to connect to the Internet.
Cloud Computing for Business
The second most critical function that cloud solutions provide is cloud computing. Cloud computing allows businesses to leverage the Internet - and, typically, a web browser - to run applications without having to install anything on local machines. Essentially, cloud computing is the execution of software from remotely hosted cloud servers over the Internet. This gives enterprises the opportunity to replace internal servers, or localized instances of software, with the utilization of cloud systems, which do not typically require maintenance, patching, or upgrading/updating by the client.
For Businesses That Run Their Own Custom Software
Running, managing and developing custom, proprietary software on a model such as IaaS (which offers the most flexibility and power, along with management capabilities) or PaaS allows a business to leverage powerful, scalable, automated computing resources across an entire enterprise in an efficient manner, all via the cloud. Utilizing the cloud in this manner has advantages over running such software locally, such as the fact that such cloud systems don’t require maintenance by the customer. Additionally, such cloud systems allow for easier testing and deployment of custom software, while they also provide the ability to take advantage of cloud-based virtualization.
How Secure is the Cloud for General Business Use?
Before adopting any cloud system model for corporate use, perhaps the most important question that any company executive would ask - and want answered - is how secure cloud solutions are. The utilization of external cloud systems that house sensitive data and are required for core business activities - and that IT teams are unable to directly manage or directly interact with - makes many business executives uneasy. While myths about the security of cloud systems abound, it is clear that cyberattacks, data breaches, and data thefts are increasing, such that attaining complete data security should be one of the core goals of any enterprise. That said, it is typically believed that the inability to control all aspects of a system equates with - or results in - a lack of security. It is also typically believed that the cloud solution vendor is responsible for all aspects of a cloud system’s security. For the former, control does not equal security. The design of the hardware and software systems - along with customers utilizing security best practices to access the cloud system - is more important than the daily (more direct) management of the servers by in-house personnel (such as the way IT teams would manage in-house servers). For the latter, it is the responsibility of the customers to use security best practices when accessing the secure cloud systems.
Every Business Will Have Different Levels of Security Needed
It is also important to note that when it comes to compliance issues, cloud systems that house sensitive data, and/or are used for the processing of private customer data, must be secure according to U.S. legislation. Specifically, companies must carry out due diligence in ensuring complete data security. It is important for company executives to understand that specific industries must comply with a particular set of laws in order to be in compliance with U.S. legislation.
Industry Specific Compliance Requirements
Certain industries must be in compliance with a specific set of U.S. laws, including the medical/health industry, the finance industry, the education industry, all e-commerce websites, etc., according to the following:
- HIPAA (Health Insurance Portability and Accountability Act): HIPAA is a regulation that stipulates a variety of rules regarding the secure and safe handling of confidential patient information (including electronic data/records), with regard to all health organizations and enterprises.
- Federal Information Security Management Act of 2002 (FISMA): FISMA is an act applying to all federal agencies in the U.S., stipulating that complete data security should be ensured so as to protect national security.
- Gramm Leach Bliley Act (GLBA): GLBA, among other things, stipulates that financial institutions must carry out due diligence to protect the data of their clients and customers.
- Family Educational Rights and Privacy Act (FERPA): FERPA applies to educational organizations/schools, and stipulates that such institutions must protect the educational data of their students.
- Payment Card Industry Data Security Standard (PCI-DSS): PCI-DSS applies to all e-commerce businesses that handle customer credit/debit cards, and stipulates (via 12 regulations) that due diligence must be carried out to protect such sensitive customer information, typically with regard to transactions over the Internet (via websites, etc.).
Cloud Products Are Essentially Just Remote Accessed Servers
In order for company executives to adopt the most effective cloud solution for their enterprise - and to understand their responsibilities associated with ensuring that their data (in the cloud) is secure - it helps to regard cloud applications as remotely hosted applications, and cloud systems as remotely accessed business servers. Security best practices associated with accessing remote servers must thus be applied to cloud systems.
Security is Dictated by the Connection Between Users & The Data Servers
From a security standpoint, when it comes to major attack surfaces, accessing a remote server means that there is one primary attack point that must be protected - the connection between the user and the data server. While Denial of Service (DoS) and DDoS attacks may cripple a server - and malware can attack a number of cloud systems - customers who use cloud systems must ensure that proper access control mechanisms are in place (including authentication, authorization, etc.), and that the connection to the cloud servers is completely encrypted with industry standard encryption systems. Additionally, attacks such as man-in-the-middle attacks (MitM) must be mitigated to ensure complete data security. Essentially, just as an in-house corporate intranet (Local Area Network) must be secured when utilizing on-site servers, so the networking system connecting a business with a cloud system, via the Internet, must be secured.
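The client-side checks described above (an encrypted connection with certificate and hostname verification, so that a man-in-the-middle cannot impersonate the cloud endpoint), as an added example that is not part of the original article. It uses Python's standard `ssl` module; the function names and finding labels are hypothetical, and TLS 1.2 as the minimum protocol version is an assumption.

```python
import socket
import ssl
from typing import List, Tuple

# Assumed policy floor for this example; the article only says
# "industry standard encryption".
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """TLS settings for reaching a cloud endpoint over the public Internet."""
    # create_default_context() loads the system CA store and enables both
    # certificate-chain verification and hostname checking.
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to look for in client code and SDK wrappers.

    Traffic is still encrypted, but the peer is never authenticated, so an
    on-path attacker can present any certificate and read everything.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings on ctx that leave the connection open to MitM."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < MIN_TLS:
        findings.append("legacy-protocol-allowed")
    return findings


def open_verified_connection(host: str, port: int = 443,
                             timeout: float = 5.0) -> Tuple[str, str]:
    """Connect with the hardened context; return (protocol, cipher suite).

    Raises ssl.SSLCertVerificationError when the certificate chain or the
    hostname does not check out, which is the signal to stop rather than
    fall back to an unverified connection.
    """
    ctx = hardened_client_context()
    problems = audit_context(ctx)
    if problems:
        raise RuntimeError("refusing to connect: " + ", ".join(problems))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Offline comparison of the two configurations.
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```

`open_verified_connection` needs network access and is not called by the offline comparison; the host to pass is whatever cloud endpoint the organization actually uses.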
Companies Providing Cloud Computing & Storage Services Need to Be Secure
Cloud servers can fall prey to traditional attacks such as DoS and DDoS attacks, and crippling malware attacks. Thus, it is not completely the responsibility of the customer to ensure data security of cloud systems - it is also the responsibility of the vendor providing the cloud system.
The responsibilities of the cloud vendor to protect their systems should be outlined in their security policy, since essentially their entire business model relies on having secure systems. As with any company, cloud vendors will typically design and harden their cloud systems before selling their services - if their cloud systems were not secure, then they would be unable to obtain - and keep - customers. This doesn’t mean that all cloud vendors are a safe choice, however, as the best vendor will ensure that security best practices are always carried out.
The Security Resources at Their Disposal Are Much Higher
According to a study by the SANS Security Institute, in 2014-2016 most companies had an IT budget of around $500,000-1,000,000 USD, with security comprising four to nine percent of that budget. This comes out to $45,000-90,000 USD for the security budget, on average. While these numbers indicate that businesses have only a minimal amount of resources to apply to securing their local infrastructure, large cloud vendors often have larger budgets (i.e. billions of dollars) to ensure that their cloud systems are completely secure.
Dedicated Security Teams
Cloud vendors often have dedicated, trained security personnel equipped with the skills, knowledge and experience needed to ensure that their cloud systems are maintained, patched, and secure. Such teams are also typically equipped with the skill set that is required to successfully install cloud-based security controls, such as Next-Generation Firewalls, and cloud-Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS).
Specialist Security Consulting
Cloud vendors often leverage specialists in the realm of cybersecurity to ensure that their cloud systems are completely secure. Such specialists include ethical hackers, white-hat hackers, penetration testers, etc. who actively seek to penetrate the networks and systems associated with a vendor’s cloud solutions. The methodologies employed by ethical hackers are composed of active tests seeking to exploit weaknesses (vulnerabilities) in an IT infrastructure, and - along with passive vulnerability scans - can help to reveal any weaknesses in a cloud network before cybercriminals find such weaknesses and exploit them. Such ethical hacking engagements are often carried out by outsourced specialists, and can result in cloud systems being patched and hardened, thus ensuring their security.
Bug Bounty Programs
Open calls for ethical hackers are often carried out by companies seeking to attract talented consultants that employ a variety of attack vectors. This can help to ensure that cloud systems are hardened against a myriad of different attack types. Such open calls - or bug bounty programs - include known programs such as Bugcrowd and HackerOne, among others.
In Short, Nothing is Secure, But the Cloud Can be More Secure
Cloud systems are like any other servers or networking systems - they cannot be entirely, 100 percent hardened and thus made completely immune to cyberattacks. However, depending on the hardware, software, design, and procedures of the customer - along with the security policy of the cloud vendor - cloud systems can be just as secure, if not more secure, than in-house servers and data centers. Cloud systems are typically managed by more specialized security teams, and often receive a greater budget to ensure their data security. Additionally, while in-house servers require patching and maintenance work by in-house personnel - thus creating the potential for systems to go unpatched - cloud systems are usually kept patched on a regular basis, and are updated, upgraded and maintained by cloud vendors, thus decreasing the risk of costly data breaches occurring. Ultimately, the use of security best practices and security controls can help to mitigate even the strongest - and most damaging - cloud cyberattacks, making cloud systems potentially more secure than in-house servers and data centers.