In our previous feature in this series, we looked at the network infrastructure implications of adopting cloud-based services for your company. But there are more issues than just whether the bandwidth and latency levels on your network are up to the job.
Unless you implement a private cloud, your employees will be accessing services that are hosted externally. Even with a private cloud, mobile workers will be accessing this from outside the office. So the perimeter line between the internal network and the Internet will be much more porous.
You can't outsource accountability
Implementing cloud services is often an exercise in outsourcing, and whilst you can outsource responsibility, you can't outsource accountability.
There are different levels of cloud provision, each with their own particular security needs:
- Cloud services can operate at the application level, for example Google Docs. This is usually called Software-as-a-Service (SaaS).
- Alternatively, there are provisions where you supply your own applications to run on a cloud-based delivery mechanism, such as Microsoft Azure or Google App Engine. Here, the cloud operates as a platform, so is known as Platform-as-a-Service (PaaS).
- Finally, you can merely use the cloud as infrastructure for your own platforms and software, such as Amazon EC2. This is generally referred to as Infrastructure-as-a-Service (IaaS).
For any private cloud provision, where the servers are physically on your premises, your company retains full control over security, until mobile workers accessing services from outside are brought into the equation. But IaaS, PaaS and SaaS all cede different levels of control to the vendor.
With IaaS, your server, storage, and the network outside your local area are now in the hands of third parties. But you can still ensure that your applications and the virtual machines you are using as your platform to run them on conform to your security requirements, although there will be some collaboration with the vendor on the virtual machines that are compatible.
With PaaS, the applications you can run as well as the platforms available will be a function of what the vendor offers, so any security issues with these won't entirely be under your control.
In the case of SaaS, cloud security can't be tackled merely with technology, however. If employees are using commercial cloud-based services like Dropbox, Google Apps or Microsoft Office 365, sometimes known as "build your own cloud" (BYOC), you won't necessarily have centralised control over passwords and user accounts at all. So it will be important to train staff and continually remind them to keep their logins and passwords secret, and ensure their passwords are complex enough not to be easily guessed.
The difficulty of keeping control over these kinds of services has led some companies to block usage of services like Dropbox and even Google Docs. Although it might not initially be popular with employees, preventing the use of popular services like these could be a valid safeguard, so long as an equally capable alternative that can be secured is made available.
These kinds of services enable flexible, collaborative work practices, so preventing employees from using them could affect your company's competitiveness compared to businesses that are making full use of them.
Easily-integrated cloud solutions
Some cloud services can more easily be integrated with your existing security infrastructure than others. If you have outsourced your email provision to Gmail, for example, this can be synchronised via LDAP to other security systems. But even then the security that is being synchronised with at the Google end will be managed by Google.
If an employee is careless and lets their email account be hacked by divulging their password to a phishing attack, this in turn could allow the hacker to change the password across all synchronised systems, giving them access to much more than just email. A more granular approach to security can help here, with more mission-critical layers protected by further levels of authentication.
Mobile workers introduce a special kind of security risk. Just a decade or so ago, your employees would have been accessing corporate resources mostly via the desktop systems they used in the office. The small minority who did need to work from home or on the road would be using a laptop that wasn't directly connected to the business network, and was subject to the same security provisions as desktop machines.
But now employees are accessing email and even documents via smartphone, working on presentations and reading reports on tablets, as well as making use of the new hybrid devices that are appearing with abilities somewhere in between smartphones, tablets and notebooks.
Whilst your networks and cloud applications may in themselves be quite secure and hard to hack, these mobile devices are easy to lose and can be ready targets for theft. If the device can be accessed, and in turn has access to your cloud-based services, private as well as public, this can create a huge hole in your security which would make it possible to gain a deeper level of access. So it's absolutely paramount that any mobile devices are secure.
Windows 8 devices may not be as popular with end users as their Android and iOS equivalents, but they can fit into a Windows-based remote management system much more seamlessly. There are also often corporate-grade models available with built-in biometrics that are tied to drive encryption and a very low level of device access. Ensuring this is all enabled would mean even a stolen mobile device would be useless as a springboard for accessing your resources.
Do you trust your cloud provider?
The wider issue, however, is how much you trust your cloud vendor, and not just them as an organisation, but their employees and the governments of the countries within which they are based. The recent revelations about US government snooping have shown that national agencies are keeping track of traffic over public networks.
So concerns over confidentiality are valid, as are concerns over what would happen if the vendor goes out of business, although this is unlikely with the largest vendors in this space such as Google and Amazon.
One area of particular threat is the link between the vendor's cloud and your network. Whilst a virtual private network (VPN) is likely to be encrypted beyond a level where it is easy to snoop on, Web-based SSL/TLS security isn't as secure as it should be unless the latest version is being used. This risk will be there whether you are using SaaS, PaaS or IaaS, but it's only an issue with a private cloud when it is being accessed externally.
Of course, there are other areas of vulnerability that are a bit more low-tech. The employees at your cloud vendor could fall foul of a phishing attack, and divulge security information that compromises your company's or multiple companies' security. Their hardware could be physically stolen from the data centre.
At the platform or infrastructure level, an attacker can potentially figure out which physical server your virtual machines are residing on, and focus their attacks accordingly. A cloud vendor might even be subcontracting some of the services it provides to another third party, further complicating the issue.
It's also worth noting that a public cloud is a shared tenancy, with other users accessing the same pool of resources. A vendor will want to keep all its customers happy, but there could be conflicting interests, and if another of the vendor's customers has a security breach that reveals a hole in the vendor's underlying systems, this could have a knock-on effect on the resources your company is using as well. Also, a denial-of-service attack on one of the vendor's customers could affect everyone sharing the same infrastructure.
Clearly, very careful attention needs to be paid to the contracts that are signed with service providers. The liability for security breaches needs to be clearly defined, particularly as regards lost data, and not just service downtime. It will also be important to be clear about levels of multi-tenancy, and even stipulate that this does not occur, if your company's needs are enough to warrant this.
However, most cloud providers dictate the service level agreement, and this can't be negotiated unless you are a very big client. There are certifications you can look out for, such as the USA's DIACAP, which was put in place to ensure that the correct set of risk management procedures has been followed for information systems used by the country's Defense Department.
Are the risks worth the benefits?
Just as with the bandwidth situation described in the previous feature in this series, monitoring the security of your cloud is essential. Robust access control management and identity management (IDM) should be put in place. Credit card companies, for example, frequently use Verified by VISA and MasterCard SecureCode as an extra level of security online. In a cloud environment, services like Duo Security's two-factor authentication, which requires users to enter a secondary authentication code when accessing services from outside your local area network, can reduce the risk of lost user passwords.
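The access rule described above (a second code is demanded only when the request comes from outside the local network) can be sketched as follows. This is an added example, not code from the article or from Duo Security's product; it assumes a standard RFC 6238 time-based one-time password as the second factor, and the network ranges, function names and demo secret are constructed for illustration.

```python
import base64, hashlib, hmac, ipaddress, struct, time

# Assumed internal address ranges (constructed for this example).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
# Published RFC 6238 test secret ("12345678901234567890"), base32-encoded.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def needs_second_factor(source_ip):
    """True when the request originates outside the trusted LAN ranges."""
    addr = ipaddress.ip_address(source_ip)
    return not any(addr in net for net in TRUSTED_NETWORKS)

def verify_code(secret_b32, submitted, at=None, step=30, window=1):
    """Accept codes from adjacent time steps to tolerate clock drift."""
    now = time.time() if at is None else at
    for drift in range(-window, window + 1):
        t = now + drift * step
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret_b32, t, step), submitted):
            return True
    return False

def authorize(source_ip, password_ok, secret_b32, code=None, at=None):
    """Return 'allow', 'challenge' (ask for a code) or 'deny'."""
    if not password_ok:
        return "deny"
    if not needs_second_factor(source_ip):
        return "allow"
    if code is None:
        return "challenge"
    return "allow" if verify_code(secret_b32, code, at=at) else "deny"
```

A stolen password used from an outside address yields only `challenge`, so it is not sufficient on its own; a production deployment would also rate-limit attempts and reject reuse of an already accepted code.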
All of this makes cloud computing sound like a risky business, which it can be without adequate consideration given to security. But the cost and flexibility benefits of the cloud for business are undeniable, so the risks are well worth addressing. With the right precautions in place, and sufficiently specified infrastructure as we outlined in the first feature in this series, your company can gain huge benefits.
Image credits: Flickr (szeke; Victor 1558)