Security and Privacy is Sometimes Suspect, but Growth of the Cloud Marches On


Posted on by Robert Ackerman

We increasingly hear that the most-discussed computing paradigm, cloud computing – especially the public cloud -- is resuming its sharp rate of growth after a lull and poised to accelerate further. This is refreshing news in a world ever-more obsessed with security, underscoring that cloud purveyors are making progress in getting security right.

The attractions of cloud computing are obvious to those immersed in the enterprise computing arena. CIOs note that the cloud allows them to shift costs from capital budgets to operating budgets. Often, they can purchase only the resources they actually need. Cloud computing eases the process of adding or subtracting computing power on demand. And it better accommodates a mobile workforce and cutting-edge technology, such as user interface design.

But cloud computing must take additional steps to maximize privacy and security.

The belief is widespread that storing personal data, in particular, in the cloud might undermine its privacy. After all, companies that embrace the cloud lose direct control of their technology, abolishing a traditional security priority. This begs a question. Given the increasing perception of misuse of people’s digital information, is the price of cloud adoption – and the concomitant loss of proprietary security and privacy control -- ultimately too high?

Happily, the answer is no. In some ways, the security offered by leading cloud vendors is superior to security at the typical corporate level. Still, cloud purveyors know they must do better still. One key step toward this end is the aggressive development of so-called homomorphic encryption, which some computer security experts have described as “the holy grail” of computer security. Customers must be vigilant, however, and invest the time to properly mitigate all security and privacy risks before and throughout cloud adoption. This is imperative not only to maximize security but to make CIOs and CISOs comfortable as they transition applications and data to the cloud.

Even though the cloud has been part of the IT arena for about 15 years, there are still lots of questions about how it works and how secure it really is. So corporate IT executives must make a point of garnering the information they need about physical security, the handling of security incidents, logs of security attacks, compliance, and backup and recovery, among other things.

How secure is the cloud? Potentially sensitive data is at risk from insider attacks, but competent cloud vendors are in a position to close that hole. And despite the explosion of high-profile cyber attacks costing major companies billions of dollars and loss of customer loyalty, a number of them didn’t directly penetrate the cloud or the data center. Rather, they compromised end points, such as end user laptops, payment terminals and myriad Internet of Things (IoT) devices. An improperly used device or inadequate protection is all it takes to open the door to a hacker.

Meanwhile, in the productivity-obsessed business world, companies continue to spend aggressively to move into cloud computing. According to Gartner, the growth rate of corporate spending on the cloud began rebounding last year – up 16 percent to more  than $200 billion globally --  after slowing in 2015 and has moved beyond application testing to cloud-based applications and platforms.

Another report by McKinsey & Co. projects that the biggest gains in cloud computing going forward will come from historically change-resistant large enterprises. Based on a survey of 800 CIOs and IT executives worldwide, 77 percent of companies in 2015 used traditional IT infrastructure as the chief environment for at least one workload. In 2018, that will drop to 43 percent, the survey says. Concurrently, companies using the public cloud will grow from 25 percent in 2015 to 37 percent in 2018.

Separately, the major cloud purveyors – Amazon Web Services, Google and Microsoft -- have all been opening multiple data centers in Europe, not only to expand their market but also to satisfy security and privacy-oriented European companies that want to store information closer to home.

In another key cloud computing front – innovation – Amazon has just rolled out a new service to help protect customers against denial-of-service attacks. Far more significantly, major technology companies such as IBM and Microsoft and startups such as Fulton, Md., based Enveil are also working hard on the development of homomorphic encryption to push cloud computing privacy and security to a higher level. When enterprises need to process encrypted data today, it must first be decrypted, a major security vulnerability. Homomorphic encryption would allow data to remain encrypted while being processed, plugging this security hole.  

None of this should suggest that cloud computing customers can be complacent. In weighing the transition to cloud computing, they must have a clear understanding of potential security risks and set realistic expectations with their cloud provider. Failure to ensure appropriate security and privacy protection when using cloud services can lead to higher costs and the potential loss of business, eliminating any benefits.

Potential risks that must be addressed by customers in the cloud transition process include:

  • Making sure that none of the components of security fall through the cracks. Responsibility over aspects of security may be split between the cloud provider and the customer. Failure to allocate responsibility clearly could create security holes.
  • Making sure that your cloud service provider conducts thorough background checks on employees with physical access to data center servers. Also affirm that data centers are frequently monitored for suspicious activity.
  • Making sure your cloud provider appropriately protects the privacy of data subject to the legal requirements of regulation, such as The Health Insurance Portability and Accountability Act (HIPAA).
  • Making sure the identity of users is established with certainty. Remember that cloud resources are accessed from anywhere on the Internet. Strong authentication and authorization are critical.
  • Making sure that the cloud provider has appropriate certifications in place. Customer efforts to achieve certification may be futile if the cloud provider cannot provide evidence of its own compliance with requirements. There can also be problems if the cloud provider doesn’t permit audits by the cloud customer.
  • Making sure security breaches are handled professionally. The detection, reporting and management of security breaches may be delegated to the cloud provider, but these incidents impact the customer. Negotiate notification rules so that you are promptly and fully informed of problems.
  • Lastly, bear in mind you are tied tightly to any particular cloud provider, for better or worse. Applications and data across providers is not easily portable. Because it is difficult to switch to another provider, do everything possible to choose the right one in the first place.

It is obvious that the cloud, coupled with mobile computing, means that the IT landscape reaches far beyond an organization’s premises. This creates new security holes, and the explosive growth of IoT devices further compounds the challenge each and every day. The good news is that these challenges are hardly insurmountable. Strict attention to key details is a cornerstone of cloud computing security. 


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe

Privacy

cloud security privacy

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs