You may have heard that cloud computing is the best way to protect and manage your company’s cyber security. You may have already jumped on the trend. All of your important data, your platform, and your software can be snugly ensconced in a cottony, protective cloud. But cloud computing has its own vulnerabilities, so taking steps toward managing risk for cloud computing is critical for businesses of all sizes.
Put simply, cloud computing is the delivery of computing resources, such as data storage, software applications, and platform maintenance, over the Internet, usually on a subscription basis. The cloud started out as simple data storage but has expanded to provide many types of computing services, including software as a service, infrastructure as a service, and platform as a service (commonly referred to as SaaS, IaaS, and PaaS).
Public, private, and hybrid clouds are the three primary forms. A public cloud is a set of hardware, networking, storage, services, applications, and interfaces owned and operated by a cloud service provider (CSP) for use by consumers under user contracts. A private cloud consists of hardware, networking, storage, services, applications, and interfaces owned and operated by an organization for the use of its employees, partners, and customers; it may be created and managed by a CSP. Most common is the hybrid cloud, a blending of private cloud capabilities with public cloud services. This article addresses managing risk for cloud computing for public and hybrid cloud models.
Cloud computing is one way to manage cyber security threats for small businesses, including cyber attacks. But cloud vulnerability presents its own risk.
The Hows of Managing Risk for Cloud Computing
As cloud computing continues to explode, with even the federal government aiming to get all federal agencies operating in the cloud, the security risks are expanding and changing. The non-profit Cloud Security Alliance offers an annual report ranking the top cloud vulnerability threats according to a survey of industry experts. The August 2019 report noted that previous areas of high concern—denial-of-service (DoS) attacks, weaknesses in shared systems, and problems with data loss and vulnerabilities at the CSP level—had been dropped from the 2019 list. But new issues include “potential control plane weaknesses, metastructure and applistructure failures, and limited cloud visibility,” which the Cloud Security Alliance considers more nuanced and mature concerns.
The continued explosion of cloud computing and its applications and the addressing and resolution of some risks mean that the cloud vulnerability threats discussed today may not be the same ones your business will face tomorrow or next year.
Identifying Vulnerabilities and Managing Risk for Cloud Computing
Data breaches remain a top risk for any organization, especially those subject to regulatory oversight that may subject them to substantial fines for such security failures. And any business fears the legal liability, financial devastation, and loss of customer trust and valuable intellectual property that can result from a data breach. Sending correspondence, notes, and draft documents to clients via a third-party manager and storing these and other records on cloud servers could open company and client information to exposure.
Similarly, cyber attacks remain high on the list of security threats for small businesses that are associated with cloud computing. Why should a hacker focus on one company, when a cloud attack could open the door to the information of hundreds or thousands of companies?
Access management presents another risk of cloud computing. When your data was nestled in that hot, mysterious closet on the third floor of your office building, you knew who had a key to that physical door and who had passwords to access it. With cloud computing, that control is lost.
Additional risks in cloud computing involve the cloud computing architecture, including on- and offsite hardware, middleware, and software, as well as the interactions and relationships between those components. Each piece of the architecture presents a separate gateway through which a hacker may gain entry or through which data and processes may otherwise become insecure.
The geolocation of cloud services refers to the physical location of the machines providing services or holding data. (Hint: it isn’t actually in a cloud in the sky.) A CSP may have multiple storage locations across the globe, and, for security and/or regulatory reasons, it may be important to your business where that location is and that it not be changed without your knowledge and consent.
Another and somewhat related concern for cloud computing consumers is visibility. For example, the consumer may not be able to observe or manage the geolocation of its data. It may not be able to observe or manage the volume of use or the users of its data and services. The consumer does not see and cannot control who within the CSP has access to its data and services.
Is Your Cloud Service Provider Doing the Job?
Cloud service providers tout security as one of the top reasons for cloud migration and will provide lots of examples of why cloud security for small and medium business is vastly improved over traditional models. In some respects, this is true. The firewalls, access sophistication, and continual updating and monitoring inherent in the cloud environment are generally far superior to the static, rarely updated security measures in place in that room on the third floor of your building. But, as indicated, cloud vulnerability presents different risks. Businesses are generally not familiar enough with these additional dangers to even ask about them.
The cloud computing environment represents a sharing of responsibility for managing hardware, software, applications, processes, and data; it also requires sharing responsibility for managing risk for cloud computing. No matter how ironclad a CSP’s firewall is, a business’s lax management and control of passwords and access will create significant cloud vulnerability.
While CSP contracts may provide certain security assurances, they also may include disclaimers and other risk-shifting provisions that leave the business unprotected in the case of a security incident. Businesses should be aware of how risks and responsibilities are contractually allocated and take steps to fulfill their side of the security equation.
Allocating Risks and Monitoring Solutions
The architecture of a business’s cloud presents both a risk and a solution. Zero trust architecture (ZTA), for example, involves network security paradigms that narrow defenses from wide network perimeters to individuals or small groups of resources. The federal government’s National Cybersecurity Center of Excellence is developing architecture solutions with industry partners to help businesses interested in better managing risk for cloud computing.
Geolocation issues are also being addressed by the National Cybersecurity Center of Excellence, again with industry partners, with the project Trusted Geolocation in the Cloud. This project has developed multiple steps for ensuring accurate geolocation reporting, among other security measures.
Access issues are a shared responsibility. Your business should shoulder its side of this responsibility by developing the most secure access controls and protocols possible within the business model. The National Cybersecurity Center of Excellence recommends adoption of attribute-based access control (ABAC), using commercially available products that can synchronize with the business’s existing infrastructure. Such control provides a granular approach to security threats for small businesses, granting appropriate permissions and limitations for the same information system for each user based on individual attributes.
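To make the attribute-based model concrete, here is an added example (not from this article or from the National Cybersecurity Center of Excellence) of a small policy evaluator in which three users receive different decisions on the same record. The attribute names, rule names, and sample users are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    subject: dict    # user attributes (hypothetical: department, role)
    resource: dict   # resource attributes (hypothetical: owner_dept, sensitivity)
    action: str      # "read" or "write"
    context: dict = field(default_factory=dict)  # environment: mfa, device_managed

def same_dept(r):
    return r.subject.get("department") == r.resource.get("owner_dept")

# Each rule is (name, effect, predicate over the request's attributes).
RULES = [
    ("deny-confidential-on-unmanaged-device", "deny",
     lambda r: r.resource.get("sensitivity") == "confidential"
     and not r.context.get("device_managed", False)),
    ("permit-read-same-department", "permit",
     lambda r: r.action == "read" and same_dept(r)),
    ("permit-write-manager-with-mfa", "permit",
     lambda r: r.action == "write" and same_dept(r)
     and r.subject.get("role") == "manager"
     and r.context.get("mfa", False)),
]

def decide(req):
    """Deny-overrides: any matching deny wins; no matching rule means deny."""
    matched = [(name, effect) for name, effect, pred in RULES if pred(req)]
    for name, effect in matched:
        if effect == "deny":
            return ("deny", name)
    if matched:
        return ("permit", matched[0][0])
    return ("deny", "default-deny")

# Constructed sample data: one record, three users, two device contexts.
LEDGER = {"owner_dept": "finance", "sensitivity": "confidential"}
ALICE = {"department": "finance", "role": "manager"}
BOB = {"department": "finance", "role": "analyst"}
CAROL = {"department": "sales", "role": "manager"}
OFFICE = {"mfa": True, "device_managed": True}
PERSONAL = {"mfa": True, "device_managed": False}

if __name__ == "__main__":
    for who, user, action, ctx in [
        ("alice", ALICE, "write", OFFICE), ("bob", BOB, "write", OFFICE),
        ("bob", BOB, "read", OFFICE), ("carol", CAROL, "read", OFFICE),
        ("alice", ALICE, "read", PERSONAL),
    ]:
        print(who, action, decide(Request(user, LEDGER, action, ctx)))
```

The default-deny fallthrough is the part to preserve in any real policy: a user whose attributes match no rule gets no access, so a missing or misspelled attribute fails closed.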
Understanding areas of cloud vulnerability and how to address them can help your business remain digitally secure. Businesses can explore further options for managing risk for cloud computing with an IT professional for SMBs, or read more articles on SMB IT.