Cloud technology has improved dramatically but its security implications are once again under the spotlight. Is cloud allowing firms to keep their data safer, or exposing them to greater risk?
Recent revelations from National Security Agency (NSA) whistleblower Edward Snowden made companies aware that communications – such as those passing through cloud technology – could be subject to government surveillance. This is breeding paranoia and spurring many European firms to demand that their data storage be removed from servers hosted on U.S. soil.
These fears are supported by a recent report which concludes that rising levels of government surveillance is leading firms away from cloud computing. According to the report, the presence of automated hacking tools means that even a small number of improperly secured resources are certain to give hackers free reign on the network – and access to customers’ private data – within minutes of an incursion.
There does not seem to be a fix-all solution – although some experts suggest the type of cloud used makes a difference. After all, a private cloud is likely to be more secure than a public one. On top of this, countries within the European Union (EU) are considering following the example of the French and adopting national clouds in the struggle to ensure data is protected.
Even with such measures in place, resisting government surveillance is futile, experts say. Whether private, national or public clouds are used, data will still be available to government spies – and criminals – if they really want it.
Currently, most cloud service providers are U.S.-based, which is leading some to roll out European-wide data centers, says Alvaro Hoyos, director, risk and compliance at San Francisco-based OneLogin, which provides single sign-on and identity management for cloud-based applications. However, he adds, because of the NSA revelations, there will always be a stigma – even if servers are not located in the U.S.
Therefore, it is wise to assume that if one is using communications technology, the government will intercept it, Mike Small, ISACA member and analyst at Kuppinger Cole, tells SC Magazine.
He advises firms to take a risk-based approach. “You have to understand what you are putting at risk and to do that, you need to understand your data,” he says.
If you approach it in this way, the cloud can be hugely beneficial to most firms, says Jamal Elmellas (left), technical director at London-based Auriga Consulting: “Cloud providers can offer a plethora of expertise. However, adopting the technology requires due diligence and governance. You need to read the small print.”
It’s therefore important to ask the right questions. According to Elmellas, firms should ask if data is going to be available to local authorities and will it be at risk in certain parts of the world?
Other risk factors associated with cloud include decreased visibility and control. Adding to this, many firms new to the technology do not understand the division of responsibility between themselves and the provider.
“Providers may not allow customers to instrument their own cloud usage to the extent they would like, and they may not be able to provide logging and monitoring directly to those customers,” says Wendy Nather, analyst at 451 Research, adding that while the largest providers, such as Amazon, are working to increase both control and visibility options, “the smaller ones haven’t worked this out yet.”
Companies need to acknowledge the shared model between themselves and the provider, agrees Stephen Coty, chief security evangelist for Houston-based Alert Logic, which offers security-as-a-service in the cloud. “Number one is understanding that, and two is being aware of the security offering. Look at what the offering is and ask the right questions,” he advises.
As part of this, it’s essential to look at disaster recovery options. “You need to treat the cloud as an extension of space,” says Coty. “You need to put in intrusion protection on top of firewalls. Treat it as you would your enterprise environment: layering and covering your apps.”
But public clouds are coming under increasing scrutiny, especially for firms that look after sensitive data. Public clouds allow data to reside anywhere globally, putting firms at the mercy of local legislation. “You have far less control in the public cloud,” Elmellas says. “Even less if you are using widely available tools such as Amazon and Google, as you are buying into a mass-produced product. You won’t have the availability and jurisdiction of private cloud.”
For example, adopting a private cloud allows firms to have a say in which country data will be stored in. “If you develop engine components for fighter jets, you don’t want data in China,” says Elmellas. “You want to have a say in where your data sits, as governments may have access to it.”
Then there is the concept of national clouds, the idea of keeping data in a chosen country or region. A “European cloud” has been talked about, while the French have a “sovereign cloud” scheme, which actually pre-dates the NSA revelations. Meanwhile, the German government has gone so far as to declare it will no longer work with companies that hand data over to any organization that cannot guarantee data is beyond the reach of foreign services.
But national clouds don’t make a huge difference when it comes to NSA initiatives such as warrantless surveillance, says Junaid Islam (left), president and CTO at Vidder, a Campbell, Calif.-based managed services provider, and co-chair of the CSA SDP Working Group [The Cloud Security Alliance/ Software Defined Perimeter]. “The issue in the U.S. was about getting information without a warrant and you can do that anywhere in the world. There is a disconnect between the problem and the solution.”
It’s easy to penetrate a server within a national cloud because it poses “little obstacle,” says Sean Sullivan, security adviser at F-Secure, a computer security company based in Helsinki, Finland. “It is better to store data in a secure and encrypted way and locate it where it’s most cost effective.” Also, he says, data may be at risk of natural disasters as data centers can be flooded, burned or damaged. “Smaller countries might not feel that’s a good bet.”
Further, national clouds will never be as efficient and cost effective as other varieties, Elmellas says. “If there’s a pool of resources that are only used between 9 a.m. and 5 p.m., then it will be static the rest of the time. If cloud is being used 24 hours a day, those resources are being re-used and re-deployed. That processing power is constantly being used.”
Public clouds have evolved a lot in the last two years, says Islam. The newer ones are sophisticated in terms of features and can provide the same functionality as a private cloud, he says. “You can set specific networking policies, you can build in your own encryption and they have a whole set of tools to monitor the progress of the system.”
This is leading some firms to offer a bare metal build to customers, he says. Others are adding more software tools to ensure integrity. “The importance of secure networking and data encryption has grown over the last year,” Islam says. “There is a difference between public and private clouds, but the gap is getting smaller. The toolsets are similar.” One of the beauties of public clouds, he points to, is they have data centers with redundant connections between them. It’s difficult to have this scale on your own, he says.
Meanwhile, there has been a growth in start-ups specializing in cloud application control, says Nather (left). This gives enterprises more control from outside of the provider’s network. “They offer fine-grained views and policies over how an enterprise uses SaaS applications, for example, and some may cover gaps in the provider’s security, such as forcing encrypted connections.”
Another area of expansion is so-called compliant clouds, where providers specifically offer a level of security and reporting that corresponds with requirements such as PCI-DSS or those from the government. “There are also providers specializing in high-security cloud environments, where tenants are more restricted in what they can do, but are willing to make the trade-off for higher levels of assurance,” Nather adds.
Or, firms can adopt the hybrid model, where some data is kept offsite and some on-premises. “Government and its suppliers prefer this method,” says Elmellas. “If you are concerned and you have money, you might keep that in-house and then farm out apps.”
The consensus, then, is to not shy away from cloud. Its functionality far outweighs the risk, our experts concur. Firms must make certain they ask the right questions of their provider, as well as putting in place the appropriate security measures, such as encryption. After all, it is the company that is responsible for its data.
There is no silver bullet to prevent the government accessing data, Elmellas says. “Yes, you can put data beyond the reach of certain governments, but if they really want access, they will get it. All you can do is increase the amount of effort required to access that data.”
A version of this article originally appeared in SC Magazine UK.