Cloud technology has improved dramatically but its security implications are once again under the spotlight. Is cloud allowing firms to keep their data safer, or exposing them to greater risk?
Recent revelations from National Security Agency (NSA) whistleblower Edward Snowden made companies aware that communications – such as those passing through cloud technology – could be subject to government surveillance. This is breeding paranoia and spurring many European firms to demand that their data storage be removed from servers hosted on U.S. soil.
These fears are supported by a recent report which concludes that rising levels of government surveillance are leading firms away from cloud computing. According to the report, the presence of automated hacking tools means that even a small number of improperly secured resources are certain to give hackers free rein on the network – and access to customers' private data – within minutes of an incursion.
There does not seem to be a fix-all solution – although some experts suggest the type of cloud used makes a difference. After all, a private cloud is likely to be more secure than a public one. On top of this, countries within the European Union (EU) are considering following the example of the French and adopting national clouds in the struggle to ensure data is protected.
Even with such measures in place, resisting government surveillance is futile, experts say. Whether private, national or public clouds are used, data will still be available to government spies – and criminals – if they really want it.
Currently, most cloud service providers are U.S.-based, which is leading some to roll out European-wide data centers, says Alvaro Hoyos, director, risk and compliance at San Francisco-based OneLogin, which provides single sign-on and identity management for cloud-based applications. However, he adds, because of the NSA revelations, there will always be a stigma – even if servers are not located in the U.S.
Therefore, it is wise to assume that if one is using communications technology, the government will intercept it, Mike Small, ISACA member and analyst at Kuppinger Cole, tells SC Magazine.
He advises firms to take a risk-based approach. “You have to understand what you are putting at risk and to do that, you need to understand your data,” he says.
If you approach it in this way, the cloud can be hugely beneficial to most firms, says Jamal Elmellas, technical director at London-based Auriga Consulting: “Cloud providers can offer a plethora of expertise. However, adopting the technology requires due diligence and governance. You need to read the small print.”
It's therefore important to ask the right questions. According to Elmellas, firms should ask whether data is going to be available to local authorities and whether it will be at risk in certain parts of the world.
Other risk factors associated with cloud include decreased visibility and control. Adding to this, many firms new to the technology do not understand the division of responsibility between themselves and the provider.
“Providers may not allow customers to instrument their own cloud usage to the extent they would like, and they may not be able to provide logging and monitoring directly to those customers,” says Wendy Nather, analyst at 451 Research, adding that while the largest providers, such as Amazon, are working to increase both control and visibility options, “the smaller ones haven't worked this out yet.”
Companies need to acknowledge the shared model between themselves and the provider, agrees Stephen Coty, chief security evangelist for Houston-based Alert Logic, which offers security-as-a-service in the cloud. “Number one is understanding that, and two is being aware of the security offering. Look at what the offering is and ask the right questions,” he advises.