Security and privacy in the cloud

Myths perpetuate, but your internal processes cause the biggest risk in cloud services

Cloud services: the future of computing and service provision or simply one more headache? If you read enough press, you’ll be convinced that both are true. In reality, when you remove the opinions and biases, the truth is in between, but probably not in the way that you would expect.

The benefits of working in the cloud

There’s no doubt that provisioning services from the cloud gives businesses agility and an ability to scale that hasn’t been available previously. As Joe Slaughter, International IT Manager of Pure Fishing, quite rightly states:

“Cloud services are the classic ‘let’s start this again’ heal all for aging infrastructures and traditional IT environments. Like the data center revolutionized network stability, the cloud services are revolutionizing the way we think about storage and enterprise level data. For me the cloud portal apps are a way for us to cut our license costs for core products and speed up the abilities of users to access their data. It sounds simple, but just stripping out the VPN requirements for access makes the user experience a slicker and more inviting one.”

By moving the responsibility for infrastructure and provisioning out into the cloud, businesses can concentrate on their core activities – making and running a successful company.

But it’s in this divestment of responsibility that the dark side of cloud services raises its head, specifically around two main areas: security and privacy. But don’t believe everything you hear.

Myth 1: The cloud isn’t secure

The cloud isn’t secure? What do we mean by security in this case? If it’s access to the hardware, then I guess not having the machines in your server room does mean they’re out of your sight. You won’t have the ability to peruse the server access logs to see who’s gone in and out…

Really?

The fact is that most companies now outsource hosting facilities for at least part of their infrastructure to an external hosting company. In those cases, that level of control is not available, either.

So, is it the level of security around the software? Are we worried that the systems won’t be patched to a secure level?

Servers owned and run by a cloud service provider are much more likely to be patched to a secure level than those sitting within a company owned server. Cloud providers build from a secure and well-tested base image and will roll out patches automatically.

Myth 2: My data isn’t safe in the cloud

Not having control of your data scares a lot of companies – and it’s an understandable concern, as the pressure of complying with regulations such as Sarbanes-Oxley and a raft of other policies that require you to keep records securely for a long length of time is considerable, and the effects potentially far reaching. Control of data is an imperative for today’s organizations. As applications and services move into the cloud, surely this becomes more of an issue?

There are examples of this kind of data loss: bookmarking service Ma.gnolia famously lost all of its users’ data overnight in catastrophic server failure in 2009. It finished the service – it never went back online – and they were unable to recover the data for the majority of users. Even Google had a bad day on February 28, 2011, when it discovered that a software update had deleted email from a large number of user accounts.

Sounds bad, but in fact, there are lessons here.

Ma.gnolia had scaled fast, as users turned to its service from competitor Delicious. In doing so, they chose not to move the hosting to a scalable cloud provider, and instead tried to manage half a terabyte of data on a standalone do-it-yourself server.  It was a harsh lesson learned.

As for Google, by March 1, they had restored the majority of users’ email, with the last few accounts following in the next few days. A combination of cloud-based and tape backup solutions had resolved the issue. The only delay was caused by the resolution of the bug that had caused the data loss in the first place. Google’s data centers are its lifeblood; as a large-scale service provider, they had the processes and infrastructure in place to resolve the problem quickly, unlike Ma.gnolia.

Data analysis from backupify – a backup service for cloud-based apps – showed that of the data loss incidents reported, exactly 0% were Google’s faults. 63% were due to user error.

The truth of the matter

So cloud services can be advantageous, but come with some risks – that would be the takeaway. But it’s not as simple as that. Ian Minors of Mundipharma IT Services:

“Within cloud services, especially in a collaboration situation,  it’s likely that copies of documents will be downloaded to local storage either intentionally or unintentionally, thus the technical implementation is not likely to be the limiting factor from an information control or privacy point of view.”

And there’s the real crux of the issue when using cloud services: as we saw above, it’s very rare that the problem is with the cloud service itself. It’s much more likely that the issue will come from your internal processes.

When mitigating risks associated with security and privacy, it’s important that we start by looking at our own controls. How do you control accounts? What do you do when a user leaves or joins your organization? How do you secure end users’ machines? How do you control and enforce policy around data security? Do you have a data security policy? If a laptop is stolen, how do you deal with the situation?

The issues that surround cloud services are no different than the issues that are already present within our businesses today; we are simply accessing the services in a different way. Security and privacy are a joint responsibility between provider and consumer and if we want to take the benefits of cloud services, we have to be willing to update our processes to the new working paradigms.

Have you embraced cloud services? How have you adapted your processes to the new environment? Have you changed your attitude to privacy and security? Let us know in the comments.