Understanding the Security Risks of New Cloud Software

Cloud computing provides businesses with quality solutions for their IT needs, as well as substantial cost savings over purchasing and maintaining their own hardware and software. Cloud services are generally pay-as-you-go solutions that offer flexibility and are scalable to business growth. With rising competition among cloud providers, customers benefit from falling prices and improving services. However, some concerns about cloud security risks appeared early in the industry and are still relevant today.

Exposed Data Transfers

All information traveling between your company network and the servers of your cloud provider exists, if only briefly at times, on the internet, where it could possibly be captured by malicious computers. Both providers and customers must ensure that all data transfers occur over secure channels. You should only connect to URLs beginning with "https", a more secure protocol than traditional "http" sites. In addition, all data should be encrypted before you send it, then authenticated at endpoints by the latest standards, such as IPsec or PAP.

Data Breaches

Over 886 million data records have been compromised over the last decade. Public perceptions of high risk could create severe problems for companies. Your data should be securely stored on the provider's computers—not only in database or file storage, but in application processing. In the past, most cloud services have provided encrypted data storage, but few took measures to ensure that data is also protected when in use by applications. This is a favorite weak spot for hackers to exploit, particularly user account information. Even "deleted" data may be exposed if the encryption keys are not also deleted.

Separation of Data

Cloud services generally operate on a shared-resource basis, as many of their small business clients have limited needs and it would not be cost-effective to isolate their data in separate environments. The more user accounts that share the same memory and OS resources, the greater the chance of introducing malicious code. The Cloud Security Alliance has warned in the past that hackers are focusing efforts on the vulnerabilities of shared computing. Although software like hypervisors can create and manage separate virtual environments, it's important that cloud providers ensure some level of compartmentalization so user data or applications aren't compromised by malicious software.

Access Control

Data stored with a cloud provider could possibly be accessed, or left exposed, by the provider's employees, whether accidentally or with malicious intent. You have none of the access control that you would have within your own company. You should always consider the sensitivity of the data you're sending over the cloud, as well as the level of risk in terms of how much damage it could do if this information is stolen. Providers should observe strict physical security, employee screening, and minimal access permissions even on their own premises.

Sophisticated Attacks

Modern cloud landscapes face inevitably more sophisticated attacks. Organizations are losing 7.6 percent of their revenue due to identity fraud. The code they use is designed to escape detection by common anti-malware solutions and can lie dormant for days or weeks until an opportunity presents itself. In recent years, attacks have focused less on data theft than on denial-of-service attacks. This "ransomware" prevents access to your own files until the hackers are paid to release the data. Evolving threats call for more advanced solutions. Security companies like Blue Coat and Symantec have focused their efforts on advanced threat protection that integrates both local and cloud services into the same comprehensive security policy.

Many cloud providers might point out that most of these vulnerabilities can exist on the client end. It's important not to place complete reliance on the provider's security measures without implementing your own. Not all cloud services are the same. No provider—at any price—can guarantee 100 percent protection, particularly if you don't have good security policies in effect on your own network.

In spite of the risks, cloud computing offers many advantages that shouldn't be dismissed. The key is to do your own thorough research on each of those risks, then put the proper failsafes in place to protect your data. By following secure protocols and installing the proper security measures, you can take advantage of the new cloud tools that are regularly released while keeping your data secure.

Follow Me

Carol M. Evenson

Data Security Consultant at Evenson Corporate Consulting
Carol Evenson is a data security consultant specializing in cloud management and process analysis. She currently assists organizations within the continental US and UK.
Follow Me
About Carol M. Evenson

Carol Evenson is a data security consultant specializing in cloud management and process analysis. She currently assists organizations within the continental US and UK.

Leave a Reply