When your data and files are going to be ‘up there somewhere’, it’s only normal that you’ll want to think security in the cloud. You could of course adopt the strategy of never betting more (data) than you can afford to lose. However, the cost reductions available and the massive move of your competitors to the cloud may force you to use rather more of it than you anticipated. Gotta keep up with the neighbors, right? Well, it turns out that the applications you live next to in cloud computing can also be a source of security risk for you…
1. Not So Nice Neighbors
Depending on what kind of cloud computing you want to do, other customers may affect you in a couple of ways. For example, if a multitenant cloud database is not properly designed, a flaw in somebody else’s application may open the door for a hacker to everybody’s data in that database. At another level of sophistication, virtual machines running on the same hardware can spy on each other (‘side-channel analysis’) to pick up information on the cryptographic key being used by the other VM. This requires a high level of hacking skill, but it has been shown to be doable.
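To make the multitenant design point concrete, here is an added example (not part of the original article) that runs the same application flaw, a query missing its tenant filter, against a shared-table design and a database-per-tenant design. The tenant names, table layout and the flaw itself are constructed assumptions, and database-per-tenant is only one of several ways to enforce isolation below the application.

```python
import sqlite3

# Constructed sample data: (tenant, invoice reference, amount).
ROWS = [("acme", "INV-1", 1200), ("acme", "INV-2", 300),
        ("globex", "INV-9", 9900), ("initech", "INV-4", 75)]
SCHEMA = "CREATE TABLE invoices (tenant TEXT, ref TEXT, amount INTEGER)"

# The application flaw: the tenant filter (WHERE tenant = ?) was left out.
FLAWED_QUERY = "SELECT tenant, ref, amount FROM invoices"


def _new_db(rows):
    """Create an in-memory database holding exactly the given rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", rows)
    return db


def shared_table_design():
    """Weak: every tenant's app talks to one table; isolation lives only in
    each application's SQL, so one missing WHERE clause exposes all rows."""
    shared = _new_db(ROWS)
    return {tenant: shared for tenant, _, _ in ROWS}


def database_per_tenant_design():
    """Stronger: each tenant's app is handed a connection to a database that
    contains only that tenant's rows."""
    tenants = {t for t, _, _ in ROWS}
    return {t: _new_db([r for r in ROWS if r[0] == t]) for t in tenants}


def exposed_tenants(design, flawed_tenant):
    """Run the flawed app's query and report whose data it can read."""
    conn = design[flawed_tenant]
    return {row[0] for row in conn.execute(FLAWED_QUERY)}


if __name__ == "__main__":
    for name, build in [("shared table", shared_table_design),
                        ("database per tenant", database_per_tenant_design)]:
        seen = sorted(exposed_tenants(build(), "acme"))
        print(f"{name}: flawed 'acme' app can read {seen}")
```
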
2. Hijacking
So you thought it only happened in airplanes? Now, with the cloud you too can be hijacked. If a hacker can obtain your account and login information, then that person (or entity) can listen in on your business, hack your data, forge results and redirect your own customers to sites chosen by the hacker. Does a hacker need amazing technology to get your connection credentials in the first place? Not necessarily. Phoning your IT department and pretending to be your cloud provider who ‘needs to run a test’ is sometimes all it takes.
3. You Want Me to Leave My Keys with YOU?
Sure. We, your friendly cloud service provider, can offer you industrial strength encryption within our systems and nobody else will be able to see your data. Unless it happens to be people like the government who can lean on us and force us to reveal all your data to them. In other words, the problem is not in the encryption itself, but in the location and management of the encryption key. This situation is not helped by statistics that indicate that insider attacks are also a significant threat in cloud provider establishments. Encrypting your data yourself, either before you send it or as it is generated in the cloud, may be a much safer way to handle things.
The Flip Side of Cloud Computing Security (the Good News)
Undeniably, the cloud introduces new security risks. Besides the three above, we could add others due to vulnerabilities in the APIs used by customers to transfer data and management applications in the cloud; or the possibility that a cloud provider goes out of business, taking your info and apps with it. However, cloud providers with a solid reputation tend to have reasonable IT security standards, both at physical and logical levels. In fact, compared to many on-premises computing installations, cloud providers that diligently maintain the protection of their systems may simply be safer when all is said and done. It’s a tradeoff to be thought about. For some enterprises, the most effective security upgrade they could make might still be to stop doing their IT on their site and start doing it in the cloud.