Cloud Security Pitfalls to Avoid

Cloud computing technology is fast becoming an attractive alternative to maintaining IT systems and applications on premise. In-house management and maintenance of IT is costly and resource-hungry. Small and medium-sized businesses in particular benefit from the way cloud services give them access to greater processing power and IT expertise than they could ever aspire to with the modest budgets and resources of their own.  Cloud computing also provides an opportunity for large organizations to enjoy economies of scale for the high data volumes produced by the many and various devices, operating systems and applications they use.

In some respects data in the cloud is covered.  By handing over responsibility for the day-to-day management of data to a cloud services provider (CSP), a business is free to focus on its core functions while teams of IT and data security experts take 24/7 care of any technical concerns. Having data sitting in someone else’s data center over the Internet instead of on IT systems in-house can also be an advantage – especially for a small business. Opportunities for thieves and hackers to steal valuable information are considerably reduced when on premise systems are kept to a minimum. Nevertheless, anyone connecting to the data in the cloud should still be using a VPN (Virtual Private Network).

Cloud computing is no different from any other kind of computing environment where security is concerned. It is open to an array of threats such as:

• Malicious external attacks – data breaches, account hijacking and Denial of Service (DoS) attacks are just as likely to occur to a Cloud computing service whose use of remote computers to perform parallel tasks is open to malicious infiltration at multiple points, especially if hackers manage to obtain credentials through phishing or other social engineering techniques to gain control over a user’s account
• Internal threats and hardware errors – unhappy employees or careless mistakes can result in data loss as can hardware failure
• Insecure APIs – Application Programming Interfaces (APIs) made available to integrators and developers to help them provide services are potentially accessible from anywhere on the Internet and if not properly secured could allow attackers to build their own application to manipulate customer data
• Service downtime – a major benefit of cloud computing is the promise of continuous availability of services and applications but outages, while rare, can and do happen so customers must maintain a business-as-usual contingency for this
• Lack of due diligence – failure on the part of the customer to ask the right questions up front can lead to a mismatch between what they think they are getting and what the CSP is actually prepared to deliver

Cloud service providers are IT experts and have the skills and resources needed to detect all of the above issues and prevent them from impacting on normal customer operations.  However, there are some additional precautions that cloud services customers should take to further minimize the risks. These include:

• Prohibit account sharing – implant a policy that prevents users sharing account credentials with one another or with suppliers  and supplement this with two-factor authentication processes
• Use Single Sign-on (SSO) – an efficient way to manage hundreds of user accounts, automatically removes access privileges when someone leaves the company and saves users from having to remember multiple passwords for access to different applications or services
• Ensure in-house operating systems and applications are kept up-to-date – discontinued software like Windows XP and outdated browsers, like Internet Explorer 7 have known security vulnerabilities that are a challenge to support
• Engage an IT auditor – Work with a third-party IT consultant to regularly audit systems and assure cloud security meets industry standards
• Undertake due diligence when selecting a CSP – review the CSP’s security history and references; ask about known security vulnerabilities and be sure the service agreement covers all important eventualities
• Implement end-to-end virtual private network (VPN) – to minimize risk data should be encrypted prior to upload, in transmission and while at rest

Organizations cannot rely on cloud services providers for secure data communications. The majority of CSPs take the view that it is the users’ responsibility to secure remote access to cloud resources. The easiest way to take protect access to cloud data is to use a location-to-location VPN tunnel. This type of VPN solution must be flexible for users to establish connections and support IPsec and SSL. It should also enable seamless roaming between various means of communication transport such as data networks and Wi-Fi. A comprehensive VPN solution also enables IT administrators to centrally manage all clients and components of the VPN infrastructure. Alternatively, CSPs will offer VPN as a Service (VPNaaS), making it even easier to manage remote connections without compromising security.

In summary, it is a common mistake to think of cloud computing as different from on-premise simply because the day-to-day responsibility for data communications is outsourced.  In reality one can never make that assumption. Most cloud service providers have a disclaimer in their SLA that holds the user wholly responsible for the security of their data. For this reason valuable data traffic should never be in open or clear text, it should be encrypted via a VPN.