Cloud Security: It’s in the Cloud - But Where? (Part I)

Monday, June 15, 2015

Steve Durbin


Organizations are becoming increasingly dependent on their use of cloud services for business benefit both internally and when working with third party suppliers across multiple jurisdictions. However, while these services can be implemented quickly and easily, organizations need to have a clearer understanding of where their information is stored and how reliable these services are. With increased legislation around data privacy, the rising threat of cyber theft and the simple requirement to be able to access data when you need it, organizations need to know precisely to what extent they rely on cloud storage and computing.

Benefits and Business Drivers of the Cloud

The benefits of cloud services are changing the way organizations are managing their information and using IT. Today, virtually every organization relies on a standard set of solutions to enable day-to-day operations. These solutions include outsourcing and cloud offerings - and it’s right that they should. There’s no point in re-inventing the wheel every time, and it’s only normal to expect that the drive to cut costs and increase value will push non-core business processes out of the organization.


The business drivers for cloud computing – low cost, flexibility and almost immediate accessibility – are compelling to businesses and this explains why the adoption of cloud computing services is growing rapidly. The downside to the cloud is that it could leave organizations susceptible to cyber security incidents, including hacking and data leakage – along with the potentially significant hit to their reputation. Additionally, regulated firms face the risk of investigative and enforcement actions if their systems and controls, or their oversight and governance arrangements, are deemed inadequate to detect, protect against and manage cyber-attacks.

So what exactly is the cloud? Is it simply Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS)? For me, it’s slightly bigger than that. It includes all of the types of cloud - private, public, hybrid and community.

But it doesn’t end there, does it?

From a cyber security perspective you need to include the access points as well. We shouldn’t forget the way that people are accessing the cloud. This includes mobile phones, laptops, tablets and even the new Apple Watch. If we look at it from that perspective, there are a lot more issues than just securing the cloud itself. This emphasizes the need for us to be prepared for the unexpected, and this preparedness comes from becoming more resilient.

How Much Control Do You Really Have?

Take a moment and think about how much control you actually have over a cloud provider or over your data when it is in the cloud. A good starting point that all businesses should put in place is to create a corporate policy. Do you have a strategy for using cloud services within your organization? Has your corporate policy been committed to by executive management? Furthermore, is your corporate policy consistently applied across the organization, if indeed you have one? There are a lot of questions here that you need to answer.

One that must be asked first is “what is the business problem that we’re looking to solve with the Cloud?”

Organizations are increasingly storing and processing sensitive data across multiple boundaries. This includes private, public and hybrid clouds, bring-your-own devices (BYOD) and third party providers. But think about this for a moment. How much of your private data, shared with third party providers, has unwittingly been put in the cloud? They may have put it into the cloud, but are you aware, and do you know where it is?

Against this backdrop, you still need to comply with your corporate policy as well as the privacy laws and regulations that have been put in place. Demonstrating that compliance can be difficult and the problem is exacerbated by the fact that some of the traditional information security protection methods you have in place may be rendered ineffective due to the lack of control you have.

One of the key concerns around cloud is the lack of visibility into some of the security methods that are currently being used. The good news is that cloud providers have raised their game, and this is an area that has improved over the past 18-24 months. The security is getting better. Another concern is the potential for other users to access your sensitive data. How do you guard against co-mingling? Do you actually know where your data is going to be located?

In the end, it all comes down to location. Even though your data may be sitting in someone else’s cloud, the responsibility for the management of that information falls on you. You can’t outsource that responsibility. You need to know where the data is stored, how it is transmitted and how it is accessed. This is fundamental for putting cloud-based controls in place.

An increasing dependence on the integrity of the cloud, and of the data being stored in the cloud, is raising further concerns. Service providers are becoming a clear vulnerability, leading to more and more security challenges as the way information is managed in the cloud increases the complexity of the risk.

In Part II, I’ll take an in-depth look into how organizations can enable cloud resilience and the need to secure the cloud provider.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
