When Cloud meets Cyber?
Cloud is a hot topic and so is cyber security. What happens when the two meet?
The popularity of cloud computing continues to grow. One recent report found that 92% of organisations now use at least one public cloud. Amongst the reasons for this are savings in time and money, and the ability to access systems from anywhere that is internet-connected.
In essence, cloud is a simple concept – running your systems on someone else’s computers. And thinking about it in these terms helps to clarify the cyber security issues, for example:
- where is the data?
- how is the data accessed?
- who is responsible for security?
Where is the data?
It’s in a data centre “somewhere”. But that could potentially be anywhere in the world. It is important that cloud customers understand exactly where their data is, and also where it might be moved if its usual location were to become unavailable. Location may affect compliance with legislation, such as data protection, and the legal jurisdictions within which the cloud provider operates may also be a concern for some organisations.
Increasingly, cloud providers are offering assurances that data will remain within the UK, sometimes at an additional cost.
How is the data accessed?
Typically, customers access cloud services via the internet and this raises several questions. How stable and reliable are the connections between the business and the internet? Is there a risk that internet connectivity could be unavailable for a period of time? Would the business be able to operate during that time without its cloud-based applications?
It is also important, if access can be gained from anywhere with an internet connection, to ensure that user accounts, especially administrator accounts, are protected by passwords that are difficult to guess. Two-factor authentication may also be appropriate. And file permissions are another area to consider. They need to be set correctly if private information is not to be accidentally made public.
Who is responsible for cyber security?
Every cloud provider operates a shared responsibility model for cyber security. The provider is responsible for some elements of security. The customer is responsible for other elements.
For example, in an Office 365 environment, Microsoft operates and secures the infrastructure. It also provides application controls to help customers protect their information. The customer in turn is responsible for configuring these controls to secure their data. The customer is also responsible for the security of the endpoints from which they access the data.
It is vital that the customers of any cloud provider have a clear understanding of where these responsibilities lie. This enables them to confirm both that the provider is meeting its commitments and also that they, the customer, are meeting theirs. I know of one business where security patches were not installed for a period of time because it had mistakenly been assumed that patching was the cloud provider’s responsibility.
What’s the bottom line?
In summary, the same cyber security principles should be applied to the cloud as to any other environment. Controls should be implemented based on an assessment of the risk, and checks made to ensure that security is correctly configured with nothing being overlooked or falling into a gap between supplier and customer.
The good news is most cloud providers present a wealth of information on their security accreditations, their certifications, and the controls they have in place. And many offer a level of cyber security well beyond what most of their customers could afford to implement in-house.
For most organisations, there is no reason why cyber security should prevent the adoption of cloud computing provided the issues described in this blog are acknowledged and addressed.
If you would like a security assessment of your current or planned cloud environment, please do not hesitate to contact us. We will be delighted to help.