Think your data is safe on the cloud? Don’t let your guard down just yet
CLOUD services have become an efficient and reliable way for organizations of all sizes to deploy business applications, run collaboration platforms, and store data. Software-as-a-service (SaaS) solutions have become so accessible that almost anyone can start at entry level and scale all the way to enterprise level.
However, even though cloud service providers promise certain levels of security, this does not necessarily mean that you are out of the woods when it comes to digital threats. Even platforms as secure as, say, AWS, Azure or Google Compute, there are a myriad of risks involved with having all of the infrastructure controlled by one service provider – drastically different to running an on-prem(ises) system, which you have 100 percent control of.
According to independent analyst and consultancy firm Ovum, 90 percent of global enterprises that utilize the cloud have expressed concern about the security of their infrastructure. Another concern is the lack of visibility and transparency (perceived or otherwise) in terms of the security measures enforced by service providers.
Some issues include:
Bring-your-own-device (BYOD) is a popular and growing trend among organizations. In Asia Pacific, about 72 percent of businesses allow employees to bring their personal laptops, smartphones and tablets for use as work devices. The trend is picking up faster in emerging economies, since such smart devices are cheaper and more accessible than desktops.
Most businesses enforce their own BYOD policies to define standards and to prevent misuse of company data and resources, including administrative control over devices. However, cloud-based accounts are more difficult to manage, especially since data is located in remote servers. In addition, device management might not be as straightforward as an on-prem enterprise setting.
Another concern with BYOD and the cloud is the unfettered access to data. Employees can simply access their work data even outside of office premises. True, one of the main advantages of BYOD is enabling people to work together outside of the confines of an office building, but users may also be synchronizing work data from untrusted devices. This can be risky, especially if data is accessed over public terminals, or if devices get lost or stolen.
One solution here is to enforce a more secure end-to-end protection that actively audits data downloaded or used on someone’s device.
Another source for concern among enterprise cloud users is the potential for data leakages. Even with encrypted connections, there is always the risk that a malicious hacker can take advantage of vulnerabilities between an endpoint and the cloud service.
For example, hackers have successfully exploited man-in-the-cloud (MitC) vulnerabilities, which enabled them to illegally gain access to Box and Dropbox file-sharing accounts. With MitC, the attacker essentially exfiltrates tokens issued by the cloud service provider to gain access to accounts even without knowing login credentials.
Since MitC involves harvesting such tokens from data transferred through the cloud, organizations should closely evaluate any application that transfers data to third parties and monitor these for suspicious activity.
As with any security, strength is only as good as the weakest link. With a cloud deployment, people can still be the most vulnerable point, especially when users are prone to social engineering attacks.
This could include phishing or spoofing, which can harvest valid user credentials. Such confidence-based fraud can give hackers the keys to the kingdom, so to speak. A user with high-level access could give away his or her password unwittingly, thus leading to data breaches.
Cloud apps are particularly prone to such attacks primarily because they are globally-accessible, unlike on-prem applications, which usually require either a VPN or a more direct connection. And since IT managers don’t usually have direct control over certain administrative functions, addressing these concerns will require close coordination with the service provider.
One possible solution here is to use two-factor authentications in user logins, to help prevent unwanted access. Another safeguard would involve training users to be more discerning, so they don’t fall victim to such attacks.
Cloud security should be a shared responsibility between the service provider and IT department, especially if it is meant as an enterprise-grade offering. Organizations will need to leverage tools and platforms that give better control over their data and who is allowed access. Since the human factor is an added vulnerability, businesses will need to educate users on proper safety and security measures while using cloud apps.