What is cloud security?
Storing data in the cloud has many benefits, but failure to secure it can lead to very real consequences
The value of data to modern businesses can hardly be overestimated. For some, data insight is what drives their success, for others, it's their most valuable commodity.
The amount of data available is hard to store and process on-premise, though, which is what has driven the popularity of the cloud. With cloud storage services like AWS, Google Cloud Platform and Azure, as well as cloud software products like Salesforce and Workday, even the smallest businesses now have access to analytical tools that were previously only within the reach of the very largest banks, retailers and the like.
While this is extremely useful, it presents a new problem from an information security point of view: How to secure all this data when it's located in the cloud and, increasingly, scattered across several services.
This is where cloud security comes in. Also known as cloud computing security, it consists of a set of controls, procedures, policies and technologies that work to protect your cloud-based systems and infrastructure.
Here are some of the threats facing your data in the cloud and how cloud security systems can mitigate them.
What is cloud security?
Cloud security is the protection of data, systems and applications that an individual or business keeps within the cloud, whether that be public, private, or hybrid. This could include implementing tools such as firewalls, VPNs, password managers and other controls that regulate access to data.
This is because it's not the cloud itself that needs to be secured, but the various points of entry there are, be it through login credentials for an app or restricting the number and variety of devices that can access the data stored there.
Why is cloud security important?
Cloud security is important because the information your business stores in the cloud is often highly valuable, particularly if it's customer data. AI technologies, targeted ads, prediction models with machine learning, they all require data, large swathes of it, and if your cloud isn't secure your data could be accessed by an unauthorised and potentially malicious third party.
What's more, not having a suitably secured cloud will leave your business in violation of GDPR, which came into force in May 2018. If a company is found to be in violation of this regulation and suffers a breach, it could face a potential fine of up to 20 million euros or 4% of global turnover whichever is higher.
The mere fact that your data is sitting on somebody else's infrastructure is no excuse, either. If you didn't take reasonable steps to secure the information stored on the cloud yourself, you could still be found in breach of GDPR.
In 2017, the US National Security Agency (NSA), part of the country's defence department, had 100GB of sensitive data exposed through poor security practices. An image of a virtual copy of one of its hard drives was left unprotected on a public Amazon S3 server. Anyone who knew the web address where the data was stored could freely access it, causing considerable embarrassment for an organisation that deals in security.
This isn't an isolated incident either, as unsecured S3 buckets are frequently at the centre of significant data breaches. In the same year, at least two million Dow Jones customers had their personal details exposed on the web in the same way.
Worse, this type of breach is also still happening. Security firm UpGuard revealed IT services firm Attunity had left at least 1TB of data belonging to high profile customers such as Netflix and Ford in several unsecured AWS S3 Buckets.
"If the right-hand does not know what the left hand is doing, the entire body will be injured," said UpGuard cyber resilience analyst Dan O'Sullivan. "The Defense Department must have full oversight into how their data is handled by external partners and be able to react quickly should a disaster strike."
None of this is to say you shouldn't use the cloud at all in fact for most businesses some of the larger providers will likely have significantly greater resources for securing data than they could ever reasonably have.
However, as the examples above show, just opting for a well-established service cloud doesn't mean you can just sit back and do nothing. The responsibility to secure cloud environments still rests on the shoulders of the businesses using the platform. To ensure your cloud-hosted data is as safe as possible, there are some best practices you can follow.
Firstly, it's important to establish who can access your resources and from where. Responsibility for this rests squarely with the IT department and it's a good idea to give a couple of team members dedicated responsibility for this task.
Blanket policies for access are also a bad idea. Security parameters should be set by role, so only those who need to can make changes to a data record (such as a database) and who only has viewing permissions -- and who has no access rights at all.
Secondly, while cloud computing enables access from virtually anywhere, it doesn't mean that should be the case. Measures should be taken to ensure only certain information can be accessed if the user is connecting via public Wi-Fi, for example, and it's also a good idea to restrict access for unrecognised or unsanctioned devices.
It's also important to decide what is most valuable to your organisation. It's not wise to protect everything with the same controls as it won't be an effective use of your resources. Instead, it's advisable to focus greater security on the data that really matters.
Finally, do remember to ensure the data you store in the cloud isn't accessible via the open internet for anyone and everyone to see -- your cloud provider will have information on how to do this if it isn't a default setting.