More and more companies are popping up that require their consumers to insert sensitive information into a cloud for safe keeping, but is the cloud actually safe? This article addresses that question and gives consumers some insight into steps they can take, and what to look for, to help ensure that their information is safe.
How Safe is the Cloud for Business Data?
If the concept of cloud computing is new, please take a few minutes to check out my last blog, Climbing to the Top: Understanding Major Cloud Service Providers. It provides an overview of cloud computing along with some other helpful information. Okay, now back to cloud safety.
In general, the cloud is just as safe as a physical environment such as a standard data center, as long as the proper controls are in place to safeguard information. The cloud works by using what is called multi-tenancy. In cloud terms, this means that resources are shared by consumers as part of the software service. This usually includes the infrastructure where the software is stacked. As a result, the safety of the data is highly dependent on the controls and infrastructure in place.
What are Risks That Should be Assessed When Considering Using the Cloud?
A great resource to use when conducting cloud computing risk assessments can be found on the OWASP website. OWASP is a not-for-profit charitable organization. As stated by OWASP, they are “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” A list of security risks, pulled from the OWASP website, is below. Some context around each risk has been added for illustration.
- Inadequate Logical Security Controls: Because physical resources are shared among users, strong logical controls separating client environments are required so that clients in other environments cannot access each other’s data.
- Malicious or Ignorant Tenants: Weak logical access between environments can lead to clients exploiting that weakness and accessing sensitive information.
- Shared Services can become a single point of failure: The use of shared services can cause an outage or disruption in service if not constructed to incorporate secondary network security devices such as firewalls or switches. Other clients can exploit these vulnerabilities, which in turn can disrupt services.
- Uncoordinated Change Controls and Misconfigurations: Changes to the infrastructure or system can cause issues or a disruption of service if not tested.
- Co-mingled Tenant Data: Different clients’ data can be mingled within databases to save money. The risk of data being seen by other clients becomes extremely high in these instances.
- Performance Risks: Because resources are shared, performance can be affected due to another client’s increased or spiked use of the service.
- Specific Risks to:
  - SaaS: The entire stack is a shared resource for SaaS applications. The risk of data being co-mingled within the database can be high if special attention is not paid to the logical controls which separate each client’s environment.
  - PaaS: When using a PaaS, operations and patch management are shared among users. This includes vulnerabilities which can be exploited across all clients.
  - IaaS: Risks similar to those of PaaS are found with IaaS. Configurations that are not secure can affect the entire infrastructure, since the provider has no responsibility.
How is Data Kept Safe in the Cloud?
To address the risks identified above, there are a number of controls that should be implemented by the cloud provider to keep data within the cloud safe. A list of controls and added context is below.
- Architecting for Multi-tenancy: The infrastructure of the cloud should be built to support multiple clients. Controls should support logical isolation between client environments and redundancy in the network security and architecture to avoid a single point of failure.
- Data Encryption: Data at rest and in transit, especially sensitive data, should be encrypted in its own database or backup storage. Additionally, client-owned key management to encrypt or decrypt information is the most secure. This is because it removes the service provider’s ability to access its clients’ data.
- Data Transmission: Service providers should be using current protocols to transport data between the cloud and the client.
- Consistent Change Management: System or infrastructure changes can have a major impact on clients if the process is not formalized or implemented consistently. A controlled process allows the service provider to plan changes and notify their clients as needed.
- Administrative Access Rights: Clients should have the ability to view administrative rights into the resources they are using so they can track any changes within the entire stack (OS, network, application, database). While it is fine to have service providers working in an administrative capacity, transparency is necessary in tracking those changes in case there are any issues.
- Third Party Assessments: Third-party assessments, such as a SOC report or other type of compliance report, can be completed to get an independent opinion on the security of the system.
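The co-mingled tenant data risk and the logical-isolation control described above, as an added example that is not from the original article or from OWASP: one shared SQLite table is queried with and without a tenant filter, and an isolation test reports every row handed to a tenant that does not own it. The table layout, tenant names and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data: two tenants' invoices co-mingled in one shared table.
ROWS = [
    ("acme", "INV-1001", 120.00),
    ("acme", "INV-1002", 75.50),
    ("globex", "INV-2001", 990.00),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT NOT NULL, invoice_no TEXT, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", ROWS)
    return db

def lookup_unscoped(db, caller_tenant, invoice_no):
    # Weak: caller_tenant is ignored, so the invoice number alone selects the row.
    sql = "SELECT tenant_id, invoice_no, amount FROM invoices WHERE invoice_no = ?"
    return db.execute(sql, (invoice_no,)).fetchall()

def lookup_scoped(db, caller_tenant, invoice_no):
    # Hardened: the tenant id from the authenticated session is part of every
    # predicate and is bound as a parameter, never taken from the request body.
    sql = ("SELECT tenant_id, invoice_no, amount FROM invoices "
           "WHERE tenant_id = ? AND invoice_no = ?")
    return db.execute(sql, (caller_tenant, invoice_no)).fetchall()

def cross_tenant_leaks(db, lookup):
    """Isolation test: each tenant requests every invoice; report rows it does not own."""
    tenants = sorted({t for t, _, _ in ROWS})
    leaks = []
    for caller in tenants:
        for owner, invoice_no, _ in ROWS:
            for row in lookup(db, caller, invoice_no):
                if row[0] != caller:
                    leaks.append((caller, invoice_no, owner))
    return leaks

if __name__ == "__main__":
    db = make_db()
    print("unscoped leaks:", cross_tenant_leaks(db, lookup_unscoped))
    print("scoped leaks:  ", cross_tenant_leaks(db, lookup_scoped))
```

The same test shape can be run against a provider's API with two test accounts the customer owns, which turns the "logical isolation" claim into something that can be checked rather than only asked about.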
What Can I do to Keep my Data Safe in the Cloud?
Now that we have discussed the risks of cloud security and the controls that should be in place to remediate those risks, we can discuss the steps consumers can take to help ensure their data is safe within the cloud.
- Vendor Check: Always perform due diligence into the vendors being considered. For example, performing a Google search to see if any reviews pop up can provide insight into their ability to provide a reliable service. Furthermore, always ask for and follow up on customer references.
- Sharing Computing Services: Understand what resources will be shared through inquiry and ensure agreements reflect what services should not be shared.
- Data Encryption: If data that is going into the cloud is considered sensitive, make inquiries into the process to ensure that it is encrypted in transit and at rest. This includes understanding the key management process so that it is understood who has access to the data.
- Password Management: All users that can access the information within the cloud should be required to use passwords that are complex and long enough to combat password guessing or, if available, multi-factor authentication should be enabled.
- Disaster Recovery and Incident Management: Inquire into a company’s DR and incident management process. If issues come up, knowing that a service provider has a plan to cutover to another site or restore a backup will help provide comfort that data will be preserved. A notification protocol should also be a part of that process so that clients are aware of any major issues.
- Compliance Reporting: There are a number of different frameworks and protocols used by companies to incorporate security. A few examples include System and Organization Control (SOC) audits, HIPAA, HITRUST, ISO 27001 and the list goes on. These reports provide a lot of information about security and can be extremely helpful in determining which cloud service provider will be a good fit in terms of data security.
While risks around data security certainly exist, gaining knowledge of the processes used and the controls cloud service providers have implemented to remediate those risks can create an environment that is safe for all data. With that being said, the more sensitive the data, the more controls around security should be implemented. Overall, a cloud with controls around logical segregation, encryption, secure data transmission protocols, and password management creates an environment where data is safe.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.