The risks and mitigating them when moving to the cloud

By Shiv Dhillon, Chief Technical Officer and Russell Cozens, Technical Director of Tollring

Picture

Insecurity regarding the cloud starts with the process of making business decisions. In today’s world of analytics and business intelligence, fear plays a crucial role when making business decisions and it is this fear that drives insecurity.  One of the main ones is the fear of data being stolen – storage is a key cloud product and insecurity around data being stolen is quite genuine.

To be competitive, enterprises are striving to generate “Big Data” analysis. These enterprises spend large amounts of money and resources to congregate this data. It plays a vital role in business strategy and its overall operation. For these enterprises to have this stored outside their control (in the cloud) is unnerving.  And each time a major security story like the recent leak of nude celebrity photos occurs, these fears become a reality.

The fundamental issue here is, everything can be hacked and there is no such thing as 100% secure. Some of the biggest organisations in the world have been victims such as Microsoft Windows, Google’s Android, Apple’s IOS and even NASA.

Another factor is the marketing from cloud operators. They often focus on how the cloud can help businesses gain a competitive edge, save money, and turn profits through a wide variety of ways. There has been extremely little empirical research on comparing security issues of locally stored data with cloud storage. Security breaches in the cloud make headlines whereas local breaches go unnoticed.

The irony is that business vulnerability is often down to deficiencies in security mechanisms put in place for protection such as passwords and firewalls. Keeping systems up to date is critical but involves significant resource.  Here it is worth noting that specialist cloud providers employ teams of people who are dedicated to security.

Are these fears real?
Just recently, one of the major UK banks had data stolen by one of its employees who sold it to a law firm specialising in PPI claims. This is far more serious than a celebrity photo being stolen although it received little news coverage. And if we read through surveys where people are asked if they feel the cloud is secure, most of these poll results say over 80% feel the cloud is not secure.  The issue here is that the trend in the market does not stack up against this voting pattern. The real question that businesses need to ask isn’t ‘Is cloud storage secure?’ but ‘how secure is the cloud when compared to local storage?’

Some of the other fears are: fear of protecting yourself, fear of losing control and fear of the unknown. Although these fears have a lesser impact, they are quite genuine fears. The cloud is still new and there has been little focus on its governance. Just recently, the news featured a crying mother who found out that her deceased daughter’s photos on Facebook couldn’t be passed on to her. If these were locally stored photos on her daughter’s PC they would certainly belong to her mother, so why is the cloud different?

Governance and maturity of the cloud goes hand in hand and currently we are far away from even their initial destination.

Fear and risk taking varies across industries
Industry sectors vary in their adoption of cloud technologies. Certain companies and industries (the nuclear power industry and aerospace) need to be very risk-averse whereas other organisations and industrial sectors (innovation and design) can be risk tolerant and actually thrive by making risky decisions.

The attitudes to risk are built into an organisation’s DNA.  For example, the financial industry is tightly regulated and faces strong penalties for non-compliance.  In contrast, the retail industry can be more relaxed since it doesn’t have a regulatory body.  A recent research by Ponemon Institute found the majority of retail industry not complying with PCI DSS 3.0 (compliance for card payments), whereas the financial industry was forced to do this. As a result we see a more extensive adoption of cloud in retail than in the financial industry.

The reasons are based on the sensitivity of data rather than industry-specific. Finance and retail are two industries with the most sensitive of data yet are two of the most advanced in terms of cloud services with internet banking and shopping.

As familiarity grows and cloud applications become commonplace fear diminishes. For example, Office365 is becoming more and more familiar, yet it is a cloud application. Even so, consumers must be continually reassured of ongoing security measures to combat security breaches and fraud.

Top tips for mitigating risk

  • Select the right cloud vendor: Different cloud operators offer different layers of security and availability. Check the detail of their offering, for example, is 99.9% uptime over a month good enough?  Be wary of companies that host your server in their office, connected via the internet. 
  • Have a long term strategy: The cloud is not going anywhere so plan how and when to adopt it. Often the decision to move to the cloud is rushed e.g. a service requires a major upgrade and will cost money. A well-defined plan is important; not with the sole aim of reducing costs but instead the goal of improving the organisation.  The cloud offers pay as you use pricing and on-demand computing – it can enable a small business to challenge the biggest player in the market by going global in minutes. 
  • Consider the maturity of the cloud in your industry: Becoming an early adopter can be risky. Reduce risk by waiting for your industry to mature when it comes to cloud solutions.

AS PUBLISHED IN CLOUD SECURITY INTERNATIONAL