Beware of Public Cloud Threats, Experts Warn
“The public cloud is a veritable data war zone,” writes Sophos, a tech security firm, in their latest cloud security report.
For years, the debate on public vs. private cloud has rivaled that of politics, with fierce advocates on both sides. Security experts, however, consistently fall in the pro-private camp.
Let’s dig into why, keeping in mind that behind every data breach there’s someone saying “I thought we were secure.”
First, some definitions:
A public cloud is one that’s available to the public, typically in a free or pay-per-use capacity, and accessible via the web. Examples are Gmail, Office 365, Dropbox, Facebook and Uber.
A private cloud is the same kind of service, but sits behind your firewall and is limited to your internal customers or departments in your organization. You either own it or it runs in your data center.
In a piece for Wired magazine, IBM’s Jeff Borek explained their respective strengths like this:
“The pro-public crowd has long argued that the ability to consume IT and related services on a pay-per-use model, the speed of access to resources, and the flexibility to add and drop capacity make their approach the only way to go.
The pro-private camp is quick to remind clients that enabling private cloud capabilities—either on-site or in a private hosted environment—provides the highest levels of management visibility, control, security, privacy, and physical data proximity. The peace of mind of knowing exactly where your key business and client data resides at all times.”
Next, let’s recap what’s at stake and what you’re up against:
You already know this, but it bears repeating because common knowledge isn’t common practice:
Cyberattacks are on the rise, up 45% in the public cloud last year, writes Sophos. And that’s not even counting mistakes or misuse by your own employees (whether intentional or accidental) that open doors to threats.
A single data breach—whether that data is stolen, leaked or corrupted—can result in irreversible damage for an organization, including a damaged reputation, loss of business, costly corrective action and sky-high fines from regulatory bodies. Definitely not something you ever want to deal with.
Earlier this year, the Cloud Security Alliance listed the “Treacherous 12” of top cloud threats organizations face in 2016, as reported by Infoworld:
- Data breaches
- Compromised credentials and broken authentication
- Hacked interfaces and APIs
- Exploited system vulnerabilities
- Account hijacking
- Malicious insiders
- The APT parasite
- Permanent data loss
- Inadequate diligence
- Cloud service abuses
- DoS attacks
- Shared technology, shared dangers
(You can read explanations for each of those items here.)
Those are serious issues well worth your time and investment in adequate data security.
Comparing public/private cloud features:
In a piece comparing and contrasting private vs public clouds, ZDNet published a long list of pros and cons.
We’ve organized them in a handy table below:
| | Public Cloud | Private Cloud |
|---|---|---|
| Pros | Your data lives behind an enterprise-class firewall. | You control the physical servers and access to the servers. |
| | Your data lives in a secure facility, often with multiple degrees of physical security. | Your information lives behind your firewall (you can also add firewall protection when co-locating servers somewhere else). |
| | Thieves intent on stealing your data may not know where it lives. | You don’t have to enable Internet access to your data and can isolate your data infrastructure. |
| | Your gear is not at risk from disgruntled employees. | You design the architecture to your needs and preferences. |
| | You are not alone when defending against attacks. | You know who is granted access. |
| | You are protected from hardware failures. | Clarity of ownership. |
| | You are protected from sudden surges in demand. | No risk if cloud provider shuts down. |
| Cons | Access can be granted from anywhere. | Your employees have physical access. |
| | Your data must travel “in the wild” over the open Internet to your cloud provider. | You may be subject to the whims of nature, your ISP or local power grid. |
| | Your vendor might grant physical site access to other tenants. | Your security is your responsibility. |
| | You may be subject to jurisdictional issues, especially when dealing with international issues. | |
| | You’re dependent on the responsiveness, whims or quality of the vendor. | |
| | Little established case law. | |
A third option that may be ideal for many organizations is a hybrid cloud approach, mixing and matching the best elements of private and public clouds.
Choosing your ideal cloud solution
Sophos advises you start by understanding your data, and whether it’s appropriate for the public cloud.
“Intellectual property, personally identifiable information (PII), credit card info, banking info, or medical records are all examples of data that need high-level security to meet compliance standards,” they caution.
Once you understand your data and examine its compliance requirements, you’ll be better equipped to discern how to safeguard it. (Don’t forget to align internal policies with how you want it handled and accessed, by the way.)
ZDNet also advises you investigate how secure your vendor is:
“Is this a new, venture-funded startup that’s one bad quarter away from closing doors? Or is this a company with deep resources that will clearly be around for the long haul? Does the company store your data across multiple datacenters, in multiple locations, and what sort of backup and recovery strategy do they offer?”
Taking the time to weigh your options and seek guidance from reputable providers can very well prevent your organization from hitting the headlines as the next data breach target. Don’t let that happen under your watch.