Mick Jagger was not the father of cloud security. However, the title of his song does neatly summarize the mission of every Data Protection Officer who watches over IT systems running on cloud platforms such as Amazon Web Services.
Cloud usage grows with the pandemic
Since the start of the global pandemic, the use of cloud systems in the business world has expanded at a phenomenal rate. In a recent article, the security firm McAfee reported that cloud services had grown by 77%. McAfee aggregated cloud usage data from more than 30 million users in the first quarter of 2020.
They go on to say that the enterprise use of cloud had increased by 50%, with the largest gains being in manufacturing and financial services.
The increase in usage of cloud-based collaboration services was little short of explosive, with WebEx usage increasing by 600%, Zoom by 350%, Microsoft Teams by 300% and Slack by 200%.
Benefits of the cloud
The reasons why cloud computing has proved so popular are well known.
It is just as easy for employees to connect from home as from the office.
Maintenance of a suite of applications is easier since all applications are centralized in the cloud itself.
Cloud applications can be configured to expand and contract with changes in demand, which saves on the rigid cost structure imposed by on-premises solutions.
Cloud native development of new functionality can be achieved much faster using microservices architecture running in containers and orchestrated by serverless solutions such as Amazon Web Services Step Functions.
Cloud also allows small and medium-sized businesses to gain access to enterprise computing power through Software as a Service (SaaS) applications. A small to medium-sized company might use a business intelligence tool as a service to conduct heavy-duty data processing for only the cost of the number of seconds that they were running the system. The cost of doing this on premises, including buying and operating hardware in a data centre and the employment of additional expensive IT staff, would prove prohibitive for the company.
On premises – the case for staying
There are, however, many institutions, especially in the banking sector worldwide, that still refuse to move their IT systems over to the cloud.
Data localization laws inhibit the growth of international cloud solutions, since such laws prohibit or at least restrict the export of data out of the country or region’s jurisdiction.
The most well-known of these restrictions is the General Data Protection Regulation (GDPR), which only allows an organization to move personally identifying information outside the European Union if the hosts fulfil strict conditions.
In addition, many organizations find their drive to adopt cloud is blocked by their own industry compliance regulations. In Poland, for example, the banking sector has not adopted cloud computing at all because the Polish banking regulations effectively forbid it.
These restrictions are usually related to fears about security. Many businesses are not comfortable with the idea that their customers’ data, which they are legally responsible for, is being stored on a platform like Amazon Web Services at a location which does not belong to them and is outside their direct control.
Cloud security – who’s responsible for what
The distribution of responsibility for information security between the user and the cloud provider depends on the relationship between the two parties.
If we take Infrastructure as a Service (IaaS), the cloud provider is only responsible for the physical hardware, the infrastructure that connects it to the outside world and the hypervisors that run the virtual machines the systems run on.
The user organization is responsible for everything else, including user access, data, applications, the operating system and network traffic.
At the other end of the spectrum is Software as a Service (SaaS). Cloud communication solutions WebEx and Zoom are examples of this. The cloud provider takes responsibility for the physical servers, the infrastructure and hypervisors that support them, the network traffic, the applications themselves and the operating system they run on. The user organization will only take responsibility for user access and the data itself.
What makes the cloud a secure place to be?
Technology: The size of the cloud means that user companies will gain the benefit of enterprise scale security technology, even if they are not enterprise scale organizations themselves. This technology includes the following:
Encryption: Cloud data can be encrypted both at rest (in storage) and in transit (coming into and out of the cloud from a user’s device, or moving between clouds). For transit between the cloud and the user, in either direction, this is normally achieved using SSL/TLS encryption.
Identity and access management (IAM): This is the technology that tracks who is logging into and out of the system and what they are doing when they are logged in.
This is extremely important for cloud computing, since the identity and access privileges of a user determine what data he can access. IAM may provide:
- Systems to authenticate user identity using multi-factor authentication
- Single Sign On to allow the right user to access all the designated applications with one login.
Firewalls: These work in the same way as they do on premises, except that they protect the whole cloud from malicious web traffic.
This technology is used by cloud providers to protect their own assets and their customers’ data and applications. Small and medium sized businesses can benefit from the fact that cloud providers have enterprise scale IT security budgets. Amazon Web Services state that they are the only commercial cloud provider that has been vetted and accepted as secure enough for “Top Secret” workloads by the US Government.
Beyond Technology
As well as the enterprise level technology, cloud providers also offer the following:
Expert staff: Cloud providers have the budget to pay for the most highly trained and highly qualified staff to work in their data security teams.
International standards: Cloud providers have the budget to ensure that they are compliant with all the major security standards including GDPR, PCI-DSS and HIPAA-HITECH.
Strategic approach: The scale of the cloud allows their IT staff to take a more strategic approach to security including:
Prevention: The cloud provider can work with their organizational users to define and authenticate individual users according to their roles, access rights and identification details.
Detect: The cloud provider uses monitoring and logging processes to track user activities and will automatically block users where necessary or raise a near real time alarm.
Respond: The larger cloud providers can use AI to automate responses to and recovery from incidents.
Remediate: These automated responses can be configured to work automatically based on specific events, securing the environment in near real time.
Liability: There is one further protection which is not always mentioned in the technical literature. A data breach in the European Union in an on-premises installation could result in a fine equivalent to 4% of the company’s total revenues. This liability will fall on the company which owns the network and will be irrecoverable.
For an organization using a cloud-based technology platform, some of the responsibility for the data breach would fall on the cloud provider. The organization may be able to take legal action against the cloud provider and recover some of the fine in the form of legal compensation.
Summary and conclusion
Organizations on the cloud benefit from enterprise scale technology while only paying for the time that they use. This is a lot less than the total cost of ownership incurred by organizations who prefer an on-premises solution.
Similar benefits accrue for cloud security, where users gain the benefit of enterprise level technology and expertise, while avoiding the total cost of ownership and also being able to outsource some of the risks along with the responsibilities for data security.
OMNINGAGE develops software solutions for Amazon Connect (Cloud Contact Centre).
We offer a most modern and data-driven cloud-based Agent Desktop for Amazon Connect. The platform is called OMNINGAGE Connect. It is also available on Amazon Marketplace.
What sets our products apart from the rest is our focus on “agent/user experience” which helps businesses to promote agent engagement, reduce agent fatigue and boost productivity and customer experience. The other key business outcomes are:
• Average Handle Time Reduction
• Increased First Call Resolution (FCR)
• Higher Customer Satisfaction
• Reduction in Agent Attrition
The platform is available globally on AWS and integrates with a variety of CRM and back-end applications to offer a single-window operation to users.