You hear the term “cloud” everywhere. Everyone has a cloud or uses a cloud or uploads to the cloud. What is cloud computing and can your cloud be hacked?
The National Institute of Standards and Technology (NIST) defines cloud computing:
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” (NIST).
The benefits here may be evident to a small-to-medium-sized business with a small IT team or none. A cloud can potentially save you money, time, and maintenance by reducing the cost of running applications and computing services locally, i.e., on your organization’s computers.
For instance, cloud apps can be delivered by subscription over the internet (itself sometimes called “the cloud”). This subscription model is called software-as-a-service (SaaS).
Microsoft 365 is a cloud-based subscription service that serves the applications formerly named Microsoft Office and their associated services.
Microsoft Azure is a collection of cloud services for access, management, analytics, virtual computing, storage, networking, and software development.
With these services, your organization can access collaboration software and workflows, business and personal applications, servers, IT management devices, software development, and data over the internet.
Updates to your services and apps are seamless, and your cloud provider worries about security.
Well, some of it.
What Are The Types Of Cloud Services?
Before I discuss cloud security, I must first explain the different types of cloud computing. The following are the most common types of cloud services:
Public cloud
When used in daily conversation, cloud generally refers to services provided remotely over the internet.
Private cloud
Services created and maintained on a private, in-house network. The most secure model, this is also more expensive because of hardware, energy, and maintenance costs.
Hybrid cloud
A combination of public and private clouds, with some in-house services and some outsourced.
Community cloud
Open only to organizations with common concerns, a community cloud can include organizations subject to the same regulations, such as HIPAA.
And for comprehensiveness (but not discussed here), cloud storage provides remote file storage, and webmail, such as Gmail, provides email in the cloud (Cengage).
What are a cloud’s benefits?
Moving the hosting for your applications, services, and data to a cloud is a significant technological and administrative step. It’s also a potentially more expensive one, but the possible benefits are myriad:
1. Your services and apps are flexible and scalable, delivered anywhere, to any device.
Flexible means you pay for only the hosted services you need, which can be scaled up or down depending on what you and your users use. Scaling up can be effortless and rapid, and you have fewer IT and administrative worries. You never fear adding users (employees) or new applications when you have flexible services.
2. The performance and availability of your apps and services are improved.
The computing power necessary for running your apps and services is outsourced to the (public or hybrid cloud) provider. There are fewer worries and delays with slow or unavailable apps and services.
3. Sharing files in your office through a cloud service makes your workflows smoother.
Teams can alter and share files, and data is less likely to be destroyed or lost. Backups can be automatic or run as needed.
4. Your cost and maintenance for hardware and software are removed.
Cloud services can cut administrative and energy costs through decreased infrastructure.
5. Your business continuity is enabled in the event of a disaster or breach.
The backup and restoration of affected computer systems after a cyberattack or disaster are efficient. Public cloud hosting that is independent of what happens on your organization’s premises preserves your services.
6. Your organization can benefit from the cloud provider’s compliance protocols.
Suppose your cloud is a community cloud shared with other organizations regulated by the same standards. In that case, you can benefit from shared compliance protocols (for instance, two healthcare organizations can benefit from the same cloud service using HIPAA compliance standards).
7. Techie Stuff: Your organization’s application development in the cloud provides a competitive advantage.
A cloud can enable your software development teams to use quick deployment. As noted, Microsoft Azure has tools used for software development.
Did I forget, 8. Your organization is more secure?
Well, yes and no.
What Are The Security Benefits Of Cloud Services?
1. Data security is outsourced to the provider.
One benefit of cloud services is that while data stored on a home computer connected to the internet is less secure, your files in the cloud can be encrypted.
2. Physical security is a perennial benefit in IT.
Cloud servers in secure warehouses, co-location facilities, or locked server closets benefit all areas of computing. Most workers and the public will not have physical access to cloud servers.
3. Specific cloud services provide additional security benefits.
– Identity as a service (IDaaS)
One example of a cloud-based service is IDaaS, which can give you security in the form of authentication (you are who you say you are) and authorization (you are approved to access certain services).
IDaaS handles your identity life-cycle management, including processes to create, provision, and manage identities for systems and services. IDaaS can also monitor and manage your privileged accounts.
IDaaS provides a more secure, more easily managed service with automated monitoring and reporting that can identify security issues faster (Sybex).
– Federated Identities (Single Sign-on)
Your user identities can also be “federated,” or linked (with their related attributes) between multiple cloud-based identity management services. Signing into one service allows authentication sharing between its partners’ websites and services. Microsoft Azure supplies single sign-on.
Such a service gives you two strengths: you only have to remember one username and password for a site and its third-party partner sites, and you have centralized control over authentication (Sybex).
– Distributed Denial Of Service (DDoS) Mitigation
Another cloud-based service that can benefit your security is a DDoS mitigation service. DDoS is a cyber attack that involves flooding an internet-connected computer service with many requests for its services so that the service crashes (freezes and can no longer respond to requests).
A DDoS mitigation service stands between your protected systems and the public internet and allows the analysis of your internet traffic.
The system gathers data to provide a view of the traffic to your network or service and then, based on signatures or behavior analysis, redirects or drops bad traffic, effectively stopping the attack (Sybex).
– Cloud Access Security Broker (CASB)
A CASB is a set of tools and services that can exist between your organization’s on-premises infrastructure and the outsourced cloud provider’s infrastructure. A CASB ensures that your organization’s security policies extend to the data hosted in the cloud you pay for.
For example, data loss prevention (DLP) software can ensure the cloud provider applies the same file encryption and protections your in-house networks do (Cengage).
What Are The Potential Security Weaknesses Of Cloud Services?
Your cloud hosting services have potential attack vectors (approaches used or vulnerabilities exploited in a cyber attack). Despite its possible high confidentiality, integrity, and availability (CIA) of data, the cloud is not vulnerability-free.
Some of the security weaknesses of cloud-based services include the following:
1. A user-provisioned cloud management interface can expose your cloud service to a cyber attack or user error.
While it provides benefits like an easy-to-use interface, a management system your cloud provider gives you can also be a weakness, because its centralized control and power are available to a potentially malicious user and are exposed to employee error.
2. Deliberate attacks or human error can cause cloud outages.
Data loss, leaks, or malware due to attackers or insiders can take your cloud services offline.
3. Previously unknown attacks against cloud infrastructure have the potential to give attackers root (complete system control) access.
“Zero-day exploits” are types of attack that are unknown until they take place and can potentially bring down your systems, no matter how protected.
4. Somebody may attack your internet connection despite your strong cloud security.
Attackers can still attack your internet communication through (for example) DDoS or “man-in-the-middle” attacks.
5. Hackers can access your cloud data and login credentials left in memory.
Savvy hackers can access another user’s data and successful authentication on your cloud-based service.
6. Malicious or insider users can break encryption.
Computing power is increasing, and malicious users, your employees, or cloud provider employees can crack encryption and access your data.
7. Shared credentials in single sign-on can be a weakness if not properly secured.
One weakness of single sign-on is the possible compromise of that one username and password, giving access to all associated systems.
8. User error is always a vulnerability.
Poorly trained users can cause breaches of intellectual property, PII, and organizational compliance. Privacy and legal violations by your users can result in fines and loss of reputation for your organization.
Social engineering can result in cloud compromise, despite having strong security.
Some security problems can be self-inflicted:
9. Misconfiguration of your services, such as authentication, can create vulnerabilities.
10. Risks of bring-your-own-device (BYOD/user-supplied) or choose-your-own-device (CYOD/provisioned) devices can complicate your cloud setup.
Why Is Cloud Security Important?
Cloud backup has gone mainstream, and most cloud backup is easy to use. Apple is one of the companies adding end-to-end encryption to its user backups (iCloud).
As mentioned, the benefits of that type of service are access from anywhere, with any device, and secure storage. Those are two of the same benefits that your cloud services would have.
Cloud apps are becoming more seamless. Cloud-based federated services centrally authenticate users. With the move to remote work during the global pandemic, the need for privacy and security is now at the top of the agenda at for-profit and not-for-profit organizations.
Who is Responsible for Cloud Security at Your Business?
While cloud services used by your organization may have technical support, you should also have an administrative contact who communicates regularly with the cloud provider.
You should appoint an educated in-house IT technician or cybersecurity analyst, or your provider may supply one. Either of these individuals will provide security training to your organization’s users.
What Should You Consider When Purchasing Cloud Computing Services?
If you wish to purchase cloud services, you should first ask:
1. What are the security practices and policies of the cloud provider and federated, third-party providers?
2. What kind of encryption and method of connection to your cloud provider will be provided?
3. Will you centralize your user authentication and authorization cloud services over a public cloud, an in-house private cloud, or a hybrid cloud?
4. What level of user validation and privacy does a federated cloud service require and provide to relevant, relying third parties?
5. Will the services provided include significant CIA protections of user data and other services?
6. Will your user data be stored locally, in the cloud, or a combination of the two?
7. What kind of information will the provider and federated, third-party providers supply in the case of a security incident?
These service considerations can affect the security of your cloud.
Conclusion: You Need Cloud Hosting That Fits Your Organization’s Needs And Is Secure
Protecting digitized intellectual property, data, apps, services, and infrastructure only works if you have correctly implemented practices, procedures, and guidelines (Wikipedia), including user education.
When choosing an expert service provider, you should consider how well their services achieve the goals of cloud security:
1. Only authorized users should be given access to resources.
2. Establishing and maintaining the CIA of data is a primary goal of cloud security. Data in use, at rest, and in transit must be protected.
3. Cloud subscribers (organizations and users) should have their services and data isolated from other subscribers using the same services.
(Cengage)
Clouds can be powerful, flexible, and secure services if you perform installation and maintenance with the proper precautions. Organizational requirements, risk management, and cost figure into your security (Cengage).
You need an expert service provider who can advise and guide you to a secure and successful cloud configuration.
***
Tech Kahunas is a San Diego Managed IT Services provider which provides IT support and services like 24/7 monitoring, data backup and restore, and malware protection.