By Richard Ray, Information Technology Advisory Services Consulting Executive
The number one source of security data breaches is cyber-attacks on web applications in the “cloud,” and in the past three years those attacks have increased over 300%. Cloud applications are the highest source of security failures, and Gartner Group states that cloud computing systems will grow 36.8% in 2017.
Just as a project can experience “Scope Creep” where requirements increase without formal procedures to capture the costs, work effort, or risks associated with those new requirements, so also the addition of new cloud services without proper due diligence and oversight becomes “Cloud Creep,” increasingly exposing organizations to potentially costly data breaches. Cloud usage without proper vetting and due diligence, monitoring and controls, can expose an organization to many risks.
In part one of this two-part series, we will address a dozen risks to consider before moving to cloud computing. In part two we will take a deeper look at how to address these risks and threats.
12 Risks to Consider Before Moving to Cloud Computing
- Beware of Shadow IT in the cloud
Many companies are discovering that internal departments are going to the cloud without appropriate review or approval. A simple purchase card transaction will contractually bind the organization to an external cloud provider and all its associated risks. This shadow IT, or “cloud creep”, can happen so fast that it can become an out-of-control problem.
- Loss of control
Have you ever hydroplaned on a wet road? That’s how it feels when you experience public cloud deployments where you are giving up much of your control over security defenses. Distributed computing into the cloud requires an active approach to managing security in the cloud. Cloud service providers can modify the application, systems environment, location of backups, and even security controls, and then, like a car spinning off a wet road, the consequences to the organization can become out of control.
- Unauthorized access of data
Many cloud software providers have unique login requirements, password rules, password reset rules, and user id requirements. Some are robust and effective, while others may have weak login requirements that can easily open the door to hackers who will pilfer your data and money.
- Sharing isn’t always good
When it comes to “public cloud computing,” everyone is on the same ship, and if the ship sinks, everyone on board is affected. If the server fails, all the users lose access. If one of your cloud neighbors is hacked, it could open access to other resources on the server, including your data.
- Invalidating your Certifications
Confidential customer data residing on a cloud platform’s storage requires special handling. For example, if an organization is PCI compliant but the cloud provider is not, the organization’s certifications could be made invalid.
- Vulnerable Data and Weak Application Security
The cloud provider’s proprietary applications are a black box; there is little or no information on how secure they really are. Loss of data or the exposure of sensitive data to unauthorized parties is always of major concern, but in the cloud it is often overlooked and can become a major risk.
- Browser vulnerabilities
Web browsers are a common target for malware attacks, and using a cloud provider’s application with an infected browser can compromise data in many ways.
- Cloud provider’s Exit Doors Chained Closed
If you want to leave a cloud vendor, you may discover it’s like an exit door in a building that is closed but has a chain and lock wrapped around the handles, and in case of fire you are in trouble. If at some point you need to move to another cloud provider, can you leave with your data, and how much will it cost you? What are the risks? How fast can you leave?
- Silent Security Breaches
Security breaches should require reporting by the cloud provider, but do you know if they are, in fact, communicating security threats or breaches? For example, if you deal with confidential and sensitive customer information and there is a breach by your cloud provider, the notification rules may be clear, but will your cloud provider follow those rules? Your organization is responsible for the notification: it’s your data, and it’s your customers who need to be notified.
- Cloud Service Failures
Cloud services fail from time to time. Whether it’s a hardware or network failure, application crash, or denial-of-service virus attack, you would be out of service for that application. Standard off-the-shelf terms and conditions from cloud providers do not commonly include Service Level Agreements for performance and availability.
- Bankruptcies and buy-outs
Cloud providers can go bankrupt and fail, and they often sell off their businesses. When those things happen it can affect quality of support levels, frequency of security fixes, or potentially shut down the cloud services. What happens to your data then? Can you retrieve it in the event of a total failure and shutdown?
- Malicious Employees
Fraudulent behavior in America has increased dramatically, and it is estimated that 70-80% of business theft is from employees. The cloud opens more avenues and complexities in securing sensitive data and systems. Malicious behavior by an employee with inappropriate security access to a cloud system can present the largest risk on this list to an organization.
In Part Two of this article we will address some specific steps you can follow to evaluate, manage, and mitigate these cloud security risks.