Best practices being used across enterprises and within industries will help lawmakers improve cloud security by holding everyone accountable
The adoption of cloud computing has been on the up since as far back as 2008, when a survey conducted by the Pew Research Institute found that cloud services were used by nearly 69% of Americans. Since then, the industry has experienced hyper-growth and exceeded the already vast predictions of how big it would become.IDC predicts that the cloud computing market in 2017 will be worth $107 billion and, according to Gartner, by 2020 a corporate ‘no-cloud’ policy will be as unusual as a ‘no-internet’ policy would be today. Indeed, it would be difficult to imagine an organisation in 2017 that did not use webmail, file sharing and storage, and data backup.As the use of cloud computing spreads so does awareness of the associated risks. At the time of writing, there have been 456 data breaches worldwide this year according to the Identity Theft Resource Center (ITRC). The ITRC also noted a 40% increase in data breaches in 2016 compared to the previous year. Yet, despite the well-documented cases of data breaches, organisations continue to invest in and adopt cloud computing services because the benefits usually outweigh the risks.To understand why the growth of cloud computing has continued in the face of high-profile data breaches, look first to what it can offer an organisation.
Cheaper, bigger, betterCloud computing is a virtual environment that can adapt to meet user needs. It is not constrained by physical limits, and is easily scalable – making it an obvious choice for start-ups. Cloud computing makes state-of-the-art capability available to anyone with an internet connection and a browser, reducing hardware and IT personnel costs.Cloud services and software applications are managed and upgraded off-site by the provider, meaning organisations can access technology they would not have been able to afford to install and manage on their own. The popularity of the cloud essentially comes down to its provision of advanced, next-generation IT resources in an environment that is cheaper and more scalable than local networks.The risks involved with cloud computing are mostly security-based. Clouds are often made up of multiple entities, which means that no configuration can be more secure than its weakest link. The link between separate entities means that attacks to multiple sites can occur simultaneously. When cloud providers do not employ adequate cyber security measures, those clouds become a target for cybercriminals.Yet, it’s not all bad news. A user survey conducted by one cloud service provider found that concerns about security fell to 25% compared to 29% last year. And as more becomes known about security risks so too does our knowledge around what organisations can do to protect themselves.Threats and solutions in the cloudThe Cloud Security Alliance (CSA) released its ‘Treacherous Twelve’ in March 2016 detailing the top 12 threats to cloud security based on responses from their members. At the top of this list was data breaches.Any leak or exposure of sensitive information – such as usernames, passwords, credit card numbers, social security and health records – constitutes a data breach. The organisation, and not the cloud service provider, is ultimately accountable for keeping their data secure.When a data breach does occur, a company could be fined or face criminal changes, regardless of whether it was intentional or not. Even though cloud service providers will deploy a high level of security measures, the CSA advises organisations to implement a multifactor authentication and encryption system on the user end to protect against data breaches. This could involve single-use passwords, smartcards, or phone-based authentication.These multifactor authentication processes can also work to prevent the occurrence of compromised credentials, which can expose an organisation to a data breach. Commonly, data breaches and cyber security attacks rely on lax security systems like predictable passwords and poor certificate management.Allocating permissions within an organisation is another area where credentials could be compromised if they are misallocated or not removed when a user leaves or changes roles. As well as multifactor authentication, companies should prohibit the sharing of account credentials and ensure permissions are allocated or removed as soon as is necessary.Organisations can also increase their chances of avoiding a data breach by implementing proper training. Innocent mistakes can often look like deliberately harmful insider activity. Would your data administrators ever unintentionally copy sensitive customer information over to a publicly accessible server? The only way to be truly confident in a workforce and prevent mistakes happening in the cloud is to implement correct training and management.While the cloud may differ to local networks in many ways, its data centres remain just as susceptible to damage or destruction by natural disasters. To avoid losing data to fires and floods, distribute data and applications across more than one zone. Implement appropriate data backup procedures, and adopt best practices in business continuity and disaster recovery.Consider using off-site storage for data that, if lost, would result in its own kind of disaster. As the General Data Protection Regulation (GDPR) start date approaches, protecting your data is more important than ever. GDPR sees both data destruction and corruptions as serious breaches.
Looking ahead – the future of the cloudIt would be unwise – and certainly a bad business decision – for an organisation to not take advantage of the technological advances made by the cloud. More than that, however, cloud computing services and applications also support growth in a way that traditional IT hardware cannot. Whether it is a start-up with a handful of staff, or a multinational corporation with a headcount of thousands, the cloud continues to be the way of the future.Over the next years and decades, the regulations and laws around data in the cloud will come into maturity. Like many times in the past, governments are moving slower than the technology when it comes to implementing policies and law. Decisions made in the courts will instead set the precedent of who is ultimately responsible for the security of information stored within the cloud. In the meantime, organisations around the world can focus on self-regulation as they tackle cyber security in the cloud.