CSAM: Security in the Cloud

The cloud is not some magical place apart; it is simply another piece of the information infrastructure, and as such has both opportunities and challenges for users and security professionals alike. The cloud offers seductive benefits of speed to provision, reliability, elasticity, lower price, mobile access and more. A new study by Dell finds that companies that have invested in cloud, big data, mobility and security are seeing about 50% faster revenue growth than those that did not. But these benefits come at the price of some loss of control over data and security. Additionally, the cloud opens some new vulnerabilities, for example attacks against the “hypervisors” that manage the virtual machines.

For IT departments, the cloud has turned the old security paradigm on its head. It used to be that security specialists could draw a clean boundary between “our network” and “out there”, and try to keep bad things from crossing the boundary.

With the cloud, and the rise of mobile devices, the boundary is no longer relevant in many cases. In theory, anybody can access corporate data in the cloud from anywhere, and with the use of BYOD devices, the boundary is often inside the devices themselves…one reason device security and access control are becoming more prevalent. Current thinking is moving towards “hybrid cloud” implementations, with an attempt to keep more valuable data closer to home, thus re-establishing at least some semblance of a virtual boundary.

But users are not to be deterred. Security vendor CipherCloud analyzed a year’s worth of cloud usage data from its enterprise customers and discovered that on average, North American companies used about 1,245 cloud applications. Of that number, an astounding 86 percent were unsanctioned applications that IT groups had little idea were being accessed from inside the enterprise network. The CipherCloud article cites “John Pescatore, director of emerging security threats at the SANS Institute, [as saying] much of the risk can be mitigated if IT is responsive to business needs. Employees and business groups often sign up for cloud services they need on their own because it is faster than waiting for IT to provision it for them, he says.”

Still, the cloud can be safe with appropriate controls. One of the biggest causes of data loss in the cloud, for example, is the loss or theft of devices (one-quarter) or other types of employee negligence (one-third). These numbers indicate that simple education and loss remediation (device wiping, for example) can substantially reduce the risk.

So here is the bottom line. Like many issues in cyber security these days, it is all about risk management. If you are a governmental agency with high-value personal data, or a defense contractor with classified information, or a critical infrastructure component with sensitive operational data, then your tolerance for any data loss is very low. In these cases you need strong security controls no matter where your data lives. If you are a small business, the big cloud providers are likely to be able to provide much better protection for your data than you can provide, at lower cost and better reliability, and can deliver surge or rapid growth capacity that you cannot match.

For individuals, the best advice is to know where your data lives and how to control that. Much of the data on our mobile devices, photographs for example, is duplicated to the cloud by default (hopefully the proprietary cloud of the provider), but you can generally choose to disable this function. Many apps split data storage between your local machine and the cloud, running some bits locally and some remotely. Some apps are more greedy and “verbose” than others, scooping up any data they can access on your device and sending it elsewhere; there is a growing body of literature on these app characteristics, and you can choose not to use the worst offenders.

One last thought for individual users is the cost associated with cloud storage. For businesses the cost benefits are generally clear, but for consumers cloud is generally much more expensive. Commodity portable disk drives storing a terabyte of data are now barely $100 at the big box stores.

If you buy one, put your data on it and plug it in when you need access, it can cover your data needs for a very long time (ok, buy two for reliability or even a third one to stick in your safety deposit box for offline storage). Compare that to the cost of a data plan that would allow you to access that same data. Verizon is quoting $100 per month for 18 GB of data access, about 50X more expensive, not counting the cost of the storage itself. Not quite apples to apples, but certainly consumers need to consider the true cost of their cloud storage and access.


