When visiting my parents this past weekend, the topic of data security came up. Out of curiosity, I asked them what their principal security concerns were when we got our first computer in 1987. Their answer – fear of loss (via theft, corruption, deletion, nuisance/waste of time, etc.) – reminded me that our concerns about ‘data security’ haven’t changed at all. They still center on confidentiality, integrity, and availability (the CIA triad of information security). The focus is what has shifted, from security of data on devices we can hold and touch to security of information housed ‘in the cloud.’
To confirm this, I went to NIST (the National Institute of Standards and Technology, a branch of the US Department of Commerce) to find out what the principal security concerns of 1995 were:
- Access
- Control
- Reliability/Assurance/Accuracy
- Usage (including misuse)
- Threats (e.g. E&O, fraud, sabotage, data loss/corruption, hackers, privacy issues)
Keep in mind that this was before businesses and consumers realized the full potential of the internet. With the World Wide Web came the set of technologies and practices we now know as the ‘cloud.’
For purposes of this article, I will define ‘the cloud’ as a computing environment which:
- Eliminates the need for up-front capital costs,
- Largely eliminates operational IT responsibilities (e.g. backup, device maintenance, upgrades),
- Removes barriers to where work is done,
- Offers substantial scalability and elasticity, &
- Delivers tremendous economies of scale.
Organizations have expressed great enthusiasm for the many advantages unlocked by the cloud. After all, it promises to make them more efficient and competitive, to provide them with real-time insight and exceptional agility. Who would say no to that?
Nonetheless, adoption rates have so far disappointed predictions. Businesses have moved toward the cloud, but they have done so more slowly and with greater caution than analysts expected.
Why is that?
Despite advantages, the primary impediments to cloud adoption remain misconceptions about the reliability, availability, and security of the cloud. Many people fear losing direct control over data they are accountable for.
Security carries enormous weight in today’s world. In a recent Inc. survey, 45 percent of respondents believed cloud computing presented a “slightly higher” risk than a traditional network in terms of its ability to protect sensitive information, while 22 percent believed the cloud’s risk was “much higher.” CIO Magazine’s Mark Wilczek says of another recent poll that “Of the 400 executives polled, 39 percent cite security issues as a main barrier to providing the right infrastructure for digital transformation. Moreover, most CEOs (64 percent) refer to security when asked which characteristics they would rate as ‘very important’ in ‘helping their organizations to achieve its digital transformation objective.’”
I won’t pretend that none of these concerns are legitimate. In all likelihood, anybody who tries to downplay the importance of data security has never been responsible for anybody else’s data.
The Cloud Security Alliance has identified the top threats to cloud computing in their 2016 report, Treacherous 12:
- Data breaches
- Insufficient identity management
- Insecure interfaces
- System vulnerabilities
- Account hijacking
- Malicious insiders
- Advanced persistent threats
- Data loss
- Insufficient due diligence
- Denial of service
- Abuse and nefarious use of cloud services
- Shared technology vulnerabilities
What I find interesting about the above list is the fact that, with the possible exception of the final two, every item poses a threat to all platforms, whether on-premises, hybrid cloud, hosted private cloud, or public cloud architectures. The issue isn’t data security in the cloud—it’s data security, period. It’s also important to note that the type of cloud you select has a significant impact on your proximity to any of these attack vectors.
Alert Logic’s 2017 Cloud Security Report discovered that hybrid cloud draws more confirmed security incidents than any other platform, followed by hosted cloud, on-premises, and finally public cloud. In fact, public cloud has the lowest threat vector, with 34% fewer incidents than on-premises, 41% fewer incidents than hosted private cloud, and 59% fewer incidents than hybrid cloud.
“We are now confident in concluding that public cloud environments have lower observed incident rates than on-premises data centers,” declare the report’s authors. “However, any enterprise that treats public clouds’ lower incident rate as an invitation to be less diligent about security is seriously asking for trouble. It makes no sense to move to a safer neighborhood and then proceed to leave the doors of your house wide open!”
In reality, there is no one-size- fits-all model for security on any platform. Cloud computing is available in different tiers, each of which presents a different level of responsibility for security management.
Cloud security is no different from regular data and infrastructure security. Applications still interface with users in some way. Today, that interface often happens via the web, whether through cloud applications, portals, remote access devices or virtual machines. All normal OWASP security vulnerabilities (SQL injection, session management or authentication failure, sensitive data exposure, broken access control, cross site scripting and forgeries, insufficient monitoring, etc.) pose as much danger to applications running on Internet-connected servers in your office or a local data center as they do to applications running in a true cloud architecture.
When it comes to physical security, a data center full of cloud application or database servers is indistinguishable from a data center filled with non-cloud servers. Unauthorized access and natural disaster pose a threat in either case. Cloud computing does not introduce new requirements for the physical security of devices.
Because cloud computing can help financially strapped organizations survive and financially stable organizations thrive, those who want to retain a competitive advantage no longer have the option to sit and wait. But that doesn’t mean you have to relinquish control or ignore the data security elephant in the room. Judging by the data, organizations that partner with the right vendor can reap all benefits of the public cloud without undermining security. If anything, the public cloud often enhances the security of organizations’ data.
The vendor you choose is incredibly important, however. I cannot stress this point enough. In order to reduce their liability, some vendors will try to take formal ownership of your organization’s data. Some will bring in third-party companies to host your data.
I believe that Xledger provides an example of what you should look for. Xledger gives you access to the most automated business management system on today’s market. We guard your data as our own with enterprise class security controls. Yet even as the system streamlines your processes and supplies you with unparalleled business insight, Xledger keeps the power in your hands. While we might assume direct custody of your data, you own it. You control it. And you always will.