Public cloud computing risks have quietly slipped into the enterprise, and we are only just learning the magnitude of the vulnerabilities. There are, of course, many well-known public cloud services, and some organizations block the ones they are aware might compromise their systems and data. However, employees are likely using many services that the organization does not know about, and new services launch frequently, many of which can become a channel for data leakage.
The cloud stack consists of infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). The exposure grows with each layer that is managed by someone other than your organization. With IaaS, networking, storage, servers, and virtualization are managed by the service provider while you still control the operating system and everything above it. With SaaS, everything is managed by the provider, which makes it the most vulnerable layer from the customer's point of view: you have the least visibility and control.
Public cloud services that may extend your organization’s risk if not managed correctly include:
- Login with Facebook
The trouble with letting others manage your data
When others manage layers of a service your organization uses, business operations rely on that management being secure and highly reliable. Yet you rarely have direct visibility into how well the provider protects your data and backs it up. Questions to ask may include:
- What virtualization software do they run and is it on the most current version?
- Have you reviewed that software vendor's patch history to see what risks tenants have been exposed to in the past?
- If data encryption is used, are the private keys shared among tenants, or does each tenant have its own?
- Do you know who has access to your data and how many privileged accounts there are?
We like to think that these cloud services have rock-solid data security and backup protection. Still, there are reported cases of data loss through equipment and backup failures or simple accidental deletion. Since the servers are shared systems, ransomware may get in and hold data hostage, or a software failure might expose one tenant's data to other tenants on the service.
Data stored or processed in the cloud service could also be seen or stolen by malicious actors. Cracks in cloud security make cyber-crime easier. Authentication and authorization may not be as robust as they should be at some providers, and poor password practices among employees are a particularly significant vulnerability. Even if the provider's security keeps external attackers out, employees of the provider might have malicious intent and gain access to your data from within.
They own the data too, if you can get to it
Another consideration is that many providers have clauses in their agreements stating that they own the data. They do this primarily to gain some legal protection. Even so, there are stories of providers that have mined or sold their customers' data.
Availability is another concern with off-site systems and services in the cloud. Even the largest providers, such as Amazon, experience outages caused by equipment or software failures, and they may also suffer denial of service (DoS) attacks. Some of these service disruptions have lasted not just hours but days. Many organizations would suffer significant losses without access to their data or services. For instance, many online retailers operate on platforms in the cloud; for them, a service interruption often equates to the complete closure of their stores.
Cloud computing is fairly new, and we are learning as we go. As a result, security issues will arise, not only from software bugs but also from plain programming oversights. Pressure to get new services to market quickly can also lead to rushed programming. Many organizations are building their own private clouds to overcome these and other risks. What are you doing to manage the vulnerabilities present in public cloud computing services?