Are Cloud Providers Absentee Landlords On Cybersecurity?

This article is more than 10 years old.

Guest post written by Marc Maiffret

Marc Maiffret is chief technology officer of BeyondTrust, which sells security and compliance software.

Would you trust your sensitive corporate data in the hands of a stranger? Recent Amazon and Apple iCloud experiences tell us that cloud security, across the board, needs to be enhanced now, not later. Looking at and understanding the security strategies and responsibilities of both cloud providers and customers can help to prevent further failures.

The adoption of cloud services by both large and small organizations is rising. Without a doubt, there are benefits to this investment: competitive cost advantage, allowing budgets to focus on technology innovation rather than infrastructure, and considerable gains in time management. For instance, a young company that doesn’t have the capital to purchase the servers needed to develop new products now has the ability to rent their back-end infrastructure from a cloud provider for mere pennies an hour. This can provide a small business the same level of scaling capabilities as a company five times its size.

It’s clear that organizations that outsource to a cloud vendor oftentimes make their choices based on price instead of security. Despite the undoubted advantages in efficiency and cost effectiveness, leveraging a cloud provider unfortunately invites many risks as well. While many C-level non-IT executives look to openly embrace cloud environments, security executives walk with much more trepidation.

In a recent study conducted by IDG Research, nearly 60 percent of respondents said they were very concerned with data security and privacy in cloud deployments.

Vulnerabilities and exploits don’t discriminate. The same holes that exist for on-premise data storage and access also exist within cloud deployments. These risks should raise significant concerns about breaches when housing sensitive assets in the cloud, such as intellectual property and financial or customer data.

This raises the question: when a company is utilizing a cloud provider, who is actually responsible if a breach occurs? Who is responsible for what security measures are put in place? The apparent ambiguity as to who is responsible for securing the assets that make up private clouds creates the exact type of security gaps that attackers prey on. Questions such as these need to be raised as more companies continue to move massive amounts of data to cloud service providers.

The truth is that assets, in the cloud or on premise, are part of your business; treat them as such. You need to take the steps to secure those servers, and you have every right to, just as if they were sitting in your own server closet or data center. Moving your organization to the cloud is like entering a lease agreement with a services provider. You and your assets can occupy the premises, but unless you have renter's insurance you’re cooked if there’s a theft or fire. Even though you are renting from these providers, you should still look for cloud providers that give your company enough access to perform your own security assessments and verify the level of security that the provider may or may not be implementing.

End user license agreements for almost all cloud providers are consistent in stating they are not responsible for security. They are responsible for providing you with servers at a certain level of network and system uptime, but offer little to no guarantee of security. That being said, any element of trust in the security of cloud providers is being tested. They might not even know when a breach has occurred. In a 2011 Ponemon study, 42 percent of respondents of cloud service providers indicated they would not know if their organization's cloud apps or data was compromised by a security breach or data exploit.

When shopping for a cloud provider, one of the requirements you should look for is a level of access that allows your company to perform its own security assessments of the physical or virtual systems that house your data. Large cloud providers continue to adopt processes by which you are able to perform your own monthly assessment of the systems hosting your environment. This is not standard for all cloud providers, and you should proceed with caution when using any cloud provider that does not let you peek under the hood.

Here are a few tips on implementing a healthy cloud security strategy:

  • Include assets held in the cloud in your normal security and privilege access management strategy. This includes verifying that your cloud provider has detailed access log information and that you audit it regularly for anything suspicious.
  • On a monthly basis assess the state of security of your cloud systems by leveraging vulnerability management and security assessment solutions or services. For cloud providers that are providing you pure software as opposed to infrastructure or operating systems, request a copy of their monthly security assessment reports and remediation plans.
  • When employing a cloud service, review the terms and conditions carefully; understanding the end user license agreements from a legal perspective can sometimes be your last resort.

Leaving private cloud security out of an organization’s integrated strategy creates a major security gap and opens an organization up to security breaches, data loss, intellectual property theft, and regulatory compliance issues. The value of leveraging cloud providers (cost, time and resources) can be fully realized if security measures are a high priority and remain that way; otherwise, it could potentially end up being more costly than planned.