As cloud usage continues to expand across industries around the world, it is apparent that even more mission-critical operations and services will be moved to the cloud in the coming years.
According to a recent survey from Business Cloud News, the majority of respondents are planning a significant increase in cloud adoption in the next two years. This predicted growth raises some questions about the current state of the cloud, including the hidden sources of risk in public cloud usage.
While many enterprises are clearly realizing promised benefits, there are still challenges and a consistent set of concerns. Before companies can move a new process to the cloud or expand current deployments, they need to understand the risks. In this slideshow, Perspecsys, a leader in enterprise cloud data protection solutions, takes a closer look at five hidden sources of risk associated with public cloud usage.
Public Cloud Security Risks
Security Policy Enforcement
Risk #1: Failure of IT security policies to extend to the cloud.
Enterprise data privacy and security teams (informed by the client’s compliance team) work hard to define data protection policies. But once data leaves the organization’s secured network environment for a public cloud, they lose the ability to enforce those policies. This loss of data governance can plague enterprise cloud projects.
According to the Cloud Standards Customer Council, “For public cloud deployments, consumers necessarily cede control to the cloud provider over a number of issues that may affect security. At the same time, cloud service-level agreements (SLA) may not offer a commitment to provide such capabilities on the part of the cloud provider, thus leaving gaps in security defenses.”
Overlooking Data in Use
Risk #2: Overlooking data in use.
Data in use is, effectively, the data that has been loaded into a process and is in the memory of the program that is running. In general, this data is in the clear while being processed and is typically not protected by techniques such as data-at-rest encryption provided by cloud service providers (CSPs).
The lifecycle of cloud data includes three phases: at rest, in transit and in use. Organizations need to focus on protecting the complete data lifecycle. There is a growing concern about securing data in use since new attack vectors are emerging that specifically target data in this phase.
Perspecsys explains that, in general, this data is in the clear while being processed, and it is typically not protected by techniques such as the in-cloud encryption provided by a cloud service provider. The recent Heartbleed exploit is a good example of a data-in-use attack. Heartbleed exploited a vulnerability in OpenSSL that allowed attackers to read directly from the memory space of the affected process, leaking sensitive data in use such as usernames and passwords. Moreover, if the data in use is in the clear, it is technically feasible for a cloud service provider to “tap” the data in response to a request from a third party, such as law enforcement.
Lack of CSP Security Evaluation
Risk #3: Lack of enterprise evaluation of CSPs’ security provisions.
The number of enterprises with a process in place to evaluate the security practices of potential cloud partners has actually decreased from 54 percent two years ago to just 44 percent currently. (Source: “U.S. State of Cybercrime Survey,” conducted annually by CSO magazine.)
We know many enterprises are still depending on the cloud service provider (CSP) to be primarily responsible for the security of the cloud application. The truth is, there may be a significant gap between what a CSP promises in its SLAs and what the customer will actually experience. Some organizations find that CSPs apply more rigorous security and compliance measures to their own data than to hosted customer data.
In fact, Gartner has published research over the past year highlighting that buyers of commercial cloud services – especially software as a service (SaaS) – are finding security provisions inadequate. The research calls for contracts to have more transparency to improve risk management by eliminating ambiguous terms regarding data confidentiality, data integrity, and recovery after a data breach. Ambiguity makes it difficult for service providers to manage risk and defend their positions to auditors and regulators.
Retention Policy Issues
Risk #4: Data retention policy issues after the contract with the CSP ends.
At the end of the contract, whether because the engagement did not work out or simply because you want the data erased, the onus is on you, the enterprise security team, to ensure that the data is securely erased or returned to you (or given equivalent protection).
Other areas that create friction in adoption include interoperability with other cloud-based and on-premise systems, and disaster recovery. And for many global organizations, the need to comply with an increasing array of country-specific data residency regulations – which restrict cross-border data flows – is frequently cited as a common cloud adoption challenge. Adopting the cloud is more complicated than many enterprises realize, particularly in the area of data security.
Data Compliance Shortcomings
Risk #5: Data compliance shortcomings.
Data compliance regulations like PCI DSS, ITAR, SOX, GLBA, HIPAA and HITECH offer specific guidance on handling personal information and on cloud compliance for sensitive data. As the CSO, you don’t want to be left holding the bag for a surprise non-compliance situation involving your public cloud environment. Know your CSPs and their ability (or lack thereof) to meet data compliance guidelines.
For example, the Gramm-Leach-Bliley Act (GLBA) Financial Privacy Rule requires institutions to provide an annual notice to customers explaining how their data is maintained and shared, as well as the steps taken to protect it. Clearly, using the services of an outside cloud provider complicates matters greatly: losing full control of the data makes compliance with this rule quite challenging. Likewise, the Safeguards Rule requires institutions to implement an information security program, and the adoption of public cloud services can significantly complicate this task. Many financial institutions are wrestling with the loss of data control that comes with the business benefits of cloud adoption.