Cloud Security: So Are We Secured (or Not)?

The recent Panama Paper scandal has left many organisations wondering if their level of security is adequate

During Lava’s early days, a good three to four of the initial meetings were spent educating prospects about cloud technology before we could delve further into the product offerings itself. This was partly due to the lack of clarity on how the cloud operates but more importantly because the security and safety of data on cloud had to be addressed in great lengths.

Today, whilst questions are still raised, it is seen more as a required checklist to be crossed-out by the vendor versus genuine worry or doubt in the security capabilities of trusted cloud providers.

Related: The 60 Second Data Security Checklist

A personal opinion on this is that cloud security is one which is being confidently overlooked unless you’re in the financial sector, government sector (where sensitive and confidential data is involved) as well as GLCs (government-linked companies) from certain fields where cloud is only just being explored (largely adopting a wait-and-see approach to its GLC counterparts).

It is interesting to note some of the concerns that have been raised with regards to cloud security. Here are two of the most frequently asked questions that have been raised across customer meetings, marketing events, and inbound query calls:

 1. External threats via the internet are a bigger threat on the cloud vs the IT infrastructure located within your own backyard.

Security threats are certainly a concern with the Cloud Security Alliance quoting data breaches, account hijacking, insecure APIs and denial of services being some of the issues. These are known threats which require continuous up-to-date prevention initiatives.

However, whilst the threats on the cloud are real, the level of scrutiny for detection and protection that needs to be taken by a hosting provider or on one’s own infrastructure is similar to that which is required for a cloud infrastructure.

Considering the volume, experience and coverage of true cloud infrastructure providers such as Google and Amazon, simple cost + effort & benefit comparisons should easily drive security choices in favour of the cloud.

Google for example shares that it protects customer data in-transit over the internet with SSL encryption. Its admin and security controls passed a ISAE 3402 Type II audit and they are the first cloud-based messaging and collaboration suite to achieve US FISMA (Federal Information Security Management Act) certification.

Two years ago, Google raised their bar even higher in their efforts to step up on security. Besides creating new security teams, their engineers discovered and helped fix vulnerabilities like Heartbleed and Poodle, and took a series of concrete steps to  increase the security of their customers’ information by:

• making sure every single email sent or received is encrypted while moving internally between their data centers.
• releasing End-to-End, a Chrome extension that encrypts information between your browser and the intended recipient.
• ensuring all files uploaded to Google Drive are encrypted on Google servers — in addition to files which are in-transit, as they are being shared on the web.
• launching a physical security key that provides second-factor authentication through your computer’s USB port. They are also working on admin tools to let you deploy this within a smaller scale in your organization.
• giving business users control to share responsibility with IT, providing a wizard to secure your account and a new dashboard to monitor device activity.

Thorough security assurance is definitely wanted by many organisations but the question is would your own team or local hosting provider be able to invest in the same efforts to achieve such control?

According to Gartner analysts, the common cloud computing myth is that “it is perceived as less secure. This is more of a trust issue than based on any reasonable analysis of actual security capabilities. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-premises data center environments. While cloud providers should have to demonstrate their capabilities, once they have done so there is no reason to believe their offerings cannot be secure.”

During a conversation I had over coffee with the Head of IT of a large manufacturing group in Malaysia that has gone cloud, she shared that she would rather trust the security of her data with world class players over having it in her own backyard.

In addition to this, the burden of having resources to manage and monitor such storage systems in lieu of them contributing to their value added roles is removed.

Whilst security is an important part in each of our businesses, security and uptime is the heartbeat and survival point for cloud providers as it determines their long term survival in the business (hence the added effort by cloud providers to be at the top of their game to deal with the latest threats).

  2. Cloud security is a new challenge

The truth is that cloud security is not new; it’s not even unique. The underlying concern of security in relation to protection of the infrastructure and data is still prevalent regardless of whether it’s with a hosting provider or having it in servers in your own office.

Cloud technology provides the opportunity of virtualization which allows more security in comparison to having it stored in one physical environment. Sharding (no, not sharing) of data provides better opportunity for encryption and makes it much tougher for potential hackers to hack.

This is because data will be likely stored as fragments across a range of machines that are logically linked and reassembled on demand rather than as a single contiguous data set.

Public clouds are fundamentally multi-tenant to justify the scale and economics of the cloud so justifiably security is a common concern. Whilst traditional security perimeter is a network firewall, the cloud security perimeter now becomes the hypervisor and/or underlying cloud application. To date, cloud security has been commendable, but it is dependent on the cloud service provider and requires a solid design and operational rigor that prioritizes security.

Data and systems control sharing to a 3rd party requires proper internal control to ensure that not every Tom, Dick & Harry has access. It is crucial to work with your cloud service provider and/or partners and understand about security from technical, operational, and control perspectives. The provider’s experience and testimonials as stewards of customer systems and data should provide you the assurance (or lack of it) in making your call on their security reliability.

Views shared are based on typical misconceptions or hearsay that tend to influence opinions on cloud security. It is important for organisations to examine and establish the security requirements relevant to its nature. Considerations may be done based on sensitivity of information, criticality of application and various other factors.

Decisions ultimately need to be done with appropriate matching of their application and system requirements to the right cloud solution that meets not only their functionality requirements but importantly the level of security and SLA standards. However setting of such security standards need to be done with proper consideration as to what is reasonable and sensibly required for their nature of business and operations.

Bibliography
5 Cloud Security Myths Debunked
Cloud Security Myths and Strategies Uncovered
What does sharding of data mean for cloud security?
Three myths about cloud security
5 Myths about Security in the Cloud
Rackspace
Gartner Highlights the Top 10 Cloud Myths
Data Security in 2014

By Mithran Balakrishnan, Commercial & Corporate Strategy Director of Lava Protocols.

Lava is an authorised Cloud Partner of Google and is a reseller of G Suite (previously known as Google Apps, Google Maps for Work, and Google Cloud Platform) in Malaysia. With more than a decade of experience in the industry, we’re proud to say we’re one of the leading cloud consultants and service providers in the Asia Pacific region.