How Using a Cloud Provider Impacts Security Risks

A company planning to secure its IT environment generally focuses on a broad range of vulnerabilities to its data center as well as ways to safeguard sensitive corporate, customer, and partner information wherever it’s located. A hybrid cloud environment changes things because, although ultimately it’s your company’s responsibility to protect and secure your applications and information, many challenges arise when you’re working with an external provider. Here are a few of those challenges:

Multi-tenancy: In a multi-tenant architecture, a software application partitions its data and configuration so that each customer has a customized virtual application instance. However, your applications and data exist on the same servers as other companies using the same service provider, and these users are accessing their resources simultaneously. You may not know the names of the other companies that are sharing these servers. So, if one company’s data or application is breached or fails for any number of reasons, your application may be affected.

Attacks that affect you, even though you aren’t the target: If your company makes use of a public cloud, you may be the collateral damage in an attack, even if it wasn’t meant for you. Consider a virus attack, for example. Because you’re sharing an environment with others, even though you may not be a target, your resources may be affected, resulting in a service interruption, or worse.

Incident response: In a cloud environment, you may not have control over how quickly incidents are handled. For example, some cloud providers may not tell you about a security incident until they’ve confirmed that an actual incident occurred. As a result, you won’t know something has happened until it affects your business. Additionally, if you become aware of an incident, you may not have access to servers to perform an analysis of what went wrong.

Visibility: The preceding example illustrates that in many cloud environments, you may not be able to see what your provider is doing. In other words, you may not have control over your visibility into your resources that are running in the cloud. This situation is especially troublesome if you need to ensure that your provider is following compliance regulations or laws.

Non-vetted employees: Although your company may go through an extensive background check on all of your employees, you’re now trusting that no malicious insiders work at your cloud provider. This concern is real because close to 50 percent of security breaches are caused by insiders (or by people getting help from insiders). If your company is going to use a cloud service, you need to have a plan to deal with inside as well as outside threats.

Data issues: If you’re putting your data in the cloud, you need to be concerned about a number of issues, including the following:

• Making sure no unauthorized person can access this data.

• Understanding how this data will be segregated from other companies’ data in a multi-tenant environment.

• Understanding how your data will be destroyed if you terminate your contract.

• Understanding where your data will be physically located.

• Understanding how your data is treated as it moves from your location to your provider’s servers. Data issues are so important in a hybrid cloud environment that we’ve devoted a whole chapter (Chapter 11) to it.

Multiple cloud vendors: Some cloud providers may actually be storing your data on a different cloud provider’s platform. For example, cloud provider A may need extra capacity and move your account to a separate cloud environment supported by cloud provider B. It is therefore important to understand where your data in the cloud is actually located. Once you gain this information, you must make sure all of the parties are complying with your security requirements. In the earlier example, for instance, you need to make sure that Vendors A and B are both doing a thorough job of vetting employees.

Different applications and resources might demand different levels of security. If you’re not providing time-sensitive data to the cloud, for example, you may not be as concerned about incident response time as someone who does. The point is this: You need to ask yourself how much you have invested in what you’re putting into your cloud environment. If you’re very concerned about what happens if there’s a service interruption or what happens to your resources, you need to practice due diligence. What happens in the cloud can affect your cloud resources as well as those on your business’s premises. It’s best to be prepared.

Even when cloud operators have good security at the physical, network, operating system, and application levels, your company is responsible for protecting and securing its applications and information.