A few minutes and a couple of clicks is all it takes to set up a cloud account. You may not even think twice before signing up for cloud applications such as Gmail or Azure. But are you ignoring security in the process? Do you know where your data is stored or who can access it? Cloud services are easy to set up and convenient to use, but they also bring security risks of their own.
Cyberattacks are on the rise, making it more important than ever for business owners to understand where their business’s data is stored and who can access it. If you own a small business that depends on the cloud to store and share data, then you may be prone to hacking attempts that can damage your reputation and lead to penalties.
In this article, we’ll look at the basics of cloud computing, explain key cloud security risks you should be aware of, and suggest ways to overcome them.
Cloud computing is the delivery of software applications and IT resources (e.g., servers, networks, storage, processing power, data centers) over the internet. Simply put, you rent IT tools and services from a cloud service provider (CSP) instead of buying and maintaining them yourself. The CSP handles upgrades and maintenance of the underlying infrastructure, and you pay for what you use, either as a subscription (usually monthly or annual) or metered by consumption.
You can either opt for public cloud or private cloud services. In the former, you share a set of cloud resources with other businesses or cloud users, while in the latter, you have access to dedicated resources. Private cloud services are costlier, as the CSP provides dedicated services for your business.
Software-as-a-Service (SaaS): In this model, third-party vendors deliver software applications over the internet. You don't have to install the cloud application on your computer and can access it online by logging into your account. G Suite (now Google Workspace) and Dropbox are some examples of SaaS.
Infrastructure-as-a-Service (IaaS): In this model, vendors deliver IT infrastructure services such as servers, data center, storage, virtualization, and networking over the internet. IaaS services are a cost-effective alternative to physical hardware and IT infrastructure. Microsoft Azure and AWS are some examples of IaaS.
Platform-as-a-Service (PaaS): In this model, third-party vendors deliver the platforms and tools needed to develop and run software applications. PaaS users are usually software developers; the service spares them from provisioning and patching the servers, operating systems, runtimes, and databases beneath their code, though they still write and secure the application itself. Google App Engine and Microsoft Azure are some examples of PaaS.
DDoS attacks, ransomware attacks, account takeovers, and data breaches are some common types of cloud security threats. Let’s discuss the key risks you should be careful about when adopting cloud technology.
When using the cloud environment, you may not have a clear idea of where your data is stored, how it’s stored, and who can access it. Though you get benefits, such as ease of use and low upfront costs, data visibility and control take a back seat.
For instance, your SaaS provider may itself be hosting your applications and data on another company's cloud, creating a chain of custody that is hard to trace and that further reduces your control and visibility.
This lack of visibility and control diminishes your ability to establish clear rules about how your data is to be collected, where it should be stored, who’s accountable for protecting it, who can access it, etc. Inadequate data governance in the cloud can result in noncompliance with regulations and result in penalties for your business.
Ask questions about where and how your data will be stored, what rights you and the provider will have over it, and who'll be responsible in case of data loss. Also, ask if you can add additional security measures to improve visibility and control over your data in the cloud.
Regulations such as GDPR require you to inform customers about how you store, process, and use their data. You also need a lawful basis, typically the customer's consent, before sharing their data with third parties, and a written data processing agreement with any provider that handles it on your behalf.
When you use cloud computing, you rely on your CSP to store and process your customers' data per the regulations concerning your line of business, but the legal responsibility for that data stays with you, and that can be a compliance challenge.
First, the security measures followed by your CSP may not be relevant to or strong enough for your industry of operation. Also, your provider may not be willing to disclose how they're following data security standards. Most providers won't let individual customers audit them directly; the usual substitute is an independent audit report (for example, a SOC 2 Type II report or ISO/IEC 27001 certification), and a provider that can't produce one leaves you unable to demonstrate compliance, which can lead to hefty fines and penalties for your business.
When selecting a CSP, ask the right questions to ensure your data is in safe hands. In GetApp's 2020 Business Model survey [*], 81% of respondents said they don't ask about vendors' regulatory compliance practices when purchasing software.
Check if the provider follows data protection measures relevant to your line of work. Research the provider’s current clientele to see if they’ve worked with companies in the same industry as yours. We recommend partnering with a CSP that has a good track record in data security compliance.
In the cloud, your data is managed by a third party—i.e., your CSP—which increases security risks.
Even if your CSP has taken every reasonable data security measure, attackers may still get through, and things can get worse if you're using a public cloud shared by multiple tenants. You can become collateral damage (experience downtime or a data breach) even if you aren't the primary target.
Malicious co-tenants in a public cloud may also reach your data if there are flaws in the CSP's tenant isolation. Careless insiders (e.g., your employees) are another cloud security risk. They could be using weak passwords, sharing their passwords with others, or using insecure mobile devices. Negligent insiders are a common target for attackers trying to take over your cloud accounts.
Inquire about the types of data security measures (encryption, firewalls, access controls, backup, DDoS attack protection) used by the CSP. Also, check if any business continuity or disaster recovery clauses or terms and conditions are mentioned in the service level agreement (SLA). Keep the shared responsibility model in mind: the provider secures the underlying platform, but how you configure it (who can read each storage bucket, whether MFA is enforced, which ports are open to the internet) is your responsibility, and a misconfiguration on your side is not covered by anything in the SLA.
What happens when you delete your data from the cloud? Is it removed completely, or does it leave traces behind?
Research has shown that deleting a file stored in the cloud doesn't necessarily mean no copy or instance of the file exists elsewhere. Cloud providers regularly replicate your files to multiple data centers as backups and to ensure uninterrupted service.
When you delete a file, your provider often marks it as “deleted” but doesn’t remove it from the cloud server immediately. The file is, instead, parked at a separate location. You’ll have to request a permanent deletion to remove all traces of your file. And even after that, you can’t be too sure it’s completely erased.
Ask clearly what will happen to your data when you terminate the cloud service. Inquire how the provider will back up your data and where the backup data will be stored (the provider's own servers or a third party's). Ensure the provider has provisions to delete the backup data completely when you request it. The one form of deletion you can enforce yourself is cryptographic: if the data was encrypted with a key only you hold before it was uploaded, destroying that key renders every remaining copy, backups included, unreadable.
Gartner estimates that through 2025, 99% of cloud security failures will be due to mistakes made by customers rather than cloud providers. To ensure your business isn't one of that 99%, take all necessary security precautions. Here are the top data protection measures you should consider adopting.
Your CSP may already encrypt stored data, but that encryption uses keys the provider controls, so anyone with sufficient access to the provider's systems can in principle read your data. For sensitive data, add your own layer: encrypt it on your side, with keys that never leave your control, before it is uploaded (client-side encryption). Then the provider, its staff, a co-tenant who breaches isolation, and a thief who copies the storage all see only ciphertext. Use encryption for data at rest in the cloud as well as in transit, i.e., when it is being moved from your site to the cloud provider, which in practice means insisting on TLS for every connection. Encryption only helps if the keys are protected: keep them in a secrets manager or hardware module, never in the same storage as the data they protect.
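The following Go program is an added example, not code from the original article or from any cloud provider. It shows the two points made above and in the earlier section on data deletion: encrypting a record locally with AES-256-GCM under a key you hold before anything is uploaded, binding the object name to the ciphertext so a blob cannot be quietly swapped or renamed, detecting tampering, and finally "crypto-shredding" by destroying the key so every replica and backup the provider still holds becomes unreadable. The Vault type, the object name and the sample customer record are constructed for illustration; no provider SDK is involved.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault holds a data-encryption key on your own systems. Only ciphertext
// leaves for the cloud, so the provider, its backups and any co-tenant
// hold bytes they cannot read. (Hypothetical type for this example.)
type Vault struct {
	key []byte // 32-byte AES-256 key; nil once shredded
}

// NewVault generates a random key. In production the key lives in a local
// secrets store or hardware module, never next to the ciphertext.
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Vault{key: key}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil {
		return nil, errors.New("key has been destroyed")
	}
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce||ciphertext||tag. objectName is bound as associated
// data, so a blob copied under another name fails to decrypt.
func (v *Vault) Seal(plaintext []byte, objectName string) ([]byte, error) {
	aead, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a Seal blob; any modification fails the GCM tag check.
func (v *Vault) Open(blob []byte, objectName string) ([]byte, error) {
	aead, err := v.aead()
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

// Shred zeroes and discards the key: every copy of the ciphertext still in
// the provider's replicas and backups becomes unreadable at once.
func (v *Vault) Shred() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
}

// Demo runs upload, tamper detection and shredding on a constructed record
// and reports whether each behaved as the text describes.
func Demo() (roundTrip, tamperDetected, shreddedUnreadable bool, err error) {
	v, err := NewVault()
	if err != nil {
		return false, false, false, err
	}
	record := []byte("customer,email\nAda Lovelace,ada@example.com\n") // constructed sample
	blob, err := v.Seal(record, "customers.csv")
	if err != nil {
		return false, false, false, err
	}
	got, err := v.Open(blob, "customers.csv")
	roundTrip = err == nil && bytes.Equal(got, record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = v.Open(tampered, "customers.csv")
	tamperDetected = err != nil

	v.Shred()
	_, err = v.Open(blob, "customers.csv")
	shreddedUnreadable = err != nil
	return roundTrip, tamperDetected, shreddedUnreadable, nil
}

func main() {
	rt, td, su, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip: %v, tamper detected: %v, unreadable after shred: %v\n", rt, td, su)
}
```

The design choice worth noting is the associated data: with the object name bound into the tag, an attacker who can rearrange objects in your bucket cannot make your application decrypt the wrong record under the right name. GCM nonces must never repeat under one key; a random 12-byte nonce is fine for the volumes a small business handles, but a very high-volume system would rotate keys or use a counter.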
In multifactor authentication (MFA), you add an extra verification method besides the usual username and password before a cloud account can be accessed, such as a one-time code from an authenticator app, a hardware security key, or biometric verification. This additional step stops most account takeovers when an employee's password has been guessed, leaked in a breach, or shared by mistake. Two caveats: codes sent by SMS are the weakest option, because they can be intercepted or redirected through SIM swapping, and any one-time code can still be phished by a fake login page that relays it in real time, which is why security keys (FIDO2/WebAuthn) are the strongest choice for administrator accounts. Enforce MFA for every user, starting with administrative access.
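To make concrete what an authenticator-app code actually is, here is an added Go example (not from the original article) of the server side of time-based one-time passwords as standardised in RFC 6238, built on HMAC-SHA1 per RFC 4226. It accepts the code for the current 30-second step and one step either side to tolerate clock skew, compares in constant time, and remembers the last accepted step so a code captured by a phisher cannot be replayed. The Verifier type is constructed for this example; the secret is the RFC 6238 test secret, not one you would ever deploy.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

const (
	totpStep   = 30 // seconds per code, the RFC 6238 default authenticator apps use
	totpDigits = 6
)

// hotp computes an RFC 4226 HOTP value for one counter.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < totpDigits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", totpDigits, code%mod)
}

// totpAt returns the code valid at a Unix time (RFC 6238: counter = time / step).
func totpAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// Verifier checks codes for one enrolled user and remembers the last
// accepted time step so a captured code cannot be replayed. (Hypothetical
// type for this example; a real server stores lastStep per user.)
type Verifier struct {
	secret   []byte
	lastStep int64
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastStep: -1}
}

// Verify accepts the code for the current step or one step either side,
// compares in constant time, and refuses any step at or before the last
// accepted one, so the same code can never be used twice.
func (v *Verifier) Verify(code string, now int64) bool {
	if len(code) != totpDigits {
		return false
	}
	step := now / totpStep
	for _, skew := range []int64{-1, 0, 1} {
		s := step + skew
		if s <= v.lastStep {
			continue // already used, or older than a code we accepted: replay
		}
		expected := hotp(v.secret, uint64(s))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.lastStep = s
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (constructed example only). A real deployment
	// generates a random secret per user and shares it once, e.g. as a QR code.
	secret := []byte("12345678901234567890")
	v := NewVerifier(secret)
	code := totpAt(secret, 59) // what the user's authenticator shows at t=59s
	fmt.Println(code, v.Verify(code, 59), v.Verify(code, 59)) // 287082 true false
}
```

The replay check matters more than it looks: an attacker who phishes a code has at most one 30-second window to use it, and if the legitimate user has already logged in with that code, the window is closed entirely. Nothing here protects against a real-time relay, which is why the text above points administrators towards security keys.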
Careless actions by your employees can lead to accidental deletion or loss of data from the cloud. Also, untrained employees may not be able to spot phishing emails and thus become easy targets of account takeover attacks. Train your employees on security best practices for cloud applications using online training programs, AR- or VR-driven training, webinars, etc.
Data backups are crucial in the event of information loss due to ransomware, accidental deletion, a compromised account, or a provider outage. Your CSP may already be backing up data in the cloud, but you should also keep your own copies. Keep at least one copy in a separate account or offline, so that an attacker who takes over your cloud account (or ransomware running on a connected PC) cannot delete or encrypt the backups along with the originals, and test a restore periodically; a backup that has never been restored is an assumption, not a safeguard. Determine a backup frequency and opt for a disaster recovery plan that suits your needs. Here are some market-leading backup software tools to consider.
Cloud infrastructure has some inherent security risks, but don't assume all cloud applications have weak security. If you've chosen a reputable CSP and are following the security measures above, your exposure is small. Remember, the cloud can be the more secure option if your IT team is inexperienced or understaffed, or if you lack an IT team altogether, because the provider handles the patching and physical security a small business would otherwise neglect.
When using cloud resources, be mindful of the risks we’ve discussed and use our suggested security measures to protect your data over and above what your cloud vendor has promised. Also, consider investing in software tools to strengthen your security efforts. Here are some top-rated IT security tools you can check out.
A Review of Assured Data Deletion Mechanism in Cloud Computing, International Journal of Engineering & Technology
Is the Cloud Secure?, Gartner
[*] The Business Model Survey referenced in this article was conducted by GetApp between June 18-23, 2020 among 577 respondents who reported executive leadership roles at small businesses with 500 or fewer employees. Of the total respondents, 465 were small businesses with less than 250 employees and 112 were midsize businesses with more than 250 employees.
Note: This document, while intended to inform our clients about the impact of technology on business, is in no way intended to provide legal advice or to endorse a specific course of action.
Toby Cox - Guest Contributor