
Understanding cloud security risks: you are in charge


Charles Fox, Enterprise Architect Cyber Warfare at BT, takes the cyber threat seriously. While cloud computing has obvious benefits, it also carries risk. And as a customer of cloud computing services, it is crucially important that you understand your responsibilities in tackling cloud security risks.

In this interview, Charles explains the risks and the key role of understanding who is responsible for what (as partially covered in our cloud security checklist). Let’s start with the key risks associated with cloud computing as Charles summarizes them.

Charles Fox: The risks will depend on the model that you’re using: public cloud versus private cloud. Public cloud services are popular because they offer agility and instant on-demand processing, but they also carry significant security risks. Bear in mind that most of the classic security risks pertaining to premises-based infrastructure still exist in a cloud setup; where your data is partially controlled by a third party, you are in effect taking on additional risks.

When you procure a public cloud service you typically lose some control over IT architecture, over where your data is stored and over access control. And often there is confusion about the respective responsibilities of customer and cloud service provider. In a private cloud setup you have much more control over all of these issues and that is why a lot of enterprise customers opt for a hybrid cloud model where they try to harness the best of both worlds: private cloud for mission critical and Personally Identifiable Information (PII) and public cloud for less sensitive data and non-critical applications.

Cloud security risks: part of a broader context

Are we exaggerating the security risks regarding the cloud or is it just the opposite; we’re not taking them seriously enough?

Charles Fox: I don’t think we are overrating the cloud security issues, for at least two reasons. Firstly, cloud computing is simply one aspect of a broader trend that also includes mobility, social media and BYOD. Those trends are interconnected and compound the security risk. Irrespective of whether you are adopting cloud computing for enterprise computing, your employees are likely to be using both their own devices and consumer-geared public cloud services and could unintentionally be leaking sensitive data.

For example, last year the Oregon Health and Science University had to notify more than 3000 patients that some of their medical information was stored on a non-HIPAA compliant public cloud service. Some of their physicians-in-training had decided to use Google Drive to share personally identifiable patient information, probably because the existing enterprise system was too cumbersome to use. The intent might have been good, but they ended up violating HIPAA (which in itself can result in civil and criminal penalties) and causing significant reputational damage to the institute. This case illustrates the importance of good security governance; your employees really need to understand security policies.

Secondly, the demand for public and community cloud solutions is leading to an awful lot of consolidation of intellectual property and personal data in multi-tenant infrastructures. These concentrated setups are becoming very attractive to criminals and hence they’ll spend a lot of money and effort to break in. Adobe recently reported a cyber attack that stole the source code of several of its software products and the personal data (including passwords) of approximately 3 million customers. They later had to up that number to 38 million. So in response to your question, no, I don’t think we’re underestimating the security risks.

Evolving cloud security risks

How do you see cloud security risks evolving in the future? Will the cyber threat get worse or better?

Charles Fox: It’s always difficult to predict the future, obviously, but it does seem clear that both the nature of the threat and the actors involved are changing. The top threat associated with cloud computing is data breaching – the theft of corporate data – not just by criminals, but increasingly we’re seeing state actors getting involved. There have been a number of reports showing that state actors are actively stealing IP that is valuable to the economy. Looking at the type of attacks, I expect to hear more about session hijacking, spear phishing, vulnerable APIs and denial of service attacks. Unintentional data loss is also set to rise; in fact, we have already seen a significant amount of such data loss. Nearly 4 out of 10 customers have experienced data loss from their cloud infrastructure due to staff accidentally deleting data.

Cloud computing isn’t only an opportunity for the good guys; the bad guys are increasingly exploiting the benefits of cloud computing. For example, criminals are sourcing huge volumes of processing power from cloud providers to power their attacks. The running joke in the industry is that next to SaaS, IaaS and PaaS, there is tremendous demand for AaaS, otherwise known as Attack as a Service. In a multi-tenant environment there is also the risk that criminals will break through partitions and make it look as if legitimate customers are attacking each other, causing reputational damage.

You have described two types of threats: those from entities with criminal or malicious intent, and unintentional threats, typically from staff. How do they weigh up against each other?

Charles Fox: Malicious threats tend to have a bigger profile, however I would like to draw attention to the fact that the unintentional insider threat is usually much bigger than the malicious insider threat! Note that the insider threat isn’t limited to your own staff; mistakes can also be made by personnel at your cloud service provider or other ICT suppliers.

Responsibility: what to expect from whom

So how do we protect ourselves against these threats and what can I expect from my cloud service provider in that regard?

Charles Fox: When choosing a cloud service provider, make sure that your provider has a strong record of operational best practices and is compliant with international standards such as ISO 27001. At every level of their operations a cloud service provider should comply with best practice. This includes the vetting of personnel, the controls over subcontractors and suppliers, the physical security measures at data centres, identity and access management, and security governance. This latter point also covers potential conflicts of interest, for example that no person should be responsible for both inputting and auditing data.

Ultimately, however, you remain responsible for your own data. That is probably the most important message I can impart here. You as the customer are the owner and controller of your data, and hence you are responsible for that data and will need to make sure that you are complying with the regulatory regimes. If your data is moved from one location to another and that happens to break a Data Protection law, then you are liable. Therefore it is your responsibility to have in place a robust security governance system, a system that not only covers your own security measures but also the SLAs with your cloud service provider. Do not simply rely on default contracts because these often do not go far enough in covering all the security and compliance risks.

Most companies’ Business Continuity plans were designed to cover their classic on-premises infrastructure, but as they move to a cloud model, they often neglect to extend the scope of their Business Continuity plans to include those third-party providers. They assume that the cloud service provider will take responsibility for backing up data and other such issues, but that is not always the case. Providers do have a clear responsibility at the level of physical infrastructure and the network, but at the level of server configuration and especially at the data level it is the customer who is responsible. The most important tip I can provide is that you should engage your security team holistically across your overall cloud strategy and make sure that you understand where your data is and who has access to it.

Make sure that you retain control over your data, since ultimately you will have to deal with the consequences of losing your data.

Download our cloud security checklist:
“Making the Cloud Secure: BT’s Cloud Security Guide”
