Cloud Computing Security Challenges and Considerations
To know cloud is to love cloud, but enterprises should also be mindful of the security issues that cloud computing can potentially pose.
Join the DZone community and get the full member experience.Join For Free
Cloud computing in its many forms, has proven to be a powerful, effective set of technologies which can provide even the smallest enterprise with significant benefits.
However, cloud computing does not come without its own challenges, including those that are security related. Below you will find an overview of the key security challenges faced by cloud computing adopters.
Lack of Visibility and Control
Relating to both public and hybrid cloud environments, the loss of overall service visibility and the associated lack of control can be a problem.
Whether you’re dealing with public or hybrid cloud environments, a loss of visibility in the cloud can mean a loss of control over several aspects of IT management and data security. Where legacy style in-house infrastructure was entirely under the control of the company, cloud services delivered by third-party providers don’t offer the same level of granularity with regards to administration and management.
When it comes to visualizing potential security vulnerabilities, this lack of visibility can lead to a business failing to identify potential risks. In some sectors, such as media, cloud adoption is as low as 17%, which has been blamed on this lack of visibility and control.
Data Breaches and Downtime
Despite the fact that generally speaking, enterprise-grade cloud services are more secure than legacy architecture, there is still a potential cost in the form of data breaches and downtime. With public and private cloud offerings, resolving these types of problems is in the hands of the third-party provider. Consequently, the business has very little control over how long critical business systems may be offline, as well as how well the breach is managed.
In the 12th annual Cost of Data Breach Study, sponsored by IBM, it was found that the global cost of data breaches amounted to $3.62 million, so we can see how this particular issue is a major one with regard to cloud adoption.
For companies that come to rely heavily on public and hybrid cloud platforms, there is a danger that they become forced to continue with a specific third-party vendor simply to retain operational capacity. If critical business applications are locked into a single vendor, it can be very difficult to make tactical decisions such as moving to a new vendor. In effect, the vendor is being provided with the leverage it needs to force the customer into an unfavourable contract.
Logicworks recently performed a survey that found showed that some 78% of IT decision makers blame the fear of vendor lock-in as a primary reason for their organization failing to gain maximum value from cloud computing.
In sectors such as healthcare and finance, where legislative requirements with regard to storage of private data are heavy, achieving full compliance whilst using public or private cloud offerings can be more complex.
Many enterprises attempt to gain compliance by using a cloud vendor that is deemed fully compliant. Indeed, data shows that some 51% of firms in the USA rely on nothing more than a statement of compliance from their cloud vendor as confirmation that all legislative requirements have been met.
But what happens when at a later stage, it is found that the vendor is not actually fully compliant? The client company could find itself facing non-compliance, with very little control over how the problem can be resolved.
A Lack of Transparency
When a business buys in third-party cloud services as either a public or hybrid cloud offering, it is likely they will not be provided with a full service description, detailing exactly how the platform works, and the security processes the vendor operates.
This lack of service transparency makes it hard for customers to intelligently evaluate whether their data is being stored and processed securely at all times. Surveys have shown that around 75% of IT managers are only marginally confident that company data is being stored securely by their cloud vendor.
Insecure Interfaces and APIs
Cloud vendors provide their customers with a range of Application Programming Interfaces (APIs), which the customer uses to manage the cloud service.
Unfortunately, not every API is entirely secure. They may have been deemed to be initially, and then at a later stage be found to be insecure in some way. This problem is compounded when the client company has built its own application layer on top of these APIs. The security vulnerability will then exist in the customer’s own application. This could be an internal application, or even a public facing application potentially exposing private data.
Insufficient Due Diligence
For companies that lack the internal resources to fully evaluate the implications of cloud adoption, then the risk of deploying a platform that is ineffective and even insecure is real.
Responsibility for specific issues of data security needs to be fully defined before any deployment. Failing to do so could lead to a situation where there is no clearly defined way to deal with potential risks and solve current security vulnerabilities.
Shared Technology Vulnerabilities
Using public or hybrid cloud offerings can expose a business to security vulnerabilities caused by other users of the same cloud infrastructure.
The onus is upon the cloud vendor to see that this does not happen, yet no vendor is perfect. It is always possible that a security vulnerability caused by another user in the same cloud will affect every user.
Other Potential Threats
Alongside the potential security vulnerabilities relating directly to the cloud service, there are also a number of external threats which could cause an issue. Some of these are:
- Man in the Middle attacks – where a third party manages to become a relay of data between a source and a destination. If this is achieved, the data being transmitted can be altered.
- Distributed Denial of Service – a DDoS attack attempts to knock a resource offline by flooding it with too much traffic.
- Account or Service Traffic Hijacking – a successful attack of this kind could provide an intruder with passwords or other access keys which allow them access to secure data.
There can be no doubt that cloud computing is a valuable technology for many businesses. However, as can be seen from this short article, simply buying in cloud services is not a sure-fire way to eliminate data security problems. The business still needs to take responsibility for monitoring its own data security footprint and have processes in place to deal with any vulnerabilities which are discovered. Furthermore, considerations such as vendor lock-in, service transparency, and visibility need to be fully evaluated before making a commitment to a specific cloud vendor.
Opinions expressed by DZone contributors are their own.