The big picture: why cloud systems need a security boost

The cloud is getting bigger and bigger, as a glance at the revenue figures for some of the biggest providers demonstrates vividly.

Last year, IBM achieved a $17 billion turnover in its cloud business, a jump of almost a quarter on the previous year, with the final quarter’s figures up by nearly one third.

Microsoft, another of the top three cloud providers (the other is Amazon), meanwhile won $18.6 billion worth of cloud business in 2017, helped by almost a doubling in sales by its Azure platform.

Cloud computing revenues worldwide have been forecast to jump from about $290 billion this year to around $380 billion in 2020, with annual growth averaging about one fifth.

So, it seems that companies are embracing the cloud with a vengeance, some perhaps encouraged by the better deals that have resulted from the highly competitive marketplace facing cloud vendors.

Yet for all the growth as companies look to strengthen ties with customers and make themselves more innovative, security remains a concern.

One report published earlier this year by the Cloud Security Alliance (CSA), Top Threats to Cloud Computing Plus: Industry Insights, highlighted a dozen threats.

Top of the list was data breaches which, reports have noted, can affect a number of types of information that should be kept private, ranging from the commercially to the personally sensitive. Application vulnerabilities, mistakes and lax security measures are among the factors sometimes blamed for data breaches.

While such breaches are often the first thing thought of when it comes to cloud security, they are just part of the picture.

Other concerns highlighted by the CSA include account hijackings, the consequences of the actions of malicious insiders, data loss and denial of service. There are numerous others.

But that does not mean that the cloud is riskier than the alternative of keeping data in-house.

“Can any computer be attacked? The answer is yes. It’s difficult to exclude that because we discover attacks every day,” said Professor Vladimiro Sassone, of the Electronics and Computer Science Department at the University of Southampton in the United Kingdom.

“In terms of security, [cloud-based systems] are as liable to attack as any other … [but] the big providers are getting very good at understanding the issues.

“It’s not because somebody is a cloud provider that their computers are more secure. It’s because they have large teams whose mortgages are paid by defending against attacks.”

As a result, Sassone is “reasonably … able to trust them” to keep abreast of cyber security challenges and to cope better than those who lack a similar level of resources and in-depth expertise. As he puts it light-heartedly, “Google is better at security than my dad is”.

“Either you keep your system off the internet and you will be reasonably guaranteed no one will access it, or you keep it on the internet,” he said.

“At that point you put your data on a public cloud or your private computer. The risk is the same, [but] as a small company you have fewer tools to cope with the problem than a larger provider.”

There is also likely to be a substantial cost penalty associated with trying to keep things in-house. It is, says Sassone, “so much more expensive” for medium-sized companies.

“In terms of efficiency and cost there’s no comparison,” he said.

So it is perhaps no surprise then that, as Andrew Martin, a professor of systems security at the University of Oxford’s Department of Computer Science, describes it, concerns over the cloud seem to have “settled down”.

“A lot of companies have come to rely on the contractual guarantees they get from the cloud companies as satisfactory for their purposes. It depends on the business sector but, in general, it’s happening,” he said.

A similar view is taken by Jay Heiser, research vice president at the IT and business consulting company Gartner, who says there has been “a significant increase in the amount of sensitive data that’s hosted in the public cloud”.

“That in itself is indicative of growing willingness to trust the public cloud,” he said.

According to Heiser, the focus should not be just on the cloud providers themselves when it comes to security. Companies using their services too have a responsibility to take more care.

“Most of [the security concerns] involve instances in which an organisation has chosen to share large amounts of sensitive data without strong authentication around it,” he said.

As an example, he cites Amazon Web Services where, with “a few more steps”, privileges can be limited, yet “the majority of organisations” have chosen to freely share data “without much concern over access controls”. Heiser does not mince words when he talks about the consequences of this.

“The greatest set of security exposures within the public cloud are these deliberately opened up data shares. It’s a self-inflicted wound,” he said.

“It’s by far the biggest vulnerability and it’s something organisations need to be cognisant of; don’t let people share files publicly.”

Given the rapid pace at which cloud computing has developed, it is perhaps no surprise that expertise in dealing with the security issues surrounding may be perceived to be lacking. Heiser notes that few security specialists grew up using the cloud.

“There are a core group of developers who have been using public cloud services for a number of years. They’re taking the lead within enterprises. The security people are struggling to keep up with them. I think that’s an issue,” he said.

“I think it should be self-evident that if you want to do something sensitive, you should understand how to do it, but it’s becoming an increasingly embarrassing problem that this desire to use it exceeds the capability to do it safely and effectively.”

These issues are likely to become more acute “as cloud computing morphs into computing”.

“It’s on its way to becoming the default. It could be two years or 10 years, but it’s working its way towards becoming the default mode, which is raising lots of practical questions,” said Heiser.

As well as putting strains on the cyber security experts in the private sector, the increasing complexity of the field is also causing issues for regulators, who can struggle to keep up with a fast-changing field that does not naturally operate within national borders.

No wonder then that there is plenty to keep university researchers such as Martin busy. Some of the current hot topics in cloud-based security concern supply chain management because, say, one cloud provider may be reselling its services to another.

“As we get more and more sophisticated cloud services, it becomes harder for the user or the corporate customer to know who’s providing the services,” said Martin.

“A file-sharing service doesn’t necessarily own the service that provides the storage for that file sharing. They might rent the services from another provider.

“As a user of the commercial service, we don’t really know if the provider in a safe way or encrypting or accessing to another provider that you don’t have a contract with, potentially in another country.”

There are many challenges ahead but, despite the concerns, organisations such as government departments are increasingly relying on the cloud. As Martin puts it, they often now “only keep the really sensitive stuff in house”.

The cloud, it seems, is going to keep on growing.

Previous ArticleNext Article

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


The free newsletter covering the top industry headlines