More and more confidential information is moving towards the cloud, and if Cisco’s projection is correct, we can expect, if not already, vast volumes of information processed and stored by business to be typically cloud based. This data moving trend is the most radical change in information security since the dawn of the commercial Internet, and presents a major shift of the security perimeter.
Blindly trusting cloud service providers to deliver a level of security which is in tune with the business risk appetite, and the information security policy is foolhardy. Every security professional knows it is ‘Security 101’ to never to assume, yet security can be left on the sidelines by business leaders, as they are led starry eyed by tech giants like Microsoft and Google, into trusting the security of cloud services. Security assumptions enforced by tours of spotless multi-million pound data centres, which disguise most of the risks posed in the modern digital age.
One risk often brushed under the carpet, is the fact that any United States cloud service provider, is subject to the United States Patriot Act and the Foreign Intelligence Surveillance Act (FISA). These laws allow US government agencies and law enforcement to covertly and secretly acquire UK business data, even when the service provider’s data centre is located within European Union, or even on UK soil. This potential third party intrusion can be highly significant with some businesses in the UK, especially those with central government and MOD as clients. UK defence contractor BAE Systems, was forced to pull the plug on moving to the Microsoft's Office 365 cloud solution, after data sovereignty could not be guaranteed.
Cloud service providers are third parties, and as such should be treated to the same rigour of risk assessment and due diligence, as with any other third party the business permits connectivity with, or shares information. But such processes are often shirked in the mad cloud rush, missing the opportunity to fully appreciate risk, and where necessary apply risk treatment. There is no reason why the security of cloud services cannot be scrutinised by customers, and where necessary security improved. For instance encrypting data client side is a simple method to assure information confidentiality, preventing the cloud service provider staff, US agencies, and in the event of a security breach at the cloud service provider, malicious actors from accessing and acquiring the business’s confidential information.
Another aspect often overlooked with cloud services is availability; a typical and incorrect business assumption is that cloud services are not prone to outages. Yet there have been frequent outages with cloud services, even the world’s largest cloud service provider, Amazon Web Services (AWS), has had frequent availability issues. For example, last August an AWS outage took down social networking applications including Instagram and Vine. Going hand-in-hand with the service availability stakes, is the increased importance of onsite internet connectivity resilience, which is increasingly becoming ever more essential. Given cloud services are becoming more core to the business operations, business resilience in provision of access to such services must not be overlooked.
Information security practitioners have to accept cloud is here to stay, and rise to the new challenges this new information security frontier presents, standing alongside business executives, instead of being dragged along on their coattails in futile protest.
The post is brought to you by Cisco