SAN FRANCISCO – It’s not news that businesses are moving more and more of their data to the cloud. But even as cloud storage and computing have hit the mainstream, there are a lot of questions around the public cloud – ones that not everyone is asking.
For Mark Russinovich, technical fellow of Microsoft Corp.’s Windows Azure cloud platform group, the public cloud has helped businesses grow, but there are still many concerns for data security and privacy. He pulled together a list of 10 different concerns that security professionals should consider when putting their organizations’ data into the public cloud.
“We’ve coined a name for this – ‘cloud critical’ bugs,” said Russinovich, speaking from a session at the RSA conference in San Francisco on Thursday. “The cloud is at a much higher risk of exploitation, because there’s a lot of diverse data from businesses and industries.”
Here’s a roundup counting down 10 concerns he has with the public cloud.
1. Shared technology vulnerabilities
For Russinovich, one of the difficulties of the public cloud is that everyone using it has shared technology vulnerabilities. If a breach of the cloud were to happen, that would look bad for every cloud vendor.
“We’d be notifying people, cleaning up, and bringing things back online,” he said. “But to customers, it’d be a big public cloud fail.”
For one thing, there’s no firewall attached to the public cloud, and there’s a huge variety of data in the public cloud up for grabs, if hackers were to gain access to it.
Luckily, however, the public cloud is better at responding to threats, since most businesses recognize how risky it would be to fail to defend it. Businesses need to be aware they can’t wait for patches if they know about a vulnerability – instead, they need to automate software deployment, ensure they have strong detection tools for breaches, and be determined to preserve their customers’ trust.
9. Insufficient due diligence
There’s a lot of talk nowadays about shadow IT, where employees come up with their own IT solutions and bring them to work. One of the most popular of these is the cloud. Russinovich said he’d even like to coin a phrase for it – like the bring-your-own-device trend, or BYOD, he’d name it BYOIT – bring-your-own-IT.
What IT departments need to do is to help their organizations’ employees with implementing the cloud and ensure they’re complying with security best practices, he added.
8. Abuse of cloud services
While having a public cloud can be helpful, businesses run the risk of attackers taking it over and using it as a malware platform, or becoming botmasters taking advantage of trusted IP addresses.
The public cloud can also be used as storage for illegal content, like copyrighted content being stored through Pirate Bay, or inappropriate content like pornography, Russinovich added. And increasingly, security professionals might see people using the public cloud to mine Bitcoin.
7. Malicious insiders
When hiring employees who will be able to access data within the organization, there’s always the danger they may walk away with sensitive data, Russinovich said. He put up a picture of former National Security Agency contractor Edward Snowden on his presentation slide.
“It’s a real risk, better understood by third-party audits,” he said.
Ways to mitigate this risk include doing employee background checks, as well as security controls on what data each employee can access.
6. Denial of service (DOS)
Whether this happens through an attack – like a distributed denial of service (DDoS), or through an outage, customers don’t really care, Russinovich said. What they do care about is whether cloud providers are responsible.
For example, in August 2011, a lightning storm brought down the clouds for Amazon and Microsoft in Dublin, Ireland. While that was an equipment failure, neither Amazon and Microsoft should have let that happen, Russinovich said.
That’s why it’s important for cloud providers to mitigate the chance of DOS by ensuring non-public applications are isolated from the Internet, and by setting up location-specific clouds. That way, if one cloud goes down, another can take over, he added.
5. Insecure interfaces and application programming interfaces (APIs)
As the public cloud is still so new, a lot of APIs will crop up – and not all of them are particularly secure. Organizations need to ensure their APIs use strong cryptography, for example, Russinovich said.
4. Account hijacking and service traffic hijacking
It’s been said time and time again, but organizations need to ensure their employees’ accounts are using strong passwords.
While it’s not a problem unique to the public cloud, there’s a lot of data at stake, Russinovich said.
He added IT administrators need to turn off any unused endpoints, and that they need to ensure their employees are trained to avoid opening strange attachments or clicking on suspicious links.
3. Data loss
Whether this happens because someone accidentally deletes or modifies data so it can’t be accessed, or if an attacker steals it or uses ransomware to encrypt it until he or she is sent a sum of money, this is definitely a problem for the public cloud, Russinovich said.
And of course, there’s always the chance an organization could lose data through a natural disaster – for example, a flood or hurricane destroying its servers.
Russinovich says companies should mitigate this danger by setting up backups, as well as geo-redundant storage. There’s also the practice of deleted resource tombstoning – by ensuring it’s possible to recover deleted data by removing a tombstone, organizations can return data to their customers.
“This is something we’ve learned through painful lessons,” Russinovich said.
2. Data breaches
While this appears to be a very general heading, Russinovich said it’s an important one.
“Data is at the heart of the matter. The data is the company. If there’s no data, there’s no company,” he said. “It’s the most important asset, so there’s the highest risk of loss.”
For example, if an attacker gains access to data’s physical media – for example, a disc holding the data – that’s a problem. A fix might be to encrypt that data and to set up extensive physical controls, like a strict rule not to allow any employees to take data out of a data centre. Or, an organization might make a rule saying any discs that are no longer used should be crushed by a disc-destroying machine.
At Microsoft Azure, no data is allowed to leave the building, and the company also uses third-party certifications like FedRamp to ensure its employees are handling the data properly.
In giving his presentation at the RSA conference, Russinovich asked the audience whether they could hazard a guess to his final concern on the public cloud.
No one could, but he said as the public cloud grows more and more sophisticated, the data in that cloud may take over and we may stop focusing on what we need to do to secure it.
“This is new technology. We’re learning as we go,” he said.
The RSA conference continues until Friday.