Not all of an organization's data is equally important to its business. Because of its business criticality, some data needs to be kept secure and private. The enormous computing power of the cloud lures every business to put its data in the cloud, but how do we know which data to put there, and what are the security risks of the cloud? This post highlights the top 10 cloud computing security risks and issues that an organization needs to consider before migrating its mission-critical data to the cloud.
What do you feel when you think about cloud security? Do you, at first, wonder whether your data is secure and whether its integrity and confidentiality are maintained? Data is the core of any business, yet we tend to avoid spending on data security until we observe major data security breaches. Therefore, when we talk about cloud security, we normally mean the security of our data.
Remember that cloud security depends primarily on the type of cloud service and the deployment model. The cloud service types are SaaS, PaaS and IaaS. The cloud deployment models are public, private, hybrid and community. Among them all, the private cloud creates the most secure environment for data.
- Lack of control over data: as soon as clients put data in the cloud, the service provider takes control of data storage and security. Clients have little control over how data is handled in the cloud. Since all the data is processed in the cloud, there is always a threat of data theft or unauthorized use of data. What if your marketing data is kept in the cloud and the service provider sells it to other marketing companies? Would you even know if your data were being stolen or used by your competitors? Besides, if you discontinue the service with the provider, there is a possibility that your data will still be stored in its cloud in multiple locations. How would you ensure that your data has been permanently deleted from all the data centers?
- Transborder: when data passes between cloud users and data centers, it may pass through countries that may access the data and read it unless the transmitted data is encrypted with a strong encryption technique.
- Data rights: since a cloud service provider may employ many vendors to handle data, or may even put data in another vendor's cloud, it is extremely difficult to know who has what types of rights to the data.
- Vendor lock: there is always a possibility that you cannot switch to another cloud provider if you do not like the service of your current provider. This happens because different cloud providers use different types of virtualization software, and file formats have yet to be standardized so that clients can switch smoothly to other cloud providers whenever they wish.
- Location of data and regulation: according to EU Council Directive 95/46, your data can be transferred outside of a European country only when the country you are migrating your data to provides adequate data protection.
- Data segregation: since your data will share the same physical location with other clients' data, you need to ensure that your data is properly segregated. Normally, most virtual machines can harden the security of virtual instances (where your data resides in a server that behaves like a standalone server). Although avoiding data co-location is a secure practice, it might increase your cost significantly.
- Data encryption mechanism: first you need to identify what kind of encryption mechanism to use to protect your data. Is it strong enough, and how are your encryption keys managed: who has control over them? The types of authentication and authorization used to protect data are also a major security concern for cloud clients. Make sure that your cloud provider has a mechanism in place that can credibly prove to you that no data breach or unauthorized access has taken place.
- Data transmission: before you start using a cloud facility, you need to somehow move your data to the cloud. How do you transfer your data from your office to the cloud? How does your cloud provider transfer your data when it sends multiple copies of your data to different data centers? Make sure that your data is encrypted with a strong encryption system while it is in transit.
- Data backup: how is your data backed up? Is it stored offline? If so, what are the procedures and policies for the data backup?
- Prevent data leaking: how do you know that your data is not leaking from your cloud service provider? Find out whether your service provider's data leak prevention program can prevent data leakage and what types of data leakage can be prevented (flash drive, FTP, email, applications etc.). A cloud provider may consider generating a data leak prevention audit report and showing it to its customers to gain their confidence. Besides, a cloud user needs to know the procedures used to grant privileged access to data.
Note: it is difficult to achieve security for an internal network. If that is so, then achieving security in a cloud, which is not located on your premises, is even harder. In a cloud environment, data does not reside on your premises, but that does not mean that you do not have to be concerned about data privacy, identity and access management, physical security, incident response etc. In fact, these issues are more complex in a cloud environment.
Among all the cloud security risks, cloud data privacy seems to concern cloud users the most, since a business always risks losing its reputation and trust because of data leakage. If an organization fails to protect its own data, how can its customers have confidence in it? Remember that IT also has an inherent threat of data leakage from internal employees. Going for a cloud solution will always expose your data to more risk. Therefore, before going for a cloud solution, always think about what types of data you are going to store and process in the cloud, how those data relate to the criticality of your business, and what level of risk you are willing to accept.