Cloud services are an integral part of modern business, with as many as 94% of organisations using them for at least some part of their operations.
The reliance on Cloud services will soar in the coming weeks and months, as employees work from home where possible in the fight against the 2019 novel coronavirus pandemic. Separated from the office and local hard drives, employees will be able to use the technology to access and share documents in real time from a remote server, ensuring that business as unusual continues.
However, as is almost always the case, the benefits of convenience are accompanied by security risks. Let’s take a look at what you need to know about staying safe while using Cloud services.
The Cloud is not immune from data breaches
Some people mistakenly believe that storing information in the Cloud eradicates the risk of data breaches. There’s a kernel of truth in that, inasmuch as the way organisations approach cyber security will change when they use Cloud services.
That said, information in the Cloud is still stored in a physical location – a third-party server as opposed to your own – and if it’s accessible to you, then it’s accessible to criminal hackers. The only difference is that you now share the responsibility for its security with the Cloud service provider.
This generally means that the third party will take responsibility for the physical security of its servers and their general upkeep, while organisations must protect the way information is accessed on their end.
Despite sharing responsibility for security, organisations still routinely fail to implement controls to keep their data secure. Indeed, a Gartner study found that 95% of Cloud breaches are the result of misconfigurations.
The most common of these errors is employees uploading a database to the Cloud but failing to establish password protections. That means that anyone who gains access to the location of the database has free access to it.
It’s a frustrating error, because the mistake is easily avoidable and can be exploited with almost no criminal hacking expertise. Unfortunately, the root cause speaks to a larger concern within the organisation.
That is to say, these breaches aren’t simply a series of cases where employees overlook part of the process. Rather, they are evidence of a systematic failure to provide staff awareness training and to create information security policies.
Other risks of Cloud computing
Human error isn’t the only thing you need to be concerned about when using the Cloud. You should also be mindful of:
- Unreliable subcontractors
Subcontractors can make mistakes just as anyone can – particularly if they’re cutting corners to get the job done quickly.
Unfortunately, many organisations rely on subcontractors because they don’t have the expertise to establish a Cloud computing network themselves. If you find yourself in that position, make sure you use a reputable service provider.
- Public networks
Public Internet connections are, by their nature, more open and accessible than private ones. That makes them easier to use but also increases the risk of data breaches. Organisations must therefore decide whether the risks of using a public network outweigh the benefits.
- Deleting data when necessary
Organisations can easily lose track of how much data they store in the Cloud and how it flows through each part of the business.
This means you could end up with large volumes of data sitting in folders unnecessarily. That will cause GDPR (General Data Protection Regulation) headaches, as you’re only permitted to hold on to personal data if you have a lawful basis to do so, but it will also exacerbate the risk of data breaches.
Cloud computing and the GDPR
Data retention isn’t the only GDPR-related concern that organisations should have when using Cloud services.
Another huge issue is that, under the Regulation, it’s harder for data controllers (the organisations that dictate what information is processed) to pass the blame when a third party suffers a data breach.
Data controllers must give instructions on how service providers handle personal information.
Unless the third party has explicitly failed to meet one of the requirements, both organisations will be subject to disciplinary action should a data breach occur.
This is particularly important when it comes to Cloud services, because of the nature of the relationship between organisations and the risks involved.
Because information is stored online, it only takes one misconfigured database or phishing email for a breach to occur – and it won’t necessarily be clear where exactly the fault lies.
Secure your Cloud services
You can find out more about this topic by reading Securing Cloud Services: A pragmatic guide.
Written by security architect Lee Newcombe, this guide explains how Cloud computing works, the threats you must be aware of and how to develop a service model that protects you and your staff.