SAN FRANCISCO – It’s not news that businesses are moving more of their data to the cloud. But even as cloud storage and computing have hit the mainstream, there are a lot of questions around the public cloud – ones that not everyone is asking.
For Mark Russinovich, technical fellow of Microsoft Corp.’s Windows Azure cloud platform group, the public cloud has helped businesses grow, but there are still many concerns for data security and privacy. He pulled together a list of 10 concerns that security professionals should consider when putting their organization’s data into a public cloud.
“We’ve coined a name for this – ‘cloud critical’ bugs,” said Russinovich, speaking from a session at the RSA conference in San Francisco on Thursday. “The cloud is at a much higher risk of exploitation, because there’s a lot of diverse data from businesses and industries.”
Here’s a roundup counting down 10 concerns he has with the public cloud.
10. Shared technology vulnerabilities
For Russinovich, one of the difficulties of the public cloud is that everyone using it has shared technology vulnerabilities. If a breach of the cloud happens it would look bad for every cloud vendor.
“We’d be notifying people, cleaning up, and bringing things back online,” he said. “But to customers, it’d be a big public cloud fail.”
For one thing, there’s no firewall attached to the public cloud, and there’s a huge variety of data in the public cloud up for grabs if hackers gain access to it.
Luckily, however, the public cloud is better at responding to threats, since most providers recognize how risky it would be to fail to defend it. Providers can’t wait for patches if they know about a vulnerability – instead, they need to automate software deployment, ensure they have strong detection tools for breaches, and are able to preserve their customers’ trust.
9. Insufficient due diligence
There’s a lot of talk nowadays about shadow IT, where employees come up with their own IT solutions and bring them to work. One of the most popular of these is the cloud. Russinovich said he’d even like to coin a phrase for it – he’d name it BYOIT – bring-your-own-IT.
IT departments need to ensure staff are complying with security best practices, he added.
8. Abuse of cloud services
While having a public cloud can be helpful, businesses run the risk of attackers taking it over and using it as a malware platform, or becoming botmasters taking advantage of trusted IP addresses.
The public cloud can also be used as storage for illegal content, like copyrighted content being stored through Pirate Bay, or inappropriate content like pornography, Russinovich added. And increasingly, security professionals might see people using the public cloud to mine Bitcoin.
7. Malicious insiders
When hiring employees who will be able to access data within the organization, there’s always the danger they may walk away with sensitive data, Russinovich said. He put up a picture of former National Security Agency contractor Edward Snowden on his presentation slide.
“It’s a real risk, better understood by third-party audits,” he said.
Ways to mitigate this risk include doing employee background checks, as well as security controls on what data each employee can access.
6. Denial of service (DOS)
Whether this happens through an attack – like a distributed denial of service (DDoS), or through an outage, customers don’t really care, Russinovich said. What they do care about is whether cloud providers are responsible.
For example, in August 2011, a lightning storm brought down the clouds of Amazon and Microsoft in Ireland. While that was an equipment failure, both Amazon and Microsoft shouldn’t have let that happen, Russinovich said.
That’s why it’s important for cloud providers to mitigate the chance of DoS by ensuring non-public applications are isolated from the Internet, and by setting up location-specific clouds. That way, if one cloud goes down, another can take over.
5. Insecure interfaces and application programming interfaces (APIs)
As the public cloud is still so new, a lot of APIs will crop up – and not all of them are particularly secure. Organizations need to ensure their APIs use strong cryptography, for example, Russinovich said.
4. Account hijacking and service traffic hijacking
It’s been said often, but organizations need to ensure their employees’ accounts are using strong passwords. While it’s not a problem unique to the public cloud, there’s a lot of data at stake, Russinovich said. IT administrators need to turn off any unused endpoints and should ensure their employees are trained to avoid opening strange attachments or clicking on suspicious links.
3. Data loss
A serious problem whether it happens because someone accidentally deletes or modifies data, or an attacker steals it or uses ransomware until paid.
Russinovich says companies should mitigate this danger through backups, as well as geo-redundant storage. There’s also the practice of deleted resource tombstoning – by ensuring it’s possible to recover deleted data by removing a tombstone, organizations can return data to their customers.
2. Data breaches
While this appears to be a very general heading, Russinovich said it’s an important one.
“Data is at the heart of the matter. The data is the company. If there’s no data, there’s no company,” he said. “It’s the most important asset, so there’s the highest risk of loss.”
So to defeat loss of physical media encrypt data and set up extensive physical controls, like a strict rule forbidding employees from taking anything out of a data centre. Or, an organization might make a rule that discs no longer being used should have to be destroyed.
At Microsoft Azure, no data is allowed to leave the building, and the company also uses third-party certifications like FedRamp to ensure its employees are handling data properly.
In giving his presentation at the RSA conference, Russinovich asked the audience whether they could hazard a guess to his final concern on the public cloud.
No one could, but he said as the public cloud grows more sophisticated people may stop focusing on what’s needed to secure it.
“This is new technology. We’re learning as we go,” he said.
The RSA conference ends Friday.