What are the security risks of cloud computing?

cloud security risks

Why do we need cloud storage?

There was a time when sharing information between computers required people to exchange floppy diskettes.  With the onset of the networking era and the Internet coming into its own, emails with attachments became prevalent (one could argue they still are).  Then, the email clutter becoming a bit much to handle, and the fact that mail servers couldn’t handle very large files as attachments, people started turning to USB drives (just bigger floppy disks in a way).  This went on for several years until cloud storage came along and completely changed the way people share files.  Dropbox and Google deserve much of the credit for completely changing the file synchronization and sharing paradigm in such a fundamental way, that now several players (Microsoft and Apple included) are in the race to dominate the cloud storage domain.

What are the security risks of cloud computing?

While cloud storage has certainly revolutionized the way people store and share data – all is not as well as it might seem. The problem is a little thing called Privacy.

Most of the companies that provide customers online storage in the cloud have privacy policies, but that doesn’t necessarily mean they’re guaranteeing your privacy.  In many cases, when you say “I agree” to a Privacy policy, you’re actually granting the company certain permissions and/or licenses to your data.  If you read through the legalese patiently, you’ll find out that in almost all cases, you’re giving away permissions to these companies and allowing access to your information to varying degrees.  With several cloud services, the cloud vendor gets a license to your information as soon as you upload it.  One leading cloud drive vendor’s terms of service state clearly that you’re giving them the “right to access, retain, use and disclose your account information and your files”.  Twitter has a more user-friendly policy that states that it will only disclose user information “in compliance with US law to valid legal process.  For example, requests for contents of communication require a US search warrant”.   But the fact remains that your data is still not private, even if only from the US government.

What amplifies this risk is how simply ubiquitous cloud-based storage has become.  Your employees probably routinely use file-sharing services to exchange sales and marketing data, not to mention strategic plans in the form of PowerPoint slides.  Most new services are now available exclusively in the cloud – be it source code control repositories, customer resource management tools, or HR management software.

This whole situation is set to get a whole lot worse shortly with the wave of IoT – or the Internet of Things.  IoT implies a world where a number of things that many of us don’t consider computers will have a chip in them and be connected to the internet.  While many think of IoT as being something that only affects individual consumers (who wear smartwatches and drive smart cars), the reality is that IoT will impact businesses just as much.  This could be in the form of energy meters in offices, parking meters in parking lots, or air conditioning units and refrigerators in factories.  So, all of these will soon be speeding along the internet superhighway whether we like it or not.  And the main thing these objects will be doing on the internet is – you guessed it – transmitting large volumes of data.  Many companies are devoting their time to solving the Big Data problem this is going to create and what kinds of analytics tools they should use to mine the wealth of information they suddenly get as a result, but few if any are worried about customer privacy.

While much of this information can be used to improve products and provide better services to customers, the reality is also that the information isn’t private anymore.

This is the conundrum that most users have to wrestle with when it comes to cloud storage.  How do you trade off the convenience with the compromise of privacy?  Sadly many users are unaware of the implications of saying “I agree” to the privacy policy – and the ones that do care have simply reconciled to the fact that they can’t store certain types of information on public cloud storage.  Hardly an optimal situation.

What can you do to overcome the security risks of cloud computing?

Fortunately, there are solutions that don’t need you to make these compromises.

1. Encryption

One approach is to encrypt the data that is kept on the cloud storage.  But, wait – surely companies like Google and Dropbox are encrypting the data their customers are entrusting to them?  Sure, they are – but they are using encryption keys which also allow them to decrypt the data should they want to.  It is locking your front door, but entrusting the keys to Dropbox or Google.  Would you feel as safe about that arrangement as you would if you had the keys with you?  Probably not.

An approach that works is to have a way to encrypt the data, with your encryption key, before it leaves your home or office on the way to the cloud.  And similarly decrypt the data as it comes back into your home or office and before it gets served up to you on your computer or tablet or smartphone.  Solutions such as this exist – but they’re inherently a bit clumsy because they are software-based solutions that require you to download a special client onto your computer which performs the encryption and decryption for you.  Apart from the fact that it is difficult to fit these solutions into the seamless workflow, you may be used to when using Dropbox or Google, there’s the question of how this will work if you’re working from a different computer; or accessing Dropbox’s portal directly.

2. Tokenization and Obfuscation

Another approach that is especially useful when you’re using a SaaS application is to have software that intelligently monitors the data traffic as it leaves and enters your data center. Using pattern recognition methods, the software can identify strings that may be confidential in nature or personally identifiable information (PII) and selectively obfuscate those. This is done in such a way that the SaaS application server in the cloud still believes it is dealing with valid data. When data is returned back into the data center from the SaaS servers the process is reversed for the benefit of end-users.

3. Private (or personal) Clouds

Yet another approach that is really simple is to simply not put your data out there in the public cloud. What if you are able to get all the benefits of a cloud storage solution including sync, share, etc. but with a private cloud? One that you can host inside your company’s data center, or even inside your home? Such an approach is indeed practical and such solutions do exist as well. With the increase in awareness around privacy and the pitfalls of letting personal data take its course in the hands of the public cloud vendors, we’re sure such solutions are going to gain currency and become more mainstream.

Conclusion

The public cloud comes with several cloud security risks. Fortunately, there are several technologies you can use to protect yourself. We’d be interested in hearing what you think. Would you choose, encryption? Or Tokenization? Or perhaps you feel secure simply using a private cloud that you have complete control over. Write to us – we’d love to hear from you.

For more details or if you wish to explore more, get in touch with our experts and ask for a callback.

Write to us at info@parablu.com to learn more.