There is no doubt that moving to the cloud can be of great benefit to a business, giving it the ability to scale up and deliver new services quickly. However, it also introduces a different set of risks that need to be properly understood.
The use of different devices to access cloud services, as well as the introduction of an external control, brings with it greater requirements around security. Using cloud services therefore has to be done in an environment that is safe for the business and its users and is compliant with whatever industry regulations it operates under.
The providers of cloud services have made significant investments when it comes to security in recent years and will continue to do so as the importance of hosted services in our daily lives is fuelled by the exponential growth in the data that we create. However there is also a responsibility on the customers of those cloud service providers to bake security into their own business processes. As the Cloud Standards Customer Council stated in its 2017 report, “the cloud service customer still needs to take responsibility for its use of cloud services in order to maintain situational awareness, weigh alternatives, set priorities, and effect changes in security and privacy that are in the best interest of the organization.”
So how do you make sure that you have the right approach to cloud security, and that your IT team is confident about it, particularly if they are not ‘cloud native’?
The good news is that at iomart, security is integral to everything we do – from the data centre infrastructure we operate, to the cloud services we design and implement for our customers.
In this article, we will look at how to strike the right balance between the opportunities and the risks associated with using cloud services and the data security issues involved.
Cloud security is proving to be one of society’s big challenges as we produce more and more data and as more businesses move their data and applications off their own premises. While the cloud offers greater flexibility and efficiency in the delivery of services, it introduces a dual or shared responsibility, in the sense that both parties have to address their side of the security spectrum.
This shared responsibility model will determine the balance of responsibility for security and compliance between the two parties. Generally the responsibility for protecting the infrastructure that runs the cloud service (the hardware, software, networking and data centre facilities) will rest with the cloud provider. The customer’s responsibility will be determined by the sort of cloud service they decide to use. They might choose a service that makes them responsible for operating system management, firewalls and identity and access management for instance, or they might choose a service where they would rather that responsibility rested with the provider. Ultimately the security model for each individual cloud service is determined by the balance of control the customer wishes to retain in order to meet its legal and compliance obligations.
As many a news headline has shown, the cost of a data breach can run into millions of pounds for a large company. At iomart we understand that there is a fine line to be walked between getting maximum benefit from using the cloud and suffering reputational harm and financial loss by failing to adopt the right approach to security. That’s why we work with our customers to help them get their security strategies right.
Let’s take a more detailed look at the risks that exist.
What are the cloud computing security risks?
The proliferation of cloud services being used by organisations means that it can be hard to understand where data is being exposed to risk. Storing data without encryption and lack of multi-factor authentication for access can lead to loss of intellectual property, loss of management control, exposure to malware, compliance violations, contractual breaches with customers and partners and ultimately loss of customer trust and loss of revenue. By understanding the cloud services being used and the data being uploaded to them, the right security policies can be put in place.
Is cloud computing secure?
Cloud providers have made significant investments in the security of the infrastructure they provide as their services have matured. The ever-increasing complexity of the toolsets required to secure the cloud has brought with it the introduction of enterprise-grade controls and the adoption of industry-wide security certifications, as well as a focus on clarifying the shared responsibility model with their customers.
So what about the data in the cloud services you are using? Let’s take a closer look at the need to secure that data effectively and in a compliant manner.
As we’ve noted, the nature of a connected society inevitably means cyber criminals will continue to evolve their attack strategies. The rise of AI and machine learning will offer them new opportunities to disrupt access to and steal data. With business systems handling more data than ever before it is important to be as vigilant as possible in the way it is handled and protected.
What is data security?
Data security is the protection of data from unauthorised modification, destruction, or loss. Data can be compromised by accident, or deliberately. Data security in the cloud is achieved by using encryption, access controls and management practices to protect data across all applications and platforms.
Where is cloud data stored?
Data in the cloud is stored on physical servers located in a data centre that is managed by a cloud service provider. The data is remotely maintained, managed and backed up and can be accessed from any device and location that is authorised. Larger cloud service providers will replicate the data across multiple locations and use encryption to add extra security.
When it comes to personal data specifically, the introduction of the EU General Data Protection Regulation (GDPR) in May 2018 means that businesses in the United Kingdom are subject to new controls. It will therefore be even more important to know exactly where your data is being stored.
What does GDPR mean?
The GDPR requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. It is coming into force in the U.K. no matter what the outcome of the Brexit negotiations.
The requirements of the GDPR are demanding for all parties – both on the business side and for cloud service providers – particularly because failure to comply could have severe consequences, with fines of up to 4% of annual global revenue or €20 million, whichever is the greater.
What are the GDPR requirements?
If you are responsible for EU citizen data and use a cloud provider you will need to know that this data is stored in U.K. data centres. You will have to know who has access to it, and what the procedure is if there is a data breach. Your cloud provider will also need to make it clear what their processes are if you want to stop using their services. These are questions any reputable cloud provider should be able to answer. Happily at iomart we have been preparing for the GDPR for a long time and can tell you exactly which of our data centres your data is in and what measures we take to protect it.
With the onset of the GDPR it is important that you don’t make data security an afterthought. Due diligence needs to be done internally in your organisation and with your cloud provider.
Aside from complying with the GDPR, there are other ways to ensure that you and your cloud service provider are meeting your security obligations.
This is through the growing number of certifications that have been developed for the cloud industry.
What are the cloud security certifications?
There are a number of international industry standards and codes of practice that have been introduced in recent years to help reassure the users of cloud services. These can be used as guidance when selecting a cloud service provider. If you know that your provider has a high level approach to the management of governance, risk and compliance in their own operations then you can be confident that they have the same attitude to the cloud services they provide and the way they deal with your data.
iomart is proud to be the most accredited cloud service provider in the United Kingdom. Currently we hold eleven ISO accreditations and industry certifications, for which we are regularly and independently assessed. These include: ISO 9001 (Quality Management), ISO 27001 (Information Security Management), ISO 20000 (IT Service Management), and ISO 22301 (Business Continuity Management).
iomart was also one of the first UK cloud service providers to adopt the new international code of practice on cloud privacy ISO/IEC 27018, which was created to establish a uniform worldwide approach to protecting personal data in the public cloud. Robust risk management is embedded into our cloud management and cloud security systems.
By investing time and money to meet the growing array of international cloud and data management standards iomart can offer secure cloud services to organisations operating in many different regulatory environments and across both the public and private sector.
So, having weighed up the risks and the security measures that can be taken, let’s look at the threats that are out there.
Cyber-attacks have been listed by the World Economic Forum as among the most likely disaster events to take place in 2018.
The National Cyber Security Centre blocked 54 million cyber-attacks last year and its chief executive Ciaran Martin has already warned that it’s a question of “when not if” a big cyber-attack will hit the U.K.
What are cyber-attacks?
A cyber-attack is an attempt to steal data by exploiting a computer system, network or internet-enabled device. It can take many forms and can be conducted by individuals, organisations, businesses and nation states. Unfortunately cyber-attacks are becoming a fact of life in the technology age because information – financial, health, government data etc. – has significant commercial and political value. A cyber-attack can be launched via an email that looks authentic and urges the user to click on a link or download a file, or when a user visits an infected website. Even if the criminals don’t get their hands on actual data, they can hold the user to ransom by demanding payment (usually in cryptocurrency) for restoring the user’s access to it.
What are the types of cyber-attacks?
Criminals and hackers are constantly evolving the methods they use. Here are some of the most common forms of cyber-attack.
Malware: malicious software is installed on a computer. It can take control of your machine and monitor what you’re doing while extracting your data, or encrypt your data and demand money to restore it. One well-known form of this is ransomware, which the NHS is all too familiar with from the WannaCry attacks in 2017.
Phishing: users are invited to open what looks like a genuine attachment or link, which then directs them to a fake website where their details are stolen.
SQL injection: this targets the Structured Query Language (SQL) used to manage databases, using malicious input to get the server to share data such as Personally Identifiable Information.
Drive-by: the user’s computer is compromised through their internet browser, with malware installed when they visit a compromised website.
Man-in-the-Middle: an internet session is hijacked by someone pretending to be the person or website you are communicating with so they can steal information.
Distributed Denial of Service (DDoS): a computer system is overwhelmed by a flood of incoming traffic from IP addresses around the world at the same time, to the point where it slows down or stops working completely.
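The SQL injection item above describes the mechanism in one sentence. The following Python script is an added example, not part of the original article and not iomart’s own code, that shows it concretely against a constructed in-memory SQLite table: a query built by pasting user input into the SQL text leaks every customer record when given a tampered value, while the same query written with a bound parameter treats that value as a plain string and returns nothing. The table, rows and function names are all assumptions made for the illustration.

```python
"""Added example: SQL injection via string-built queries, and the parameterised fix.

Uses an in-memory SQLite database populated with constructed sample data,
so it runs offline with only the Python standard library.
"""
import sqlite3

# Constructed sample data: a small customer table holding personal data.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "0141 000 0001"),
    ("bob", "bob@example.com", "0141 000 0002"),
    ("carol", "carol@example.com", "0141 000 0003"),
]


def build_db():
    """Create the hypothetical 'customers' table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's input becomes part of the SQL text itself."""
    sql = f"SELECT username, email, phone FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened: the input is bound as a parameter, so the database only ever
    compares it as a string value and never interprets it as SQL."""
    sql = "SELECT username, email, phone FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal and a tampered input; return row counts."""
    conn = build_db()
    normal = "alice"
    # Constructed malicious input of the kind the article describes: it closes the
    # quoted string and appends a condition that is always true, so in the
    # vulnerable query the WHERE clause matches every row in the table.
    tampered = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),      # 1 row
        "vulnerable_tampered": len(lookup_vulnerable(conn, tampered)),  # all 3 rows leak
        "hardened_normal": len(lookup_hardened(conn, normal)),          # 1 row
        "hardened_tampered": len(lookup_hardened(conn, tampered)),      # 0 rows
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The defensive point is that the fix is structural rather than a filter on “bad characters”: once the value travels as a bound parameter, the database cannot confuse it with query syntax, whatever it contains. The same pattern (prepared statements or an ORM that issues them) applies to any SQL database, not only SQLite.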
How can you prevent cyber-attacks?
By investing time and money in a formal cloud security strategy, you can help protect your business. This can range from regular patching of software, to consistently updating your guidance for accessing company data via devices both in and out of the office and educating all your staff about the threats that exist.
It’s important that your cloud provider understands the threats you potentially face and has invested in securing its own infrastructure through access controls, expert staff and industry accreditations.
Mobile device management; access controls; information sharing policy; data sovereignty; shadow IT – who’s using which cloud for what? All these issues need to be looked at when assessing your cloud security requirements. Continuing investment in strong perimeters, controlled access, monitoring systems and cyber security expertise means cloud providers can help you meet these requirements.
When looking at the wider picture, a multi-layered cloud security strategy, which also incorporates backup and disaster recovery (DR), is the ideal scenario. Backup and DR might seem an additional expense for an IT failure that might never happen, but as we’ve already seen, the threat is ever present. So, just as you would insure the physical parts of your business like your buildings or your office equipment, backup and DR is the insurance for your information, ensuring that your systems are kept online in all circumstances and your data is protected.
The chances are that your business will use a variety of cloud services to achieve its aims as it grows. Therefore understanding the balance of responsibilities with the providers you use has to be at the forefront of your security strategy.
Moving to the cloud is not just a chance to become more flexible and innovative as a business, it also provides an opportunity to enhance security. The providers of cloud services offer security capabilities that many organisations would struggle to implement themselves. To be able to use their services with full confidence it is essential to understand your own organisation’s attitude to risk and that responsibilities exist on both sides.
Businesses are often dependent on a number of partners and suppliers, and staff may be accessing company information from a variety of devices, from a range of different locations, and often on the go. Cloud security does not stop at the office front door.
If you are undertaking any technology transformation that challenges your existing security model, iomart has the knowledge and security partnerships to take you through all the implications and help you make the right choices. With decades’ worth of experience delivering secure managed platforms, we help you understand and address the security, governance and risk implications of any digital transformation whether it involves public, private or hybrid cloud.
By working with a reliable and accredited cloud provider who takes cloud security seriously, your business will be better protected.
iomart offers a wide range of secure cloud services to meet the needs of all sizes of business.