Cloud Providers need to provide the tools to port data freely to other Cloud Providers and in-house systems. There are presently no standards for data file structures, and this can make it extremely difficult for a customer to change providers; of course this suits the Cloud Provider by locking in customers, which may seriously affect the availability of your information.
(Wikipedia) About vendor lock-in
Perhaps your company is aiming to achieve ISO27001 or Cyber Essentials certification and some of the security controls belong with the cloud provider. In this case the cloud provider will need to offer evidence of their compliance with those controls. This becomes an issue when the cloud provider is unwilling to permit a customer audit or cannot provide any evidence of their compliance.
When access to cloud providers is from a web browser connected to the internet, this in itself is a risk: anyone on the internet can try to breach your account using your username and password.
This is a serious risk when using public cloud providers to support critical or sensitive data, and in these cases a private cloud provider may be preferred.
As a cloud customer you may find it difficult to effectively check data handling procedures and processes to ensure the data is managed in a lawful manner and is not contravening the Data Protection Act. The cloud provider would need to show their data handling practices, including evidence of where the customer’s data is stored, transported and replicated.
Multi-tenancy and shared resources are fundamental attributes of the cloud, and they may lead to attackers trying to breach the cloud’s hypervisor.
(wikipedia) About Hypervisor
Although this is quite difficult to achieve, if the hypervisor is breached the attacker could gain access to confidential and sensitive data from multiple cloud clients, using guest-hopping attack practices to move between tenants and reach many clients’ data.
Shared resources also present an issue with the security or incompleteness of data deletion, where multiple customers’ data resides on the same hardware.
Although at this time this is a minimal risk, as cloud services grow the risk of malicious acts by employees will also grow.
Cloud provider employees are also likely to become unintentional targets of criminal elements, particularly where the provider specializes in sectors that are high-reward for the criminal, such as finance and healthcare.
Next time we’ll look at questions which can be asked of a cloud provider to help mitigate the risks identified in this blog.