The Security Risks of Cloud Services

The Cloud

It’s been a while since we looked at the security benefits so it’s time to move on to the security risks of cloud services.

Of course we need to understand that all businesses have a risk appetite which is generally compensated by business opportunity or perhaps wanting to move the risks to a more secure environment. I suggest that any company wishing to use a Cloud Provider for their sensitive or confidential data perform a risk assessment prior to making that commitment and being sure to select a suitable Cloud Provider; I am here to help you with this!

Loss of Control

By using a cloud provider you are losing your security governance which may affect the security or the credibility of your business.

If your company has invested heavily in security related certifications e.g. ISO27001 or PCI DSS then the scope of your information management system (ISMS) will have changed and it might be expected that the cloud provider must provide similar security controls. Service Level Agreements (SLAs) could be put in place but it is difficult for a Cloud Provider to be “all things to all people” whereby the cloud provider will find it difficult or impossible to make commitments to all their clients through SLAs.

The cloud provider may use outsourced services from third party suppliers who are unknown to you which could be a competitor or demographically located outside your preferred supplier areas of operation.

Data Portability. Vendor Lock-in

Cloud Providers need to provide the tools to port data freely to other Cloud Providers and in-house systems. There are presently no standards for data file structures and this can make it extremely difficult for a customer to change providers; of course this suits the Cloud Provider by locking-in customers which may seriously affect the availability of your information.

(Wikipedia) About vendor lock-in

Certification

Perhaps your company is aiming to achieve ISO27001 or Cyber Essentials certification and some security controls belong with the cloud provider, in this case the cloud provider will need to offer evidence of their compliance to the controls. This could become an issue when the cloud provider is unwilling to permit a customer audit or cannot provide any evidence of their compliance.

Remote Access

When access to cloud providers is from a web browser connected to the internet this in itself is a risk, whereby anyone on the internet can try to breach your account with your password and username.
These is a serious risk when using the public cloud providers to support critical or sensitive data and under these cases a private cloud provider may be preferred.

Data Protection

As a cloud customer you may find it difficult to effectively check data handling procedures and processes to ensure the data is managed in a lawful manner and it is not contravening the data protection act. The cloud provider would need to show their data handling practices including evidence of where the customer’s data is stored, transported and replicated.

Shared Resources

Multi-tenancy with shared resources are fundamental attributes of the cloud which may lead to attackers trying to breach the cloud’s hypervisor.

(wikipedia) About Hypervisor

Although this is quite difficult to achieve, if the hypervisor is breached the attacker could get access to confidential and sensitive data from multiple cloud clients using guest-hopping attack practices gaining easy access to many clients’ data.

Shared resources also present an issue with the security or incompleteness of data deletion where multiple customer’s data resides on the same hardware.

Malicious Insiders

Although at this time this is a minimal risk, as cloud services grow the risk of malicious acts caused by employees will also grow.

Cloud provider employees are also likely to become unintentional targets of criminal elements particularly where the provider specializes in high-reward sectors for the criminal such as finance and healthcare.

Next time we’ll look at how questions which can be asked of a cloud provider to help mitigate the risks identified in this blog.