Don’t Trust The Cloud To Secure Your Storage
SMBs may be putting their storage in the cloud with their fingers cross. Lisa Vaas says, at least encrypt your data first!
In cloud storage land, it’s all roses, sunny skies and rock-solid security with fewer employees frittering away less time on securing data—that is, if you trust vendor-funded studies.
For example, Microsoft released a study this week that shows that 35 percent of small and midsize businesses have experienced higher levels of security in the cloud. (Whatever that means; I requested the full study to seek more granular detail, but neither Microsoft nor study preparer comScore had answered by the time this was published.)
Security management time for these lucky organisations is also reduced by 18 hours a week, according to comScore’s report summary. However, does that mean per information security professional or per company? This isn’t explained.
Do security failures move to the cloud?
But how does that compare to noncloud SMBs? The surveyed SMBs told comScore that they spent an average of 19 hours per week managing IT security, compared with noncloud SMBs, which on average spent 25 hours.
So that means that before they move storage into the cloud these SMBs spent a whopping 37 hours per week (19 plus the reported savings of 18 hours = 37 hours total) managing security, compared with the 25 hours that noncloud SMBs spend.
Does that mean that cloud users are in the habit of spending so much more time managing security than their noncloud peers? Does it mean they’re more frequently victimized by cyber-threats? Does it mean they’re somehow not doing security right?
These results might point to a large number of SMBs turning to cloud because they’re simply overwhelmed by the task of security management—small wonder, given the amount of time it’s sucking up for them.
This hypothesis is backed up by the fact that 41 percent of the surveyed cloud users felt that their cloud service provider was “entirely responsible for information security,” according to the report summary.
SMBs don’t have time for security
The numbers paint an image of overburdened SMBs, desperate to offload their entire security burden to somebody else. Fortunately, a larger number, 57 percent, felt they shared responsibility with their cloud provider.
And that’s exactly where organisations’ heads should be when it comes to cloud storage security, because you just can’t wipe your hands clean of certain elements of cloud security. As the report notes, organizations that turn to cloud still need to retain, for example, responsibility for client security.
It’s in cloud service providers’ interest, of course, to spin the data to show that security worries about embracing cloud storage are easing. Left out of the service providers’ rosy picture, of course, are situations such as the MegaUpload debacle, in which millions of users who stored data on the file-sharing service faced losing their documents forever when the law shut the site down for copyright infringement.
Interestingly enough, when Sophos polled conference attendees about cloud storage riskiness at Infosec Europe in April, 64 percent of the respondents said they thought that cloud storage is risky, but 45 percent said they still went right ahead and used it.
In general, people who attend security conferences are more attuned to security risk than those who do not, so I’d trust their perceptions over those reported in a cloud service vendor-funded study. But then again, security vendors make their money from security risk, so mix the results of surveys together, add a dollop of your own real-life experience and see what floats to the top, credibility-wise.
One of the biggest takeaways from the Sophos survey was that employees use cloud even when its security proposition is iffy and even when they don’t have their bosses’ permission. It’s just too easy to exchange and share and store files in the cloud; you can’t expect people to pass it up.
Chris Pace, a product specialist at Sophos, said you’ve just got to assume that users will take advantage of cloud services and prepare for the technology’s inherent security vulnerabilities. Otherwise, ungoverned employee use could lead to data compromise.
Encrypt your cloud data
His thoughts are that one of the most essential components in organisations’ responsibility for securing data that goes to the cloud is file encryption that’s done before the data leaves their grasp. The user gets a password to decrypt and the business keeps the keys. “It’s their data, after all,” he says.
Whether businesses are using cloud services without official sanction, thanks to employees, or whether they’re using cloud because they (wrongly) think cloud will solve all their security problems, all organisations should be aware that all cloud services are not created equal.
Symform, provider of cloud network services, offers a few security issues to consider when choosing a service provider:
- Some clouds encrypt your data while it’s in the cloud, but leave it in the clear while it’s being transported.
- Others, though they encrypt the data before storing it, transport the data to their data center via a single Internet connection, creating a single point of attack and potential failure.
- Cloud providers have distinctly different ways of generating, storing and managing encryption keys.
Pace recommends these other, simple precautions:
- Web-based policies using URL filtering;
- application controls that can be applied to cloud products; and
- data encryption that provides a layer of security across the board.
To which I would add one more bullet point:
- Keep backup copies of data uploaded to the cloud, lest you get MegaUploaded.
Does your cloud knowledge inspire confidence? Try our quiz