In today's IT environments, you would be hard pushed to not find some element of cloud usage. Whether that be email, storage or virtual machine hosting and computational power, this is no more evident than the 2018 growth statistics for Microsoft's Office 365; sitting at between 2 and 3 million new accounts added each month.
This relentless path to more cloud adoptions has many benefits, ranging from better cost models, lower in-house costs and less maintenance of physical equipment. The ability to share resources among multiple cloud customers is also undoubtedly good for the environment too.
But, it is not all cloud nine.
There are some serious security challenges to overcome in the cloud, here are our top 5...
1. Data Residency
It's probably not the first threat which comes to mind but given the changes in information security law in several different regions, over the past 2-3 years, data residency is now a question which is at the top of any cloud customers agenda.
Often, the question is: where is my data going to be processed/stored?
This most likely is in relation to the GDPR (General Data Protection Regulation), due to its strict requirements on ensuring that personal data remains in parts of the world where there is sufficient protection.
[Have you checked out "Making your MSP Offering GDPR Friendly - 4 Things to Consider"?]
There are some other things to consider too however. Such as, whether any cloud technical support engineers might have access to data stored in their platform and where they are located?
How backups are managed, stored and transported to long-term hosting solutions?
2. Lack of Control During Downtime
The worst case scenario for any IT manager with significantly importantly services in the cloud is having any downtime or an outage.
It is in these instances that there is a distinct feeling of a lack of control, in comparison to solutions hosted in-house. You will likely not know what the problem is, how long it will take to resolve and whether there has been some loss of data, as a result.
Most cloud providers have up-time promises which allow for some margin of error; often a couple of hours per year. Even the biggest of the cloud providers such as Microsoft have had instances of downtime as recently as this year.
[You might also be curious to read "4 Reasons why the Future is Cloud"]
The most important thing to be aware of is that these occasions are inevitable; and as a result it would be wise to have some kind of plan.
3. System Vulnerabilities
We all scan our in-house systems for vulnerabilities regularly, right?
Well, if you don't, you should, and you should also be asking your cloud hosting and service providers if they do too. Known system vulnerabilities are chinks in armour which are waiting to be exploited, and with cloud providers being a larger target to those wishing to exploit than your in-house network, you can bet that someone is testing those defenses regularly.
The good news is that many cloud providers have accreditation's which require some form of regular vulnerability scanning, whether that be SOC2, PCI-DSS or Cyber Essentials.
Yet nevertheless, ensure you ask your cloud hosting and service provider about their vulnerability scanning and patching programmes.
4. Cloud Service Hijacking
A data or network breach is one thing, but what about instances where an entire service can be hijacked?
There are countless examples today of this type of attack taking place, particularly in relation to cloud-based email and phishing attacks.
Today, the success of a phishing attack is largely determined by how genuine it can appear to be; and hackers know this. Being able to hijack an entire cloud-based email instance allows hackers not only access to email but also the capability to impersonate someone else by using their genuine email account.
It has become relatively common for an email service to be compromised by someone attempting to authorise large payments from the hijacked company/organisation into foreign bank accounts, from an email account with authority, such as a Head of Finance.
5. Larger Attack Target
With tens, hundreds and maybe even thousands of companies and organisations using a cloud-based service, the target of attack changes from the company or organisations in-house network, to that of a cloud host or service provider.
As a result, your data or service is at greater risk from both an outage or theft.
Cloud hosts and service providers tend to have stronger security than in-house networks; and better resiliency due to their combined spending power. However, it would be foolish to assume they are immune to becoming victim.
Make sure you question your cloud host or service provider on how they will lower the risks of using their solutions to an acceptable level.