16-04-2018 | | By Paul Whytock
Public cloud computing and storage services are rapidly becoming the norm and overtaking the alternative strategy where companies build their own private cloud.
But will this trend open more doors through which cyber criminals can infiltrate company networks?
This question follows news this week that hackers are launching more online attacks against British businesses than ever before. The warning comes from the National Cyber Security Centre and the National Crime Agency.
There is no doubt that public cloud services are a booming business to be in. Cisco's Global Cloud Index analysis indicates that by the time we enter the next decade over 70% of cloud computing services will be handled by public centres.
This of course is terrific news for the companies battling each other in the public cloud arena and suggests that corporate revenues are set to escalate.
Today there are several dominate players and these are Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform. The majority of industry analysts position AWS as leader of the pack, particularly when it comes to the revenues it creates. However, Azure is hot on its heels and Google is very comfortably lurking in third place.
But what does it all mean to the person in the street when it comes to the security of data held about them? The sheer size of a business does not bring with it cast-iron assurances that security will not be breached. Take the recent harvesting of Facebook where information about over 80 million users was obtained.
But when it comes to making sure public cloud services are secure and that data is protected there exists a dichotomy. Responsibility for ensuring watertight security does not as you may think entirely lie with the cloud service provider. Certainly they have a huge interest in making sure their network is very secure but interestingly some of the responsibility also lies with the cloud services customer or, in other words, the company that has chosen to use a public cloud rather than creating its own cloud service operation.
So what should these potential public cloud customer companies be looking out for? According to the Cloud Security Alliance (CSA) there are some key public cloud security issues that specifically relate to the way in which cloud computing operates through its fundamental concept of shared and available-on-demand facilities. So what are they? Prime among them of course are data breaches whereby a network has been deliberately targeted or where security systems have proved either inadequate or not sufficiently updated, or it could be through plain old human error by an employee.
One of the major security problems pointed out by the CSA is where illegal entry into a network is made by posing as legitimate users, operators, or developers that can read, modify, and delete data, issue control and management functions, spy on data in transit or release malicious software that appears to originate from a legitimate source.
Insecure interfaces are another key security area where Cloud operators provide software user interfaces or application programming interfaces that customers use to manage and interact with cloud services. It is imperative that these are capable of nullifying both accidental and malicious attempts to circumvent security.
Further network insecurities can be the result of account or service hijacking. This is not a new idea but cloud services add a new opportunity. If attackers gain access to a user’s credentials, they can eavesdrop on activities and transactions, manipulate data, return falsified information and, very importantly, redirect clients to illegitimate sites.
A particularly pernicious and difficult security infiltration to deal with are Advanced Persistent Threats (APTs). These worm their way into the network structure of the targeted company and then steal data. This can happen gradually over a long time and during that period the APT can very cleverly modify itself to deal with the security measures that where in place to defend against them.
These are just a few of the ways in which data can be breached by cyber criminals and potential customers of public clouds need to be aware of them.
Many companies thinking about using public cloud networks will be looking for expert help on what to look for and how to evaluate possible services. It may well be worth them visiting the National Cyber Security Centre website. This is part of Government Communications Headquarters (GCHQ) and can provide specific advice on cloud cybersecurity issues.
Continue reading more on cloud computing with: Will cloud congestion fade into the fog?