For the past five months, this column has examined the top threats in 2019, according to the 2019 Cyber Threatscape Report, including geopolitical actors, evolving cybercriminals, ransomware, supply chain threats, and supply chain vulnerabilities. This month, we are focusing on the final threat from the report, cloud vulnerabilities.
Before exploring the cloud vulnerabilities, let us recap the five threat areas. Accenture Security 2019 Cyber Threatscape Report examined the top five threats faced by businesses and organizations. The listed threats were:
1. Compromising geopolitics: new threats emerge from disinformation and technology evolution.
2. Cybercriminals adapt, hustle, diversify and are looking more like states.
3. Hybrid motives pose new dangers in ransomware defense and response.
4. Improved ecosystem hygiene is pushing threats to the supply chain, turning friends into frenemies.
5. Life meltdown: vulnerabilities in computer cloud infrastructure demand costly solutions.
For those asking the initial question, what is the cloud? The “cloud” typically refers to the internet. Could computing open the word to the broader internet computing? Companies who outsource things to the cloud are outsourcing to companies that utilize the distributed nature of the internet and geographically dispersed servers to provide services quickly and reliably while storing the data safely in a redundant manner.
With the number of services moving to the cloud, it is as vital as ever to understand the cloud. According to Forbes, more than 80 percent of workloads previously on the local enterprise network. Instead of hosting local accounting, email, or web servers on their local systems, organizations are moving them to the cloud.
Moving services to the cloud can improve reliability, speed, and redundancy of the services. However, when you move services to the cloud, you are also trusting the cloud service provider to store and back up your data as well as provide services for your company and customers securely.
While I am an advocate for moving services to the cloud, any business should consider the entire security picture before moving their services to the cloud. There are several risks and threats associated with cloud technologies.
One, by utilizing the cloud, you are storing your company’s data, and your customer’s data is being housed off of your company’s network and held by a third party. You are trusting that the third party company is taking the appropriate measures to protect your data. You agree to store your confidential data on a remote server(s) with perhaps 1000s of other small businesses.
For many small businesses, the cloud providers can store the data more securely than your small business. The cloud providers are probably more likely to keep your confidential data confidential than you are.
Cloud providers are a more significant target from hackers than a small business. Hackers are looking for a substantial return on investment, just like other, more reputable organizations. By targeting a cloud provider, a hacker could target 1000s of businesses at once.
Cloud service providers understand this threat and are likely taking steps to ensure that your data is being protected. Consider all of the threats that you're facing with your organization. Cloud providers face the same threats but are bigger targets.
When moving to the cloud, your organization is still responsible for your data. You will be responsible for maintaining compliance with any required regulations, like HIPAA relating to health information or FERPA for student records. It would be best if you asked questions. While there are dozens of items that you could ask about, the list below is a starting point.
1. Who will hold ownership of your data? Ensure that your company will retain ownership of the data that you host in the cloud.
2. Where will the data be housed? If you are required to maintain the data in the United States, then make sure it is in your service contract.
3. Who is allowed access to your data? Providers should have policies in place on who can and cannot access your data.
4. What insurance levels exist at the cloud provider, and what is the coverage for your data? Their insurance may include theft and damage coverage impacting your business as well, but it should not be assumed.
5. How is your data being protected? Perhaps, the most critical question to ask is what is the cloud provider doing to protect your data from the threats.
As an organization moves aspects of its operation to the cloud, these questions and their answers should be used to guide your company’s decision when moving to the cloud. As with any contract, it should be said to get the answers and requirements in the contract, along with contractual impacts for missing the service levels listed.
As this concludes the series on the top five threats of 2019, there are a few overarching things to consider. Cyber threats are real and evolving. The threats are only going to grow. That doesn’t mean you should refrain from utilizing technology. It can be a positive impact on your business. It does mean that you should protect yourself and conduct your business securely.
Michael Ramage is the director of the Center for Computer and Information Technology at Murray State University. The center researches various areas of computer and information technology as well as serving as a liaison between the academic and private sectors to increase the technology workforce. Reach him at firstname.lastname@example.org or 270-809-3987 for questions or more information.