Reducing Your Risk: Cloud Computing

What is the cloud?

In the tech world, you may hear the phrase "the cloud" quite often. But what is the cloud? Cloud computing refers to a network of servers that act as storage or processing power and are accessed through the Internet, rather than as local resources. Use of cloud resources can be beneficial in a variety of ways. Not only does it allow users to access their data or software from wherever they are, but it can also be cost effective. Cloud computing may refer to several types of services, which are often seen with an 'aaS' extension (for 'as-a-service'). The 'as-a-service' industry has grown significantly in the last few years, expanding to include things such as RaaS (Robots-as-a-Service). However when talking about cloud computing, there are three primary cloud computing solutions: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS).

Infrastructure-as-a-Service is a form of cloud computing that offers virtualized computing resources over the Internet. Examples include Amazon Web Services (AWS), Microsoft Azure, and Google Compute Engine (GCE).
Platform-as-a-Service is a form of cloud computing that offers virtualized platform environments for efficient application development and deployment. Examples include Google App Engine and Apprenda.
Software-as-a-Service is a subscription-based model for licensing and delivering software. Usually the software applications will be accessed through a web browser. Salesforce.com, Microsoft Office 365, and Dropbox are all examples of Software-as-a-Service.

Cloud computing comes with both benefits and risks, so do your homework before moving to the cloud.

Why are some companies moving to the cloud?

Companies know that growth and development come with a cost. Cloud computing may be one solution to add resources or software capabilities at a cost-efficient price point. Not only can cloud computing be an efficient way to cut down on resource expenditures, the accessible nature of cloud hosting is ideal for businesses whose employees work from remote locations. As the cloud model dictates that the resources being purchased are hosted on the Internet, they can be accessed from anywhere in the world.

Pros and cons of using cloud solutions

With all the advantages of cloud solutions, there are also some potential disadvantages to hosting data on the Internet. Potential benefits include:

Cost-effective software solutions
Remote access to the software or data - anytime, anywhere
Quick and easy scalability - both up and down - as your needs change
Less overhead in terms of infrastructure cost and maintenance

There are also some risks to cloud hosting:

Access to data, software, and resources is dependent on the user's Internet connection and the reliability of the cloud provider. If the provider experiences an outage, users cannot access their data and services.
Cloud hosting may offer limited control over the functionality and customization of the services purchased. With local machines and locally-hosted software solutions, companies may utilize customization options that may not be available with a cloud-hosting solution.
Cloud computing leans towards a subscription/per-use pricing model. In some cases, this may be costlier over the long-term than the initial costs involved in setting up an alternative infrastructure.
Security and privacy are major cloud-computing concerns.

Questions to ask when vetting cloud service providers

Cloud storage can be a convenient, cost effective way to ensure that your company has access to the resources that it needs, from anywhere in the world. However when your information is located on another organization's servers, it's necessary to verify that you are not opening yourself up to a potential attack or data breach. When vetting third-party cloud providers, it is important to ask questions and consider multiple options.

Here are some questions to ask before purchasing a service from a cloud provider.

Before committing to a third-party provider, ensure that the provider is reputable and reliable. Consider whether the cloud-hosting solution was designed for business use. For example, Dropbox, a popular file-hosting service, offers free personal accounts, but the free accounts don't have the necessary controls that a business environment requires.
It's important to ensure that the transition from local storage to a cloud solution will not be cumbersome and painful. Does the provider allow for bulk transfers of data, or will everything need to be uploaded manually? Are there any data formats they don't support? Are there file size limits to be aware of? It is important to fully understand requirements or limitations on file transfers before making a purchase.
A precedent has been set by Google, Office 365, and Amazon Web Services that, yes, you do own your data when it's in their cloud. However, it is of paramount importance to ensure that there is explicit language in your contract with a cloud provider affirming that you will still own your data once it is located in the provider's cloud.
If you cancel your service for any reason, would you be able to easily transfer your data back onto your own systems? Would you be able to transfer it to another cloud-hosting service? How would this be accomplished? After you have canceled your service, how will they dispose of your data? Will it be wiped properly?
Before purchasing services from a cloud provider, you need to verify whether or not they can access or share your data with others. If the provider is able to access your data, inquire who, specifically, might have access. Is access limited to system administrators, or can any of their employees access your data? Do they mine your data and share with potential advertisers? Are employees under a non-disclosure agreement? Ensure your contract includes clear restrictions for the provider, regarding the sharing of your data with any other parties.
Who will be in charge of managing users and data? Do you want to have control, or would you prefer to have assistance from your cloud provider in order to free up time for other tasks? If there are tasks specific to your organization that require administrative access, will you be able to complete those as needed, or will you have to wait for service from a representative at your cloud provider?
When comparing costs, keep in mind both scalability and long-term solutions. Cloud services are often low-cost for short-term solutions, but since you are 'renting' rather than 'purchasing,' it may be more cost-efficient to implement other types of infrastructure.
Logging is imperative when it comes to the security and integrity of your data. Does the cloud provider support a feature that will allow you to accomplish the necessary logging required by your company's needs? If not, do they support the use of outside logging solutions?
Do you have other software that will need to integrate with your cloud solutions? Perhaps in the future, you will want to export data in a specific format in order to import into another system. It's worth looking into whether or not the cloud provider may already support sharing data with other software and systems.
While you are copying your data back and forth from your PC to the cloud service, is the data encrypted? While your data is sitting on the cloud provider's servers, is it encrypted? If so, are you the only one in possession of the private encryption key, or does the provider have access as well? What is the encryption process? If an attacker were to gain access to the cloud provider's infrastructure, would your data be at the mercy of a malicious agent?
If a cloud provider does not provide security testing results or, at the very least, a letter of attestation; you may want to look elsewhere. Inquire specifically about regular security testing and what types of vulnerabilities the cloud provider has identified in the past. Ask whether or not those vulnerabilities were addressed.
Does the cloud provider offer multiple layers of protection - logging, two-factor authentication, virtual patching, firewalls, and role-based access? Considering the rise in ransomware attacks and how quickly ransomware can spread through a network - highlighted by WannaCry and Petya - it is especially important to know whether or not your data is properly segregated and protected from other organizations. If it is not, your data may be exposed to compromise.

For example - without proper segmentation, your data could be encrypted if an organization sharing server space with your data is hit with ransomware. Outside of weighing your options on a cloud provider, always have offsite, air-gapped backups - not connected to the cloud - ready to be used in the event of a ransomware attack.
It's important to know who is going to have access to the facilities where your data is stored, in case that may serve as an attack vector. How easy would it be for a malicious actor to gain access to those facilities through legitimate means?
Are there any laws or regulations regarding data access/ownership/usage that may present an issue to your organization? For examples, is the cloud provider obligated by the country's laws to notify your organization in the event of a data incident? Often, cloud servers are physically located in countries that may have different regulations and requirements when it comes to security. Find out how this affects your company
If a user accidentally deletes a file or multiple files, does your cloud provider have the ability to recover the data? If so, do you have the ability to recover the data, or will you need to rely on the provider? What is their typical response time?
If something happens to your data, what standing will your organization have legally? Ensuring that you read the fine print and verify what accountability is in place for your potential cloud providers will leave you in a better position in the event something unfortunate happens to your data.
What notification is your cloud provider required to provide in the event of an incident and in what timeframe? What is your cloud provider's role in your incident response plan (IRP), and how can they support your IR team? Will they be able to provide you with information and evidence your IR team may need when an incident occurs?

Compliance

If your company is required to adhere to a standard of compliance, your cloud provider must also adhere to that standard to ensure compliance. For example - if your organization is required to operate under HIPAA, inquire as to whether or not the cloud provider is willing to sign a business associate agreement (BAA). A BAA ensures that a third-party will protect electronic protected health information (ePHI) according to the HIPAA guidelines.

Tracking Data in the Cloud

Some information may not be appropriate for cloud storage, regardless of the cloud provider's security. It is important to identify and classify sensitive information, prior to moving your data to the cloud. Gauge what type of risks your organization faces. After choosing a cloud provider, update your information classification policy, and ensure that users understand what information is authorized for cloud storage. Consider using tools to search cloud storage for personally identifiable information (PII) in order to ensure that sensitive data isn't being stored in an unauthorized location.

Additional precautions include tracking uploads, downloads, modification times, access times, deletions, and other changes that occur within the cloud. This will require enabling logs on the cloud storage solution. The specifics of enabling logs will vary, depending on the cloud provider; but many logging tools can also be utilized. Keep in mind that these logs should be stored in a secure location. Implement minimal and restrictive access to individuals involved in the cloud-hosting environment, and make sure to utilize multi-factor authentication.

If your cloud provider does not have integrated logging, you may need to contract an external source to assist in maintaining useful logs. Solutions like Datadog and LogDNA may assist your company in ensuring that their logging process is thorough and reliable.

Reducing Your Risk: Cloud Computing

What is the cloud?

Why are some companies moving to the cloud?

Pros and cons of using cloud solutions

Questions to ask when vetting cloud service providers

Is the provider reputable and designed for business use?

How will your data transfer to this system?

Do you still own your data when it's in their cloud?

If you leave the cloud service can you get your data back and ensure that it's disposed of properly?

Can the cloud provider access or share your data?

Who manages the service? Will you have administrative access?

How much does it cost, and how does that compare to current expenditures?

Does the service support the company's logging requirements?

What type of integration does it have with other software in use?

Is the data encrypted both at rest and in transit? Who holds the private encryption key?

Does the provider undergo regular security testing, and are those results available to clients?

Is organization's data segregated from other companies? Is your data safe if another organization is attacked?

Does the provider do background checks on all employees with access to facilities where your data is stored?

Where is your data being physically stored? Is it in a country whose laws apply to your organization?

Does the provider backup your data, and can you restore from those backups?

Who is liable in case of an accident, and what kind of accountability is in place for the cloud provider?

If a data security incident occurs, what is the procedure for accessing data (incident response)?

Compliance

Tracking Data in the Cloud

References

Contact us

FOR BROKERS

For Customers