Cloud computing, even as it grows in popularity, is not without its fair share of issues. The basic issue is the risk of data loss or theft, as cloud providers move the data from the company’s in-house data center to an external facility. This risk of data loss or data theft could be due to many reasons.
Risks Associated with Accountability and Control
In a traditional data center model, the organization takes responsibility for the security of its own data, and can customize the security to its liking. In the cloud, the data is stored outside the organization’s firewall, and control and accountability for data security are in the hands of the third-party provider.
The third-party provider may encrypt data, offer one-factor or two-factor authentication, adopt network monitoring, or take any other security measure it deems fit. From the organization’s perspective, even the most advanced security deployments to protect its own network become meaningless, as they may not apply to the third-party cloud server. Organizations need to ensure that the security practices offered by the cloud provider remain compatible with what their data requires.
Risks Associated with Data Location
Cloud providers deploy their servers in multiple locations across the globe, to ensure redundancy and very high uptime. The selection of datacenter locations depends primarily on cost-efficiency and convenience for the cloud provider. For the organization, such offshore locations may clash with its statutory obligations. For instance, some European nations restrict transportation of certain types of data beyond their physical borders. Businesses may face the risk of the local authority shutting down the datacenter for investigation, with the datacenter forced to provide access to the data to a stranger, as per local laws. There is also the very real risk of the data privacy laws of the datacenter location being different from the data protection and privacy laws of the organization’s country, and the data being compromised this way.
Businesses need to conduct due diligence on their own, and have detailed knowledge of where the cloud provider actually stores their data. It is important to partner with a transparent provider who offers such information and co-operates with the business to reduce the risks on this front.
The cloud scores over traditional datacenters in ease of provisioning services. This, however, gives rise to risks such as organizational users or departments bypassing the IT team to migrate to the cloud on their own. Such actions can place the entire organization at risk of technology lockdowns, loss of data ownership, and restrictive contracts. They also wreck the application of a consistent policy across the organization, and may even allow cyber attackers a loophole to infiltrate the network.
Individual customers may also not have the technical knowledge or experience to understand the nature of services provided, and may buy more than needed, negating the cost advantages of migrating to the cloud. This is an issue for the organization to solve by having a comprehensive cloud migration policy, and implementing the same.
Risks Associated with Virtual Networks
Multi-tenancy is a common feature of cloud networks, and allows the cloud provider to offer economies of scale. Cloud providers also virtualize just about everything, from the network layer to the application layer. Virtual servers of different organizations running on the same physical hardware, however, increase the risk of attackers exploiting vulnerable systems not otherwise visible.
The all too common design flaws of a multitenant cloud service could lead to a situation where a flaw in one client’s application allows attackers to access the data of all clients. Nothing prevents an attacker, having compromised an account on a host, from compromising another virtual machine on the same host. They could also attempt to gain access to all the virtual machines running on the host, by compromising the hypervisor.
Researchers from the University of Wisconsin, University of North Carolina, and RSA Corporation have demonstrated how attackers can exploit a virtual machine to use side-channel timing information. This would allow the attacker to gain access to the private cryptographic keys in use by other virtual machines hosted on a single server.
Moreover, denial of service attacks against one client would result in all clients with data hosted on the same server being afflicted.
This, again, underscores the importance of entering into a partnership with a cloud provider that not only takes adequate precautions against such risks, but also remains flexible and transparent to accommodate the client’s concerns.