Storing data in the cloud is now a necessity for any enterprise that wants to keep up with the latest technological advancements.
Hybrid and public cloud structures are becoming more and more common among companies and larger corporations. In fact, a whopping 72% percent of large enterprises and 53% of medium-sized ones use a cloud solution for their data storage needs, according to a 2021 survey.
Public clouds increase virtual machine deployment flexibility while staying affordable enough, even for smaller businesses, often making them a very attractive option for startups.
But that doesn’t mean they’re risk-free. And the risks public cloud migration might pose to your organization can look quite different from those of private cloud solutions. (Also read: Public Cloud vs. Private Cloud: How to Choose.)
A wise IT professional should be armed with good monitoring tools to mitigate public cloud risks and ensure consistent, high-quality performance. So, here are six risks of public cloud you should consider before jumping on-board:
1. Shared Access
Infrastructure as a service (IaaS) solutions allow data to be stored on the same hardware. By contrast, software as a service (SaaS) solutions force customers to share the same application—which means data is usually stored in shared databases.
Today, the risk of your data being accessed by another customer who shares the same tables is close to zero—at least in the case of the major cloud providers such as Microsoft or Google. However, multitenancy risks can become an issue with smaller cloud providers; and exposure must be taken into proper account.
Adequately separating customers’ virtual machines is essential to prevent any chance of a tenant inadvertently accessing another customer’s data. Additionally, one tenant’s excess traffic may hamper other users’ performance; so it is also critical to ensure a proper workflow. Most of these potential problems can be safely prevented during the configuration phase by taking the right precautions at a hypervisor level. (Also read: How to Prepare for the Next Generation of Cloud Security.)
2. Lack of Control Over Data
On the other side of the spectrum, larger cloud services such as Dropbox or Google Drive may expose enterprises to a different type of risk.
Since, with public cloud solutions, data is stored outside the company’s IT environment, privacy issues are mostly linked with the risk of sensitive data ending up in the hands of unauthorized personnel. That’s why newer cloud services frequently encourage customers to back up their data. However, privacy can be at stake when third-party file-sharing services are involved—since tighter security settings, which are normally employed to safeguard the most sensitive data, are now beyond the control of the enterprise. (Also read: US Data Protection and Privacy in 2020.)
THere are steps that can be taken though. Data loss prevention (DLP) can prevent users from transferring data outside of the business. Security policies can dictate that staff are not allowed to use File Sharing sites such as Dropbox. Cloud Access Security Brokers (CASB) can prevent users from using unauthorized SaaS services.
The most efficient way to reduce this risk is to encrypt your files within a range of 128 to 256 bits, both during the storage and the transit phases. This way, all the data moved by unknown personnel outside the company is unreadable. Make sure that these resources are protected by encryption techniques such as SSL/TLS certificates while the data is in transit and that the storage provided by the Cloud Service Provider (CSP) uses military-grade encryption such as AES-256 and FIPS 140-2 for data at rest.
3. Bring Your Own Device (BYOD) Issues
“Bring your own device” (BYOD) mobile strategies are one of cloud services’ most enticing features and have allowed companies to increase their employees’ efficiency and satisfaction with the simplest trick: By letting workers use their own smart devices (e.g., laptops, tablets and smartphones).
Up to 70% of companies ensured that employees are happier, more satisfied and can roam freely—working from home or on the go—with BYOD strategies, consequently reducing downtime and inefficiency. For obvious reasons, as smart working became the norm during the COVID-19 pandemic, BYODs became an even more necessary asset for many employees who were forced to work remotely. (Also read: Smart Data Management in a Post-Pandemic World.)
However, even if BYODs may have higher specs than those provided by the company, employees’ devices may lack security and adequate protection. What’s more, a data breach on an employee’s device can be almost impossible to contain since external devices cannot be tracked or monitored without specific tools. And, even if the employee’s device is secure, it can still be lost or end up in the wrong hands—meaning anyone outside the workplace environment can breach the company’s network with obvious consequences.
For corporate and BYOD devices, you may want to look at implementing an Mobile Device Management (MDM) policy.
4. Virtual Exploits
Some exploits only exist because of the cloud’s virtual nature, in addition to the traditional issues physical machines pose. Most consumers are not aware of these vulnerabilities and, with public cloud, they’re even less in-control of security.
Less experienced remote workers can be easily predated by malicious cyber actors. According to recent reports from the US Cybersecurity and Infrastructure Security Agency (CISA), cloud-based environments are among the most exploitable remote work-related vulnerabilities. Specifically, the report states: “favorite new targets are vulnerabilities published after 2019 and relevant to remote work, VPN (Virtual Private Network), and cloud-based technologies.” Snooping can happen even with encrypted files if data is intercepted on its route to the destination node.
For example, co-hosted virtual machines can spy on each other to a certain extent, exposing the company to critical security risks when cryptographic keys are leaked. That’s why it is important that your CSP has secure practices in place for segregation of duties for key management. Malicious attacks such as rowhammer and Flip Feng Shui can work together to store sensitive data, such as crypto keys, in locations known to be susceptible to attacks.
Using secured connections that can prevent outsiders from accessing even the cloud’s metadata is vital, as is constantly updating the security tools to address any new virtual exploit. (Also read: 10 Ways Virtualization Can Improve Security.)
5. (Lack of) Ownership
Many public cloud providers have clauses in their contracts that explicitly state a customer is not the only owner of the data, since the vendor owns the data.
Providers often keep the right to “monitor the use” of data and content shared and transmitted for legal reasons. For example, if a customer uses a cloud provider’s services for illegal purposes—such as child pornography—the cloud provider can blow the whistle and alert the authorities.
And while denouncing a hideous crime may seem a perfectly legit choice, even in such cases more than a few questions may be raised about the potential privacy risks of the data held by the provider. Data is often an asset that can be mined and researched to provide cloud vendors with more revenue opportunities. Reading the terms of service may provide you with some insight on how your data is going to be handled and if you really are the owner when it is transferred and stored. (Also read: Who Owns the Data in a Blockchain Application – and Why It Matters.)
6. Availability Risks
No service can guarantee 100% uptime.
So, other than the usual connection failures and downtime the ISP causes, there’s also a risk of losing access to your services when the cloud provider goes down. Many cloud providers have been targeted by distributed denial of service (DDoS) attacks in the last two years—and the amount of these attacks has been steadily increased over the course of 2021. (Also read: The Cyberattacks Pandemic: A Look At Cybercrime in the COVID-19 Era.)
Redundancy and fault tolerance are not under your IT team’s control anymore, which means a customer must rely on the vendor’s promise to back up its data regularly to prevent data losses. However, these contingency plans are often opaque and do not explicitly define who is responsible in case of damage or service interruptions.
A company wanting to move its data to a public cloud or hybrid cloud solution must know beforehand if the provider offers disaster recovery plans and disaster recovery and/or failover commitment. It’s especially important to be cautious of smaller cloud vendors who do not possess enough data centers, as they may resort to third-party companies with whom you have no contract with. Also, the agreement must provide a clear definition of who can be held liable when an interruption of service occurs. (Also read: How to Build Network Architecture That Facilitates Better IT Security.)
Know the Risks
Public cloud storage services can offer great value to enterprises and usually do a much better job securing data than an enterprise can on its own.
However, any smart business owner must know the risks this solution might present and what measures they can take to mitigate these risks, besides what the vendor alone provides. Security always has been a concern when adopting new technologies. However, with the advent of cloud computing, organizations must take extra precautions to protect sensitive information stored online.