On the assumption that most SMBs are probably going to be at least reasonably familiar with general security issues, here is a quick guide to what you need to know about cloud services and security issues as they relate to the use of public clouds.
Your staff are still your number one security risk
Robust hiring practices can go a long way towards reducing (not eliminating) the risk of hiring a genuine malicious actor, but humans are almost always the weakest point in any security system. On the plus side, recognizing this reality is the first step to addressing it.
First of all, you want to limit the opportunities for your staff to make human errors. In other words, automate as many security-related processes as possible (and have human staff check the alerts). Secondly, make sure your staff have relevant training and that it is refreshed as necessary. Thirdly, make sure that any security-related policies are publicized, understood and enforced; otherwise they are useless.
Consumers can have reduced visibility of their operations
One of the ironies of the public cloud is that, from a cloud service provider’s perspective, maintaining robust and effective security can mean ensuring that their specific security practices are kept confidential. Their customers (tenants) may be informed of anything which is specifically pertinent to them, but they should not expect to have full visibility of the CSP’s operating practices, especially not with regard to security.
The lack of “behind the scenes” visibility may encourage tenants to implement their own monitoring systems and this is very much recommended, but they will have to do it without using network-based tools. Fortunately, the popularity of public cloud services means that there are other tools available.
It’s very easy to install unauthorized services
This point is arguably a combination of the two previous points, but it is so important to security in the public cloud that it is worth highlighting on its own. One of the biggest selling points of the cloud is that just about anything can be done at the flick of a switch. This has all kinds of business benefits, but it has also spawned an issue which has come to be known as “shadow IT”. Basically, this term refers to users deciding to provision services without going through the correct channels, with the result that their organization has absolutely no knowledge of them.
Not only does this open the door to malware, but it also means that the organization is exposed to security threats stemming from legitimate software which is either misused or used for an unintended purpose. Any business using the public cloud really needs to have robust processes in place to avoid this situation.
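One concrete form such a process can take is a periodic reconciliation of the provider's resource inventory against the change requests that actually went through the approved channel. The script below is an added illustration, not code from the original article; the inventory rows, the approved-request register, the `change_request` tag name and the `role/iac-deployer` identity are all constructed assumptions.

```python
"""Flag cloud resources provisioned outside the approved change process.

Added illustration (not from the original article). The inventory and the
approved-request register are constructed sample data; a real run would pull
the inventory from the provider's asset/audit API and the register from the
change-management system.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resource:
    resource_id: str
    service: str
    created_by: str
    tags: dict = field(default_factory=dict)


# Constructed: change requests approved through the proper channel.
APPROVED_REQUESTS = {"CHG-1001", "CHG-1002"}
# Constructed: identities allowed to provision without a per-resource ticket,
# e.g. the infrastructure-as-code deployment role (assumed name).
PROVISIONING_ROLES = {"role/iac-deployer"}


def shadow_it_findings(inventory, approved=APPROVED_REQUESTS, roles=PROVISIONING_ROLES):
    """Return (resource_id, reason) for every resource with no approved provenance."""
    findings = []
    for r in inventory:
        if r.created_by in roles:
            continue  # provisioned by the sanctioned pipeline
        ticket = r.tags.get("change_request")  # assumed tag name
        if ticket is None:
            findings.append((r.resource_id, "no change_request tag"))
        elif ticket not in approved:
            findings.append((r.resource_id, f"unknown change request {ticket}"))
    return findings


# Constructed inventory: what an asset export might look like.
SAMPLE_INVENTORY = [
    Resource("vm-0a1", "compute", "role/iac-deployer"),
    Resource("bucket-7f2", "object-storage", "user/alice", {"change_request": "CHG-1001"}),
    Resource("db-33c", "managed-db", "user/bob"),
    Resource("fn-91e", "serverless", "user/carol", {"change_request": "CHG-9999"}),
]

if __name__ == "__main__":
    for rid, reason in shadow_it_findings(SAMPLE_INVENTORY):
        print(f"{rid}: {reason}")
```

Anything the script reports is a resource the organization has no record of approving, which is exactly the gap the shadow IT problem describes.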
Management APIs can be compromised
To be perfectly blunt, anything which is on the internet is vulnerable to compromise and the management APIs for cloud services make very tempting targets for cybercriminals as the potential rewards are huge, especially with the larger CSPs. Again, this is an area in which tenants are very much at the mercy of the CSPs.
On the plus side, reputable CSPs are very much aware of this issue and will go to great lengths to keep their APIs secure, which highlights the importance of undertaking due diligence on any CSP before you decide whether or not to do business with them.
Data could potentially leak between tenants
As far as we are aware, there has not been any documented real-world instance of external attackers being able to take control of a CSP’s systems in such a way that the separation controls fail and cloud tenants have their data exposed to other tenants. There have, however, been proof-of-concept exploits in this area so this has to be classed as a potential risk, albeit probably a fairly low one.
Data may not be properly deleted
This is one of the reasons why various data security compliance programs can have issues with the public cloud. When you work in an on-premises environment or a private cloud, you have full visibility of and control over the data deletion process. If necessary, you can even take out a hard drive and physically destroy it beyond all repair. In the public cloud, however, you have to rely on your CSP to delete your data properly and it may be very difficult for you to monitor this effectively.