In this final installment in our series on security issues and vulnerabilities in a variety of industries, we look at cloud service providers. While this might not be an “industry” in the same sense as financial services, healthcare, transportation and retail, it is an increasingly important area of commerce as more enterprises move applications and data into the cloud.
The list of leading cloud service providers includes some of the biggest names in the technology business, including IBM, Microsoft, Google, Amazon Web Services, SAP, Oracle, Salesforce.com and Citrix—to name a few. Some of the leading telecommunications and wireless network providers, including AT&T, Sprint, Verizon and T-Mobile, are getting increasingly involved in the market.
Organizations have been concerned about the security of cloud computing environments ever since the concept of the cloud emerged as a new model for IT services delivery.
Some say those worries have lessened somewhat as IT and security managers gain more experience with cloud offerings such as software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS), and as cloud service providers bolster their information security postures.
Service providers have claimed, in fact, that organizations can be confident that data stored in the cloud is just as secure as, if not more secure than, it would be if housed in many corporate data centers.
But cloud security remains a worry for many enterprises. A global study released by communications provider BT in the fall of 2014 showed that while 79% of companies surveyed in the U.S. and 70% globally are adopting cloud storage and Web applications, their confidence around cloud security was low.
The survey showed that more than three quarters of IT decision makers (82% in the U.S. and 76% worldwide) said security was their main concern about using cloud-based services. About half of the respondents stated they were “very or extremely anxious” about the security implications of these services, up 10% from previous research in 2012.
More than half of IT decision makers in the BT study said trusting a third party is a concern, with 41% of the global respondents having the impression that all cloud services are inherently insecure and 26% saying they had experienced a data breach incident where their cloud service provider was the party at fault.
And with the cloud becoming such a dominant part of the technology landscape of so many organizations, the overall security and privacy of data in the cloud will obviously remain a high priority for technology leaders.
Public and private cloud service providers need to be diligent in how they secure their servers, storage systems and networks, to ensure that customers’ data resources are protected not only from nefarious hackers and other cyber criminals, but from other cloud service clients as well.
Clearly, the potential for breaches in the cloud environment is significant. The Cloud Security Alliance (CSA), a not-for-profit organization that promotes the use of best practices for providing security assurance within cloud computing, created a list of the “Notorious Nine” top threats to cloud computing for 2013.
Although the report is from a few years ago, these threats are still quite relevant to cloud users today: data breaches, data loss, account or service traffic hijacking, insecure interfaces and application programming interfaces, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence and shared technology vulnerabilities.
To identify the top threats, CSA says it conducted a survey of industry experts to compile professional opinion on the greatest vulnerabilities within cloud computing. The list and accompanying report are aimed at both users and providers of cloud services.
The CSA has worked to create industry-wide standards for effective cloud security. It has released the “Security Guidance for Critical Areas in Cloud Computing” and the “Security as a Service Implementation Guidance” as guides for best practices to secure cloud computing. And many businesses and government organizations have already incorporated this guidance into their cloud strategies, according to the CSA.
The organization also offers the Security, Trust and Assurance Registry (STAR) Program, a comprehensive set of offerings designed to create cloud provider trust and assurance. The STAR Program is a publicly accessible registry designed to recognize the varying assurance requirements and maturity levels of providers, and can be used by customers and providers around the world.
Clearly, efforts are underway to bolster the security of cloud services, and we can expect this to continue in light of ongoing security breaches, some of which are cloud related. But given the rising importance of the cloud to so many organizations and the constant need to update security, value-added resellers and managed services providers have an opportunity to help both cloud providers and cloud users ensure that data and systems are protected.