Cloud computing is no longer a buzzword - it's mainstream. The Cloud impacts almost every aspect of people's lives, and dominates most people's online lives. With the rise of this new technology have come concerns that it might not be as secure as traditional server-based hosting. Revelations made by Edward Snowden that began in June 2013 suggested the United State's National Security Agency (or NSA) was able to penetrate the cloud servers of key cloud players (AWS, Google, etc.) did nothing to alleviate these concerns. However, a couple of years on and while the cloud has probably recovered from anything Snowden revealed, concerns about security remain.
So are US government agencies the biggest threat to Cloud security?
Curiously, the NSA, FBI, and CIA are not likely to bring your business down through breaches of security. The biggest threats to your Cloud security are much more fundamental than the chess moves of spymasters.
So what are the biggest threats?
Malicious Employees or Disgruntled Partners
By far the biggest threat to a Cloud - or any aspect of a business for that matter - is a malicious employee or a disgruntled partner. If an employee wants to do your business harm they can, and the cloud is a great place to do it. If you fall out with a partner, chances are you share access to technology. This is particularly true if a company has left a provider in charge of security. How do you protect against this? Be nice...
Should someone get access to your cloud account credentials (passwords, etc.) they have control of your data. This means they can destroy everything, or just sit there waiting and collecting data. Worse still, data can be tampered with, or your entire business can be redirected to a competitor.
Obviously, controlling access to a Cloud is key, as are strategies to ensure only the people who need specific data have access to it. Obviously, do not allow staff to give credentials to other people, and to the extent possible, add a "two-factor" solution where additional passwords are required - passwords that are changed on a daily (or even hourly) basis.
While government agencies don't represent your biggest cloud threat, hackers and ne'er-do-well IT experts with too much time on their hands and lots of things to prove to themselves do. If cloud databases aren't designed correctly, they could give a hacker an open door to your data. Encryption is key to avoiding this threat, and on a weekly basis increasingly complex encryption measures are being invented to address this issue.
The extent to which a hacker is able to target the cloud more effectively than a dedicated server that is connected to the Internet is getting debatable. But until an air-tight solution to this problem is achieved, data breaches are always going to be a possibility.
Data loss through natural disaster
While hackers could theoretically just delete your data for a bit of fun, losing your data to natural disaster is a bigger threat. When you migrate to the cloud, you are at the mercy of providers. While the cloud is supposed to be an interconnecting maze of machines that pass information to each other to keep a site online, the truth is some providers offer more of a cloud than others.
A fire, an earthquake or a flood just might hit the physical machine your data is stored on and evaporate it. Losing data causes problems with customers, but in many countries there are legal ramifications, so consider options very carefully when choosing a provider. Check a provider's backup and natural disaster recovery procedures before engaging services.
Application Programming Interfaces (APIs)
APIs are protocols for software applications that often allow two systems or devices to 'talk'to each other. They are used to monitor clouds and also allow businesses to add services to their Clouds. The more you add, the greater the risk. If APIs are insecure potentially third-parties could access data stored in a Cloud. Obviously, development short-cuts and workarounds shouldn't be tolerated. Industry-standard API development best-practice must be adopted at all times.
Denial of Service (DoS) Attacks
Denial of Service (DoS) is as much a threat to the Cloud as to traditional hosting, but as theCloud is adopted more by organizations who rely on 24/7 availability, they become more of a problem. DoS attacks stop networks by flooding them with traffic, and rendering websites unable to launch. There are a variety of types of attack, some of which exploit TCP/IP protocols, but new types of DoS attacks are being dreamt of on a daily basis. Keep ahead of curve. Look at the current thinking as far as this issue is concerned and ensure your security provider is ahead of the curve, too.
Not understanding the Cloud
A number of surveys have suggested that decisions to migrate to the Cloud are more often made by CEOs or CFOs these days. Obviously, the lure of paying for what you use is great, especially when compared to paying for capacity that you do not use. But while costs savings trickle down from these executives, insight into what the Cloud is and how it operates is the role of the IT guys. These IT guys have often spent the careers loading the company's servers with software and upgrading hardware when necessary. Their insights into the Cloud might be dangerously limited.
Ensure that any migration to the Cloud is properly managed. Ensure that the people who need it receive full training. Get everyone on board - ensure that everyone right up to the CEO understands what will be entailed to facilitate the transition. Ensure policies and procedures are in place and understood weeks, or even months, before any migration takes place. Wherever possible, set up systems that will 'dry run' how the completed Cloud will work when the migration has taken place, and train staff up beforehand.