December 04, 2014 // Tori Taylor
Last Updated: February 22, 2022
By Aaron Walther
Cloud technology risks and rewards
While network security experts and consultants thoroughly debate the implications of cloud technologies, there are scores of uninterested business managers adopting cloud-based solutions at a staggering rate. The reality is that cloud-computing solutions present a very compelling business case on paper. Shifting from capital-intensive operational models to a lower cost, lower infrastructure model with greater agility and reduced complexity is very attractive. Computerworld’s 2015 Forecast predicts that cloud computing budgets are going to increase by 46%. Adoption is happening so quickly, in fact, that businesses aren’t taking the proper steps to train staff in this fundamentally new technology.
When a business implements different operational frameworks through which data moves in and out of an organization, data governance and security practices need to be heavily scrutinized beforehand. This is not happening. Managers see the economic benefits of a cloud-based product and discount its significance to network security. Computerworld’s 2015 forecast predicts a 46% uplift in IT Security spending, but surprisingly “only 20% of respondents say members of the security team are [always or most of the time] involved in the decision-making process about using certain cloud applications or platforms.” Granted, there may be some completely benign cloud applications from a security perspective, but at face value it seems clear that 20% is low. Especially with cloud-based applications like EMRs and financial systems, it is essential to involve security professionals in the evaluation phase of a cloud-based system. The burden of security is no longer with the technology providers – hackers are looking for any way in and a single crack will be exploited. Given proper time, security managers are best equipped to create protocols to safeguard the network.
Companies are treating the process of securing data on cloud-based products the same as native ones – this is a mistake. The Ponemon Institute surveyed 1,864 IT and IT security practitioners around the globe, finding that “70% agree that it is more complex to manage privacy and data protection regulations in a cloud environment than on-premise networks within [their] organizations.”
Complexity alone should not deter cloud adopters. It is the combination of executive urgency and complicated implementation that threatens to bring the next wave of data breaches. The Ponemon study also states, “only 38% of respondents say their organizations have clearly defined roles and accountability for safeguarding of confidential information in the cloud and 57% say their organizations are not proactive in managing compliance with privacy and data protection regulations in the cloud environment.” Since cloud technology isn’t going away, something needs to change.
The long-standing truth that technology is only as good as the end user safely applies here. The problem is that training on this new terrain has been lacking across the board. A sobering finding in this study is that “only 14% of respondents say they have training targeted to the security risks created by the use of cloud applications…(56%) [of respondents] say training focuses on general security topics without specific discussion about cloud applications.” The rules of the game haven’t changed, but the field that we’re playing on certainly has. There are new land mines to look out for, but now it’s easier to slip on this grass.
Speaking of new land mines, significant attention should be paid to third-party access when dealing with cloud technology. “Third parties such as contractors and business partners and employees are allowed to access sensitive data in the cloud without the appropriate security solutions in place such as multi-factor authentication.” The slew of data breaches in 2014 opened the eyes of the security community to this particular vulnerability. Many businesses currently allow third-party network access with shared, single-factor login credentials through a VPN or unmonitored desktop share.
Without process and training, the cloud further opens the door for hackers. At least with native systems, we currently have a consistent way of segregating networks per user (SecureLink, for one). “The inability to control how employees and third parties access and handle sensitive data in the cloud makes compliance with regulations a challenge.” Out of those surveyed, 61% responded that the cloud increases compliance risk.
It is clear that the security of cloud technology should not be measured solely after review of the product, but also by evaluating the business’ application of the product. Such a major change in operational framework necessitates a closer collaboration of IT and security professionals. If there is sensitive information being put into the cloud-based system, businesses need to ensure that they are training users on what to look out for in this new landscape. At the end of the day, the user remains the biggest security risk.