Are You Skeptical About The Cloud?

Uncategorized

Recent news stories like the celebrity iCloud hack have shined a light on cloud security in general, and cloud storage risks specifically…

News stories like the celebrity iCloud hack have shined a light on cloud security in general, and cloud storage risks specifically. Experts say many enterprises ‘don’t have a clue’ that corporate data could be at risk. Much like the United States justice system presumes innocence over guilt, many view the cloud as secure enough until it’s shown to be insecure. Vulnerabilities or cloud breaches are bound to happen, and when they do, they serve as reflection points where users must rethink their assumptions before deciding on the best choice in the security, cost and performance balancing act.

“Security is always a balance of risk versus reward”

There are many reasons to store data in the cloud, and users have been doing so for years and ultimately there are no really good reasons why sensitive data shouldn’t be stored in the cloud. The risks like any other risks to a business need to be managed. . Mail services are one of the early examples of data storage in the cloud. Historically, however, when these services were hacked, the attackers would typically use the compromised accounts to deliver malware, spam or both. More recently, the interest of attackers has shifted toward learning the users’ personally identified information. This leads to questions about the content of the actual data, and thoughts about where the data should reside.

The distributed nature of cloud data introduces two areas of concern to security-minded people. The first area of concern deals with the processing and handling of the data. The second area deals with the value of the data. Generally speaking, the first area receives more attention than the second; however, both areas are of equal importance. Examine the data and applications you wish to migrate to the cloud, and classify them in terms of how crucial they are to the business, how sensitive the information is, and what regulations and governance rules affect that data. Once this stage is complete, a cloud service can be selected that can support the level of security, compliance, and of course availability that is required.

Data processing and handling

Cloud processing and handling of data has users facing a basic question: Who owns the data? This problem has not been solved and appears to have no solution in the near future. Part of the problem stems from the fact that users do not always want to be responsible for their digital data, and entrusting all users to securely manage their digitally stored data would require a significant portion of the population to learn more about computer security than they are willing to undertake. Thus, the cloud is a viable option for a large portion of the user population.

Another problem is that while cloud service providers (CSPs) are quite willing to store this information, they certainly don’t want to take ownership of the data. The legal liability issues for the CSPs would be immense since the Internet is a domain of both legal and illegal commerce and the laws that govern Internet usage vary by country. Many of these issues about data ownership played out a couple of decades ago as e-commerce was introduced, however; when Internet service providers (ISPs) were in the role of today’s CSPs, the data was not as widely distributed as is the case today with some of the large CSPs.

Let’s consider how data is actually stored in the cloud. In order to achieve the high availability that defines the cloud, the major CSPs have geographically distributed data centers, with clustered server farms at each data center. Long-term storage of data at remote facilities represents an attack vector, as do the distributed data centers. These endpoints and the paths between them represent major attack vector classes for data stored in the cloud.

The security industry has spent decades attempting to secure the places where data is stored and transmitted, with mixed success. However, the nature of digital data, with multiple copies being made at various locations, begs the question: Is the data itself an attack vector? If so, this emergent vector needs guiding principles. In the meantime, if enterprises can’t secure the places where their data is stored and transmitted, they at least need to know where those places are because that will give them the opportunity to decide which data should be stored in the cloud and where it will be most secure.

Data value

One aspect of data guidance comes from a time before the existence of the cloud. The old adage, “some things do not belong on the Internet, ” is still relevant; however, with the automatic backups that we see with cloud storage services and the movement of data between personal devices and the enterprise network, this problem has grown exponentially.

In this context, the value of data deals with the utility of data. Data utility requires evaluation for the value of the content in the present, along with the potential value of that same data content in the future. A useful analogy might be to consider an old photograph taken of a subject in his younger days and showing him wearing the styles of that era. At the time the picture was taken, the image provided no offense to the subject. However, the same picture many years later might cause the subject to cringe at the fashion it displays.

Now consider that instead of an old, funny picture, business or personal data is on display. The digital nature of the data ensures that once a copy of the data is in the cloud, it will remain there forever. Data of little value to an organization today becomes a data point in the future for mining and trend analysis. As a result, enterprises need to examine how the value of current data may change in the future.

Even data that passes the “safe-to-post standard” becomes a potential big data issue where it may be mined in the present or the future and joined with other data to create new data that may actually be sensitive or more valuable. This results in the problem that even the “safe” data is no longer truly safe. Yet, migration of data to the cloud continues.

There’s also the issue of data that’s not meant for cloud storage but inadvertently ends up there. Data that crosses the boundary between work and home provides a significant opening for an attacker to gain knowledge about the organization. This is not news, of course. But less obvious data, such as forwarded e-mails, that provides insight into the projects and roles of various individuals can sometimes go unnoticed as a major risk. Project information, personnel information and organizational information are all important to keep out of the public domain, and away from the cloud.
How can enterprises prevent valuable data from moving to unauthorized cloud storage services? Architecturally speaking, the most logical choice would be to create a decontamination network for personal devices that travel between home and office. A decontamination network is a sandbox, DMZ or some other trusted zone of the network where data comes in through different sources and users but must pass through processing layers of proxies and filters in order to join the network.

The decontamination network can provide the checks through application proxies that examine for keywords during data inventory and potentially prevent data breaches similar to the celebrity iCloud hack. The determination of those keywords will depend on corporate policies. However, a serious discussion on which keywords are important to the organization must take place across all groups of the organization so data can be properly valued.

Conclusion

Take an information-led, risk-based approach and decide what data will be stored in the cloud, and what the potential consequences would be, should a data breach occur, and that data be lost, stolen or destroyed. Once you know this, the necessary legal and regulatory obligations can be considered, particularly where personal information or sensitive financial information is concerned. Another important decision to make is what type of cloud to use. Make sure you scrutinise the risk and control perspectives and choose a suitable cloud service or solution and one that has the lowest risk and where the most control can be adopted.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
gridcookie	session	This cookie is used to define the grid structure of the website.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
MATOMO_SESSID	session	This cookie is set by the Matomo. This cookie is set when Matomo opt-out feature is used. This is a temporary cookie, it is also called as nonce and helps prevent CSRF security issues.
PHPSESSID		This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_74960530_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
CONSENT	16 years 6 months 14 hours 29 minutes	No description
cookies.js		No description available.
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

Browse Top Brands

Gizzu

Xiaomi

Redragon

PCBuilder

AMD

MSI

WINX

Crucial

Orico

Keychron

Romoss

Microsoft

Are You Skeptical About The Cloud?