Identify potential cloud security breaches

With the increasing popularity of the cloud over traditional data centers, it's important to be aware of some of the potential risks of cloud computing.

For many years, IT has focused on leaving behind the common troubles with data centers in favor of moving to the cloud. In an ideal world, this would put an end to days of outages, staff shortages and on-call rotations. Peace would be restored and IT would be hailed as a hero. Alas, we do not live in an ideal world. The reality of the cloud is often very different from the perception. The cloud is not a magical solution to data center woes -- it comes with its own set of setbacks that are often overlooked. The key to avoiding these issues is to have a clear understanding of what the cloud is, how it operates and the potential risks of using it.

Cloud security breaches and the SLA

One of the foundational elements of the cloud is its availability, which depends on the cloud service provider you select. The commitment that covers it is often referred to as the service-level agreement (SLA). The SLA is an agreement of uptime for your cloud environment, which can range from 99% to 99.99% uptime and higher, depending on the amount you are willing to pay for it. An SLA is not a guarantee of what your availability will be, but rather an agreement that if the availability goes below the agreed level, a fine may be imposed on the provider. Before readers get too excited, these fines are usually determined by the cloud provider and are often a percentage of your monthly expense, which is returned in the form of an account credit. This credit can be a very small sum when compared to the amount a service outage can cost a company. Unfortunately, there is very little customers can do to address this, as these terms are clearly spelled out in the lengthy agreement that customers consent to when they sign up for such services.

However, there is hope: Agreeing to the terms does not mean that customers do not have options. Most companies with critical systems and external data use multiple data carriers for that external traffic in the event of a failure. So why can't customers use multiple cloud vendors in the event one fails?

Splitting loads between cloud vendors increases complexity, cost and effort, but these drawbacks are generally preferable to the cost of an extended business outage. Additionally, customers looking at multiple cloud vendors should be sure that those vendors are not a subset of the same parent cloud -- i.e., resellers selling Amazon Web Services or Rackspace.

Cloud-based security and data loss

Another major concern is data loss or theft, which has become a critical topic for anyone in business or IT today. In the past, large and well-known cloud security breaches cost companies millions of dollars, with no end in sight. Today, the number of cloud security breaches is relatively small. However, as more companies look to move critical and sensitive data to the cloud, providers will become a more attractive target. Most cloud vendors don't support native encryption, and it is only built into some applications. What's worse is that many encryption products available today focus on the link from the user to the cloud and cannot address security within the provider's infrastructure. What types of security exist for the back end? What about monitoring, intrusion detection and the people who take care of it all? Customers are unlikely to see answers to such questions, as releasing that level of sensitive information to the public would jeopardize the security of the cloud provider. This leaves customers with a dilemma regarding sensitive data that exists outside their control.

Therein lies the root of the problem: It's about customers putting control of their data into unfamiliar hands. In the event of a cloud security breach, customers cannot simply pass the blame onto their cloud vendor. The onus falls on the customer for placing too much trust in the provider. Luckily, some security vendors offer additional tools and services that work with the cloud vendor's API. This does not take the burden off the cloud providers, but rather adds an extra layer of security for customers. Though this is certainly better than relying solely on the provider, it still might not be enough. After all, the infrastructure and personnel reside with a different company.

The first step to resolving these issues is to work with a cloud vendor that is willing to look at and work with tools that extend security beyond what it provides. While this will not solve every problem, it does add protection for companies moving sensitive data beyond the walls of their data center. Although moving to the cloud poses certain security risks, its benefits far outweigh its disadvantages so long as businesses approach it with an informed mind.
