Storing Data in the Cloud: How Safe is It?

Businesses large and small are turning to cloud computing systems to forge leaner, more effective and efficient organizations.  Amid explosive growth in the use of Internet-connected devices, deployments of the latest in mobile broadband infrastructure and the fast emerging “Internet of Things,” (IoT) cloud computing is becoming the core of a new generation of information systems (IS) architecture.

Besides opening up a world of “Big Data” and “Always-On connectivity,” the exponential increase in the number of “things” with IP addresses opens up vast opportunities  for those looking to exploit security weaknesses in connected devices, networks and servers. That includes alleged government cyber espionage campaigns as well as an ever-growing variety of increasingly sophisticated cyber attacks on the part of cyber criminals and terrorists.

As the OpenSSL Heartbleed vulnerability and Dragonfly malware group have demonstrated, these malware and cyber threats now have the capability to exploit vulnerabilities in encryption methods and technology, and access network, server and application software to control industrial processes. They can even control critical public infrastructure, such as power, energy and water distribution systems.

Recent malware invasions and security breaches notwithstanding, the cloud computing migration appears unstoppable. According to RightScale's “2014 State of the Cloud Survey,” public cloud adoption among 1,068 organizations surveyed is nearing 90 percent. That begs the question: Are the organizations contemplating a shift to cloud IS architectures concerned about security risk? More fundamentally: Just how secure is cloud data storage?

The growing cloud

Global shipments of smart connected devices, including everything from PCs to wearable electronics and household appliances, surpassed 1 billion in 2013 and are expected to approach 1.8 billion this year, according to a forecast from IDC.

As these devices become a part of every day life, they span the divide between work and home, creating problems for corporate IT security departments. The BYOD, “Bring Your Own Device” and BYOA, “Bring Your Own Application” trends  put further pressure on IT security departments and spur another step-change in the evolution and growing use of cloud computing services.

From data storage and Software-as-a-Service (SaaS), the diversity of cloud computing services has expanded to include broader IT outsourcing options – so-called platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS).

According to RightScale's 2014 cloud technology survey, cloud computing is approaching ubiquity, with uptake fastest among enterprise-scale organizations:

• 94 percent of organizations surveyed are running applications or experimenting with infrastructure-as-a-service;


• 87 percent of organizations are using public cloud;


• 74 percent of enterprises have a hybrid cloud strategy and more than half of those are already using both public and private cloud.

Then there are consumers, who are increasingly making use of cloud services, such as Amazon Cloud Drive, Apple iCloud, Google Drive and Microsoft's SkyDrive, as well as a growing host of niche cloud services providers, such as Dropbox, SugarSync and Box, to store and access digital content from mobile, desktop, small office and home consumer electronic (CE) devices and systems.

Securing the cloud

Securing all of those electronic devices, networks, proprietary data and information from incursions by cyber spies and criminals is of paramount concern to organizations of all stripes, and it is straining the capacity of the IT resources of even the largest and most experienced. That's particularly true when it comes to those new to cloud computing or in the early stages of contemplating cloud deployment.

Besides individual end-users, organizations and cloud computing services vendors, the onus of assuring the security of the cloud falls squarely on the shoulders of IT security software and systems vendors such as Symantec.

Highlighting the seriousness of cloud security threats, Symantec recently reported on an ongoing, sophisticated, very possibly state-sponsored “cyber espionage campaign dubbed Dragonfly (aka Energetic Bear)” that managed to infiltrate information systems of “energy grid operators, major electricity generation firms, petroleum pipeline operators and energy industry industrial control system (ICS) equipment manufacturers” around the world.

Data security and protection, as well as assuring personal privacy, is inherently an issue of corporate social responsibility (CSR). As Cecily Joseph, Symantec vice president of Corporate Responsibility, told 3p: “At Symantec, we enable people and businesses to enjoy the connected world by protecting their most important assets – their memories and data.

“Symantec considers the protection of information – whether it’s in the cloud, on your mobile or desktop – central to the responsibility of corporations in this digital age. Our customers trust us with the data they capture, share and save online. Trust is at the heart of the relationships we cultivate, and the responsibility we have to our customers, partners and communities.”

One of the ways Symantec aims to assuage enterprises' cloud security concerns is a platform dubbed O3 “that provides single sign-on and enforces access control policies across web applications.” As the company explains, “O3 helps enterprises migrate to Software as a Service (SaaS) applications while ensuring that proper risk management and compliance measures are in place to protect enterprise data and follow regulations.”

More broadly, the Open Data Center Alliance (ODCA), surveying the likes of Deutsche Telekom, Disney and SAP regarding enterprise cloud computing and services, found that 66 percent of organizations are concerned about cloud security. Its market research with leading enterprises also lead ODCA to produce a suite of new enterprise white papers on cloud computing requirements and best practices, including “the first available enterprise IT perspective on security and privacy.”

Public, private and hybrid clouds

Proponents contend that making use of public cloud services and data storage solutions from leading providers enhances data and IS security. They point out that leading enterprise cloud computing and data storage service providers such as Amazon Web Services, Google, Microsoft, OpenStack and IT virtualization specialist VMWare employ the best and brightest IT security experts and devote significant portions of their huge budgets to ensuring they are using the latest threat monitoring and cloud security solutions available.

Others beg to disagree. As cloud security start-up JumpCloud co-founder Rajat Bhargava said in a recent interview:

"There's no more debate. When you don't own the network, it's open to the rest of the world, and you don't control the layers of the stack, the cloud - by definition - is more insecure than storing data on premises."

The cloud and the Internet of Things

Adding impetus to the cloud computing migration is the desire to latch on to, and capitalize on, the fast emerging “Internet of Things” (IoT).  Surveying 400 IT professionals in the U.S. and U.K. on behalf network control systems developer Infoblox, Coleman Parks Research Ltd. found that 90 percent of respondents’ enterprises are either planning or already implementing network solutions to manage the huge increase in traffic the IoT is anticipated to bring.

According to Gartner, the installed base of “things” connected to the Internet will grow nearly 30-fold, to 26 billion units, in 2020 from 0.9 billion in 2009. “Things” in this context excludes PCs, tablets and smartphones.

“Network administrators have struggled in recent years to stay on top of the ‘bring your own device’ (BYOD) trend, and the IoT will create an increase in end points that is an order of magnitude greater,” said Cricket Liu, chief infrastructure officer at Infoblox, a provider of network control software and systems.

“At the same time, many networks teams will have to respond to the IoT without significant increases in budgets or head count. Network automation will become crucial as IT departments confront this massive growth in network complexity.”

Are cloud security threats overblown?

New security threats are anticipated as IoT deployments expand. Nearly two-thirds (63 percent) of respondents to the Coleman Parks market research report believe IoT to be a threat to network security. On the other hand, 37 percent believe such concerns are overblown and amount to hype.

Cloud services are still at a stage where they are evolving rapidly, as are cyber threats. That compounds the challenge and raises the risks associated with the quest to realize new revenue streams and gains in productivity, as well as the greater flexibility and lower IT costs, cloud adoption promises.

Seen as the best means of supplementing IS security methods and tools such as multi-factor authentication (MFA), wholesale data encryption is being touted as the best means of assuring the security of data, networks and overall IS, whether it be data stored on public, private or hybrid cloud systems.

Yet, as Heartbleed and Dragonfly demonstrate, even public key infrastructure (PKI) and SSL (Secure Sockets Layer) – the core method and means of data encryption – as well as virtual private networks (VPNs), are vulnerable and under attack. Gartner forecasts that there will be a dramatic rise in the use of SSL in cyber attacks in coming years, with over half of all network attacks making use of encryption by 2017.

As occurred with previous waves of IT innovation, such as outsourcing of data processing, storage, applications and customer services to third-party providers, IT industry experts contend that greater familiarity with cloud computing and services will assuage end-users' concerns. Results from RightScale's 2014 cloud survey  bear this out. “While the benefits of the cloud increase with experience, the challenges of cloud show a sharp decrease as organizations gain expertise with cloud,” RightScale concludes.

“Security remains the most-often cited challenge among Cloud Beginners (31 percent) but decreases to the fifth most cited (13 percent) among Cloud Focused organizations. As organizations become more experienced in cloud security options and best practices, the less of a concern cloud security becomes. Concerns about cloud security declined in 2014 among both Cloud Beginners and Cloud Focused respondents.”

*Images credit: 1) Powered Backups