Storing data in the cloud is now a necessity for any enterprise that wants to keep up with the latest technological advancements, but it is not without risks. Hybrid or just plain public cloud structures are becoming more and more common among companies and larger corporations as well. According to recent surveys, in 2016, a whopping 68% of enterprises either used or were thinking about using a hybrid cloud solution for their data storage needs.
Public clouds increase the flexibility of virtual machine deployments while staying affordable enough even for smaller businesses, and are often a very attractive alternative for startups. However, they’re not devoid of risks and drawbacks that come with their rather unique nature and are often quite different from the traditional risks of private cloud solutions. A wise IT professional should be armed with good monitoring tools to mitigate these risks and ensure consistent, high-quality performance.
Infrastructure as a service (IaaS) solutions allow data to be stored on the same hardware, while software as a service (SaaS) solutions force customers to share the same application, which means that data is usually stored in shared databases. Today, the risk of data being accessed by another customer who shares the same tables is close to zero in the case of the major cloud providers such as Microsoft or Google. However, multitenancy risks can become an issue with smaller cloud providers, and exposure must be taken into proper account.
An adequate separation of customers' virtual machines must be established to prevent any chance of a tenant inadvertently accessing another customer's data. Additionally, one tenant’s excess traffic may hamper the performance of other users, so it is also critical to ensure a proper workflow. Most of these potential problems can be safely prevented during the configuration phase by taking the right precautions at a hypervisor level.
Lack of Control Over Data
On the other side of the spectrum, larger cloud services such as Dropbox or Google Drive may expose enterprises to a different type of risk. Since data is now outside of the company’s IT environment, privacy issues are mostly linked with the risk of sensitive data ending up in the hands of unauthorized personnel. Newer cloud services encourage customers to frequently back up their data in real time. However, privacy can be at stake when third-party file-sharing services are involved since tighter security settings that are normally employed to safeguard the most sensitive data are now beyond the control of the enterprise.
The most efficient way to reduce this risk is to encrypt your files within a range of 128 to 256 bits, both during the storage and the transit phases. This way, all the data that is moved by unknown personnel outside the company cannot be viewed anymore.
Bring Your Own Device (BYOD) Issues
"Bring your own device" (BYOD) mobile strategies are one of the most enticing features of cloud services that have allowed companies to increase their employees’ efficiency and satisfaction with the simplest trick. By letting workers use their own smart devices (laptops, tablets and smartphones), up to 70 percent of companies ensured that employees are happier, more satisfied and can even roam freely, and can work from home or on the go, reducing downtime and inefficiency.
However, even if BYODs may have higher specs than those provided by the company, employees’ devices may be lacking security and adequate protection. A data breach on an employee's device can be almost impossible to contain, since external devices cannot be tracked or monitored without specific tools. And even if the device is secure, it can still be lost or end up in the wrong hands, meaning that anyone outside the safety of the workplace environment can breach the company’s network with obvious consequences.
Some exploits only exist because of the virtual nature of the cloud, in addition to the traditional issues posed by physical machines. Most consumers are not aware of these vulnerabilities, and with public cloud, they’re even less in control of security. Snooping can happen even with encrypted files if data is intercepted on its route to the destination node.
For example, co-hosted VMs can spy on each other to a certain extent, exposing the company to critical security risks when cryptographic keys are leaked. Malicious attacks such as rowhammer and Flip Feng Shui can work together to store sensitive data such as crypto keys in locations known to be susceptible to attacks. Using secured connections that can prevent outsiders from accessing even the cloud’s metadata is vital, as well as constantly updating the security tools to address any new virtual exploit. (To learn more about vulnerabilities like this, see Should You Worry About Rowhammer?)
Many public cloud providers have clauses in their contracts that explicitly state that a customer is not the only owner of the data since the data stored is owned by the vendor. Providers often keep the right to “monitor the use” of data and content shared and transmitted for legal reasons. If the customer uses their services for illegal purposes such as child pornography, the cloud vendor can blow the whistle and alert the authorities.
And while denouncing a hideous crime may seem a perfectly legit choice, more than a few questions may be raised about the potential privacy risks of the data held by the provider. Data is often an asset that could be mined and researched to provide cloud vendors with more revenue opportunities. Reading the terms of service may provide you with some insight on how your data is going to be handled and if you really are the owner when it is transferred and stored.
No service can guarantee 100% uptime. So other than the usual connection failures and downtime caused by the ISP, there’s also a risk of losing access to your services when the cloud provider goes down. Redundancy and fault tolerance are not under your IT team’s control anymore, meaning that a customer must rely on the vendor’s promise to back up his data regularly to prevent data losses. However, these contingency plans are often opaque and do not explicitly define who is responsible in case of damage or service interruptions.
A company who wants to move its data to a public cloud or hybrid cloud solution, must know beforehand if the provider offers disaster recovery plans and DR/failover commitment. Smaller cloud vendors who do not possess enough data centers may resort to using third-party companies with whom you have no contract with. Also, the agreement must provide a clear definition of who can be held liable when an interruption of service occurs. (For more on this, see The Big Challenges Facing Data Recovery.)
Public cloud storage services can offer great value to enterprises and usually do a much better job securing data than an enterprise on its own. However, any smart business owner must know which risks may be faced by choosing this solution, and what measures could be taken to mitigate them other than what the vendor alone could provide.