The Inherent Risks of Cloud Security – Out of Sight and Out of Mind?
Cloud security expert advice
Joe Granneman is a computer security specialist who helps the FBI with security issues — in addition to his day job! Joe is also an author, speaker, a CIO of a Chicago health care organization, and a cloud security expert. We’ve picked some excellent excerpts from his address to share with you.
There is so much hype about moving services to the cloud. At every turn, businesses are confronted with promises that sound too good to be true. The articles and advertisements that draw businesses in with promises of cost savings and infrastructure on demand are impossible to ignore. There are many competent, capable and secure cloud service providers available. However, the profitability of these cloud service providers has drawn others into the business who may not have your best interests at heart. Even the best cloud service providers have the occasional security issue. The cloud computing model has very different risks than the traditional client-server model. How do you know what the risks are for your data and your business?
Why is cloud computing getting so much hype? Joe lists these reasons:
- Focus on core business
- Self provisioning
- Utility pricing
- Resource elasticity
- No capital expenditure
And the risks Joe identifies:
- Data segregation
- Privacy and access control
- Disaster recovery
- Audit and investigation
- Long-term viability
- Intellectual property
- Shared attack surface
Joe then shared some jaw-dropping examples of major, recognizable institutions caught in “compromising” situations. Of the security type, we mean. For example, salesforce.com got hacked through a phishing attack and 900,000 customer records were breached. Google Groups advised users who used a welcome message, pages or files to migrate to another product, because they would no longer have access or creation/editing rights TO THEIR OWN DATA!
Even Facebook has an IP clause that reads, “you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post.”
The move to cloud computing can be successful if a business uses a thorough due diligence process to discover the risks and verify the vendor claims. Armed with the knowledge of these risks, businesses can make informed decisions about which services belong in the cloud.
Can the risks of cloud services be mitigated?
- Business professionals should not fear cloud services
- They present different risks than traditional services but it is still information security
- Some services may be too risky or burdened in compliance to move to the cloud
- Information technology should add value in the vetting of potential cloud service providers
Joe also recommends doing thorough due diligence, with a procedure to define the process for acquiring and utilizing cloud services. He recommends developing a Risk Assessment framework and requiring the cloud service provider to comply with security specifications, with audit documentation. Do a thorough review of the financial position of the provider. The cloud provider’s architecture, network diagrams, physical security, network security, host security, web security, cryptography and data ownership should all be assessed as well. Lastly, he stressed that cloud services require more legal and compliance knowledge than more traditional computing models.
And one more thing – make sure ANY password you use is more than seven characters and is a non-English word (don’t use any kind of recognizable nouns or verbs). Hackers can crack a password like that in six seconds or less!
Ready to move?
Our hosting partner, Swizznet, assures that they have 99.95% network uptime, with “anti-ransomware, cutting-edge technology to secure your cloud hosted accounting service data.” Soon, LAI will be totally on the Swizznet cloud. This is a reputable, trustworthy company which Tony Merry fully vetted before bringing to LAI and Sage.