As more and more Software as a Service (SaaS) solutions become available on the market, with prices coming down due to competition and the big players trying to get as high a market share as possible, the financial aspect of the decision to adopt the cloud is no longer an issue. Instead, security concerns still deter high numbers of potential customers from taking the decision to switch.
We should take a look at what security involves in the first place. In its simplest form, information security is about confidentiality. As long as data is accessible only to the people it was intended for, we can say that it is confidential.
There are three main aspects of this. One is access isolation between the organization’s employees: some users should be able to access some data; others must not. From this point of view, there are minimal differences between a traditional, on-premises solution and an in-the-cloud one. As long as access is configured correctly, there should be no differences.
Then there are potential data breaches from outside of the organization, from third parties. The cloud seems to have a weakness, since the cloud provider supposedly has access to customers’ data. Some cloud providers manage this by decomposing data structures so that the system administrators that operate the datacenter cannot identify a specific customer’s data; they only see chunks of data from all customers mixed together. Other cloud providers prefer to keep encryption keys only on customers’ devices, so they are unable to access customer data kept in their datacenters. As long as the encryption protocol is trusted, there is no way the provider can see the actual data. On the other hand, leveraging economies of scale, cloud providers can employ both the latest technologies in terms of security and the best security specialists, while for individual organizations this can become overkill.
Then there is availability. Users that have been granted the right to access data must be able to do so whenever they need to. The cloud seems to introduce a weak point by requiring internet access from the organization’s premises in order to access data, while on-premises solutions are local and only need a local area connection. But in today’s world, where organizations are flexible in allowing or requiring employees to be mobile, having data on the premises is more of a burden than an advantage. In order to provide reliable access from anywhere via the internet to on-premises data, an organization needs expensive redundant incoming connections to the internet. While accessing data in the cloud from inside the organization also requires a redundant connection to the internet, this is an outgoing redundant connection, which is much, much easier and cheaper to get. Also, cloud providers can employ the latest technologies in data resiliency and availability in order to provide minimal downtime for access to data, which can have burdensome costs for smaller organizations.
The third aspect of data security is integrity. Organizations need to be sure that data are not modified at all by unauthorized parties or modified in undetected ways by authorized parties. The advantage of on-premises solutions is that often data are not required to be in transit over the internet and that fewer people have access to back-end servers. On the other hand, cloud providers can afford to implement more advanced tools that can provide integrity and authenticity for data. As an added benefit, providers that employ data encryption with keys stored only on their customers’ devices automatically provide data integrity both in storage and in transit.
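The client-side-key model mentioned under confidentiality and integrity above can be sketched as follows. This is an added example, not code from the article or from any provider: all function names are hypothetical, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM. The integrity guarantee comes from the authentication tag that the device checks before decrypting.

```python
import hashlib
import hmac
import secrets

def _subkey(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()  # separate enc/mac keys

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for AES-CTR (assumption).
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def _tag(master: bytes, name: str, nonce: bytes, ct: bytes) -> bytes:
    # Bind the tag to the object name so stored blobs cannot be swapped around.
    n = name.encode()
    msg = len(n).to_bytes(4, "big") + n + nonce + ct
    return hmac.new(_subkey(master, b"mac"), msg, hashlib.sha256).digest()

def seal(master: bytes, name: str, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the customer device; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return nonce + ct + _tag(master, name, nonce, ct)

def unseal(master: bytes, name: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any modification."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(master, name, nonce, ct)):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def demo() -> dict:
    key = secrets.token_bytes(32)  # stays on the customer device
    payroll = seal(key, "payroll.csv", b"alice,4200\nbob,3900\n")  # constructed data
    notes = seal(key, "notes.txt", b"review on Friday\n")
    flipped = payroll[:20] + bytes([payroll[20] ^ 1]) + payroll[21:]  # one bit changed
    results = {}
    for label, blob in [("intact", payroll), ("bit_flip", flipped), ("swapped", notes)]:
        try:
            results[label] = unseal(key, "payroll.csv", blob)
        except ValueError:
            results[label] = "rejected"
    return results
```

The provider only ever stores the output of `seal`; a blob altered or substituted in the datacenter is rejected on the device instead of being decrypted into silently wrong data.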
One important factor contributing to the security of data stored in the cloud is that cloud solutions are especially attractive to attackers because of the impressive amount of data that can be exposed once a successful breach takes place. Although cloud providers should theoretically be able to afford to employ the most advanced security mechanisms, hackers use targeted attack techniques, which are harder to counteract.
Now taking a quick look at how attackers can compromise data security, we have identity theft, denial of service, redirected attacks and data loss as the most frequent.
Identity theft is the type of attack that interests us most from the perspective of cloud versus on-premises, and if you read technology news you cannot miss it. Two main categories are the most prevalent: phishing attacks that try to steal login credentials directly from users, and database injection attacks that get the credentials from the backend of the application. Either way, while banks and other large organizations used to implement two-factor authentication by use of dedicated hardware tokens, cloud providers are moving to a new generation of two-factor authentication by leveraging the hardware that is omnipresent nowadays – the mobile phone, either dumb (by SMS) or smart (using apps).
Neither one is perfect from a security standpoint. For example, phishing attacks are harder but can still be successful with two-factor authentication mechanisms.
Although not necessarily part of the basic definition of data security, there is one other aspect that determines how captive an organization becomes in a provider’s cloud. It’s usual practice for providers to make it difficult for a customer to take their data and just switch providers. Some of them offer at least a means through which a customer can download all data and access them offline with reduced functionality. Third parties have also emerged that allow for data backup from supported cloud providers and data migration between the largest ones.
To counteract data security concerns, there are also technologies that allow for data synchronization between an organization’s devices (peer-to-peer), with or without central storage and, most importantly, without storage in a third party’s datacenters as in the case of cloud providers. In terms of architecture, they are to cloud providers as Bitcoin is to traditional banking systems.
There is definitely no one size fits all in terms of architectures for storing and transmitting data securely. Fair technology consultants expose all data security implications of current solutions so that each customer can choose the most appropriate one based on their needs. What is certain is that in the pursuit of 100 percent security, the cloud brings cost-effective, scalable and secure enterprise software solutions into the hands of organizations of all sizes, from two to tens of thousands of employees without the big initial investment. Advanced software solutions with advanced security mechanisms are available from day one to organizations that choose to embrace the cloud.
About the author: Alexandru Molodoi (firstname.lastname@example.org) is Chief Technology Officer at Idea City. He has been an ISO 27001 information security auditor since 2008. Aside from assessing website security for individual websites, he has conducted two aggregate evaluations of web security for websites and web applications in Romania (2008 and 2014).