I attended the Nordic Digital Business Summit 2016 here in Helsinki a couple of weeks ago. We had a panel discussion on the topic: Is your data safer in the cloud? That’s no doubt an interesting question, so let’s recap some important issues here.
The short answer is, as for so many other questions, it depends. But let’s provide a slightly longer and more informative answer, and collect ten of the most important points.
- Many of us, me included, are old enough to remember the age when people were very suspicious about cloud security. The Internet is unsafe, so putting data on the net must be unsafe. Well, we have luckily passed that phase and cloud services are a valid option, even for the security-aware.
- Let’s face it. The cloud provider has, in most cases, better skills and more resources to run a secure environment than your own organization. Using a cloud service is an excellent opportunity to outsource your security to a competent partner.
- Know your enemy. As in all security work, it’s of paramount importance to analyze the threats and decide what you need to protect against. Is your main concern cybercrime, intelligence agencies or losing the data? How severe would data leaks, corruption of your data or a temporary outage be?
- Keep in mind what the cloud provider’s home country is and where your data will reside. Legislation may restrict where your data can be stored. And needless to say, it gets even more important if you are of interest to intelligence agencies.
- Outsourcing to a cloud provider does not mean that you can relax and forget about security, even if that may be exactly what the service provider’s marketing tells you. Security is still your responsibility, but the needed skill-set is different. You need to know how to evaluate and monitor the provider’s security level, instead of how to build and operate secure systems.
- Security must be a top issue when evaluating vendors and signing the agreement. If you don’t shop for security, and demand it in the contract, it’s pure luck if you end up with a secure system.
- The main disadvantage is that you lose control and visibility when outsourcing your security. This means that you must trust the cloud service provider. But it should not be blind trust. So the real challenge is how to know who is trustworthy.
- You should evaluate how the vendor documents their security measures and processes, and what their track record is. One thing I especially love to see is a well-handled security incident. We know that there are vulnerabilities in every system. A prompt, open and professional response to a vulnerability is the best proof of a vendor’s ability to keep the system safe. Some may brag about a “perfect track record” with no incidents at all. What it means in practice is that the vendor is either too incompetent to even notice breaches, or is covering something up. And a cover-up is the last thing you want if someone is stealing your data!
- Keep in mind that the user is often the weakest link. No matter how secure your cloud is, it’s game over if the enemy can log in with a legitimate user’s credentials. I counted how many cloud services I have open on my mobile so that they can be accessed by just tapping an icon. The somewhat shocking result was 63! (That’s excluding services with two-factor authentication and others that require a password every time.) So the security of all these services in practice relies on how well I secure my phone.
- Yes, login and authentication really are a weak link in most systems. Demand a two-factor authentication system that is easy enough to work in practice, and can be enforced for all users.
Some of you may miss a comprehensive list of technical security features that one should demand from the provider. Let’s leave that for another post. Moving stuff to the cloud, and outsourcing in general, means that you deal less with technical details and more with vendor selection and monitoring at a higher level. So that’s what I wanted to focus on here.
To summarize: don’t be afraid of the cloud. The benefits are very clear and that is no doubt where our future is. And the cloud can be more secure than your own systems. But don’t be fooled into thinking that you can forget about security just because you have outsourced it.