In a recent post titled Data Security Considerations in the Cloud, problems related to who a company’s cloud provider has on staff can be a cause for concern when it comes to security.
Perimeter E-Security recently published a white paper titled Top 10 Information Security Threats for 2010 that further reinforces this worry. In their top 10, cloud computing itself came in at number 9.
Malicious insiders, those with the intention of doing harm to the company they work for and its clients, was considered a rising threat and finished at number two on the list.
Additionally, careless employees and social engineering both earned steady threat status and came in at numbers four and seven respectively. Finally, the rising threat of cyber espionage came in a number ten.
Several proof-of-concept demonstrations of CA’s data loss prevention technology showed that right before an employee left a company they began e-mailing company confidential data to their private e-mail address. If this seems a bit too theatrical, consider at recent study conducted by Ponemon Institute where it was found that 59 percent of former employees admitted to stealing confidential corporate data. If more than half of the workforce is comfortable stealing data from their own employers, the data that you have entrusted them with is easily at risk as well.
While data theft is a real consideration for anyone exploring cloud computing solutions, employee carelessness is another risk that needs to be addressed. Countless reports of employees losing laptops, PDAs, or USB drives with millions of customers’ personal data have made the rounds so many times that it is almost expected. However, an even greater threat that stems from this makes the news less often. Malicious code buried in web sites, forums, blogs, and emails are responsible for a majority of the malware that is used to steal login credentials and other valuable information. Employees who blindly browse the web are often susceptible to these types of attacks that stem from their not being aware that these threats exist.
One of the biggest draws to cloud computing is that a company can focus on their business by using a managed service to handle much of their IT/data needs. Shifting the responsibility of server maintenance, security, and related staff to a third-party promises to free up more resources to concentrate on business. Unfortunately, outsourcing control of your data also means outsourcing control of the employees who have access to your data and the servers where this data is stored.
While handing over governance to the cloud provider may seem like an enormous risk, there are ways to find out if your cloud provider is taking the necessary steps to protect the data you trust them with. In 2009, the European Network and Information Security Agency published a report titled Cloud Computing Security Risk Assessment. While the report lauded the benefits of cloud computing, including some of the security benefits, it does address the threat presented by employees of the cloud provider. Their recommendations include:
The truth is, data stored in the cloud can in fact be more secure that if it were stored in-house. How secure is based on the research you are willing to do to make sure the cloud provider in question has the same expectations and concerns as you do when it comes to their employees and your business.