AGIX Discussion Cyber-Security

When the Cloud is a bad thing

For those of you who follow my articles, you’d know that I’m a fan of the cloud. But more than that, I’m a fan of using the right tool for the job. The decision on whether or not to use the cloud in your business should be an informed one. That’s the point of this article.

As with the adoption of any new technology, a sensible business would consider whether the adoption of cloud-based services comes with acceptable risk or not. A business can determine risk easily if the IT assets are local, but that all changes when the assets are made available through the cloud. The business doesn’t know the true risk when it is denied access to those details.

For example, a cloud service offering backups could say “we secure your backups using XYZ security and have experts constantly reviewing our infrastructure and related services to ensure your data is protected” but do they really do that? And to what extent? Would they tell you if their systems were compromised?

Let’s look at each of the three pillars of IT security: Confidentiality, Integrity and Availability.

Confidentiality is where your data is limited in access to those authorised to see it. Going back to our example, we’d like to see features like “encrypt before send” and “encrypted in transit” and “encrypted in storage”. In other words, the data is encrypted before sending, sent over the Internet via a secure tunnel and finally stored on disks in an encrypted state. This means even the cloud service provider can’t access your data.

Integrity is where your data remains valid and unchanged. Again using the backup example from above, we would say the cloud service provider would have to ensure the data remains intact and unchanged. Encryption does two things: it ensures the data remains private and it alerts us to the fact that it might have changed. So when it comes time to restore the data, we would learn whether or not its integrity remains. But that’s too late. We need to know “before” we need to know. This is where restoration testing comes into play.
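Restoration testing of this kind can be automated by recording a hash of every file at backup time and comparing a test restore against that record. The following is an added example, not part of the original article; the function names, the choice to keep the manifest locally rather than with the provider, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large backup files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Run at backup time: map each file's relative path to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_restore(restored_root, manifest):
    """Run after a test restore: report every difference from the manifest."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "unexpected": sorted(restored.keys() - manifest.keys()),
        "changed": sorted(name for name in manifest.keys() & restored.keys()
                          if manifest[name] != restored[name]),
    }

def demo():
    """Constructed sample data: a small tree, then a damaged 'restore' of it."""
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "report.txt").write_text("quarterly figures\n")
        (source / "docs" / "notes.txt").write_text("meeting notes\n")
        (source / "db.dump").write_bytes(b"\x00\x01\x02" * 1000)
        manifest = build_manifest(source)      # assumed kept locally, not with the provider
        shutil.copytree(source, restored)      # stands in for the cloud restore
        clean = verify_restore(restored, manifest)
        (restored / "docs" / "report.txt").write_text("quarterly figurez\n")  # altered
        (restored / "db.dump").unlink()                                       # lost
        (restored / "extra.bin").write_bytes(b"?")                            # added
        return clean, verify_restore(restored, manifest)

if __name__ == "__main__":
    for report in demo():
        print(report)
```

Run on a schedule against a real test restore, a non-empty report is the early warning the paragraph above asks for.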

Availability is where your data is available to you when you need it. Back to our example, when the time comes to restore data from our backups, we need to know they are available. Your reason for restoring data could be a test, the restoration of a single file or small group of files, or a complete system recovery. When you will need your backups, and where you will be at the time, is unknown. Cloud services “should” use the “five 9’s” rule. This means “99.999%” uptime. This is a standard that most Cloud service providers strive for.

According to “https://uptime.is/99.999”, 99.999% uptime is equivalent to 26.3 seconds of downtime per month or 5 minutes and 15.6 seconds of downtime per year.

So when is the cloud a bad thing for your business? The Cloud is not good or bad; it’s how and why you use it. If you put your backups in the cloud and can’t restore from it fast enough, then it’s a bad thing. If you store your data in the cloud and don’t know whether it’s secure or where it is, it’s a bad thing. Treat the Cloud service provider as though they’re about to go out of business and you will start to think differently. For example, if you decide to put your backups in the Cloud, consider what you’d do if the resource was missing when you need it. You’d use two backup solutions: a local backup to tape or USB disk or an off-site NAS, in addition to the Cloud solution.

IT Security is the responsibility of the business, not the Cloud service provider.

Finally, there’s the matter of cost. We’ll continue with the example above relating to a cloud-based backup service provider. Consider that retention increases your backup storage and therefore the costs associated with the resource. The more you use it, the more the costs go up, exponentially. The idea of retention is that you can restore a Word document (for example) from a week ago and from last night and compare them. This suggests there were multiple copies in the cloud. The more you change documents, the more data you store and the more it costs.
