Over the last year, momentum towards the cloud has become unstoppable. The promise of cost-effective services and data storage has proven too appealing to organizations and enterprises looking to make every IT dollar count. But alongside a recognition of the potential benefits of the cloud, there has been a realization that adopting the cloud means putting your faith in a third party to keep your precious data safe and sound. But is the cloud really a safe place for your company's data?
The answer to this question depends on emphasis. Even prior to the Internet, people would often freely exchange data, entrusting third parties like utility companies with sensitive information, often barely considering what potential harm this might do. Credit card companies and banks existed before the Internet, and submitting your details to either meant that information about you and your company might often be shared by post or fax. Bearing in mind that both types of organization conduct international business, this means your information was probably shared on an international basis.
The advent of the Internet stoked fears that data stored or transmitted through 'cyberspace' could get into the wrong hands. But as with the post and fax, the Internet was simply another means of moving information around the globe more efficiently. Internet regulation has meant the development and adoption of solutions that safeguard data. To the extent that the cloud is merely another means of delivering the Internet, the cloud should be as secure as the Internet has become. However, with that in mind, we can also assume that issues that impact the Internet - hacking for instance - are just as likely to occur in the cloud.
Whereas the Internet has grown up and is heading towards adulthood, the cloud is still merely a toddler, and challenges do exist. A study by Symantec released in January 2013 suggested that of the 3,200 organizations surveyed, 43% of those questioned claimed to have lost data in the cloud and had to restore data from backups - a process that, for a variety of reasons, does not always succeed. Perhaps one reason for this is the nature of the cloud itself and the reasons for being there in the first place.
The cloud has been driven by cost-sensitive smaller organizations with limited budgets. Unlike traditional providers, cloud providers haven't been driven towards comprehensive customer service. If you delete the wrong folder, or misplace a file in the cloud, who do you call? As public clouds entice more and more enterprise-level customers, customer service is bound to improve, but generally, it isn't there yet.
Although the level of data lost in the cloud is minuscule in comparison to the amount stored, that is of little comfort to the people whose data has been lost. And there are occasions when data loss is substantially more than the odd lost folder. The Amazon EC2 cloud services failure of 2011 was reported to have permanently destroyed data that was supposed to be backed up in another location and therefore secure, and the response from the company was an apology and access to server snapshots that were possibly corrupted. Faulty cloud backup was one prominent issue indicated by the Symantec study mentioned earlier.
Alongside the promise of the cloud, there are then issues that need addressing.
How do you Safeguard your Data in the Cloud?
Of course, one of the principal fears that people might have regarding storing data in the cloud is that it might be hacked. Hacking issues are unlikely to be more prevalent in the cloud than with 'in house' servers connected to the Internet - if someone wants your data, they will of course go after it, wherever it is.
One key deterrent to hacking is encryption. Encrypting data in the cloud prevents hackers - and even cloud computing service providers - from stealing your data. Encrypting data means it becomes unusable without the tools to decrypt it, and that means forfeiting usability for security - accessing data can be slow as tools decrypt information to make it readable. While 'encryption' might be the IT department's mantra, any company's emphasis will be how to use data to support business processes. Fortunately, to ensure cloud security leaves data usable, a number of "format-preserving" encryption solutions have emerged. Where traditional solutions changed data into ciphertext of a variety of different lengths, format-preserving encryption keeps the same number of digits, making transformation more immediate.
Although encrypted data might be safe, and can be transformed quickly, it is still difficult to manipulate - how can you alphabetize randomized ciphertext? Again, cloud solutions have emerged that allow companies to partially encrypt data, leaving certain non-sensitive fields free of encryption for manipulation purposes.
Tokenization is emerging as a way leading-edge companies protect their data. If your data is precious, you should look into it. Tokenization avoids the need for encryption keys, which can be vulnerable, especially in the cloud.
Although encryption keeps data secure, especially for individual data fields, encryption keys can still be exposed. In addition, systems have to be in place to ensure data lengths and data types are compatible so that encrypted text becomes readable again. Tokenization differs from encryption in that it replaces data with randomized tokens. A table matches the tokens with the original values, meaning no formulas are involved, and tokens mimic the length and data type of the original value. The end result is usable data from a business perspective, yet secure data from an IT perspective.
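The table-based scheme described above, as an added example that is not from the original article or any vendor's product. It also leaves non-sensitive fields in the clear so records can still be sorted, as in the partial-encryption paragraph. The class name TokenVault, the helper tokenize_records and the sample records are assumptions made for illustration.

```python
import secrets
import string

# Character classes a token must preserve, position by position.
POOLS = (string.digits, string.ascii_uppercase, string.ascii_lowercase)


class TokenVault:
    """Lookup table between random tokens and the original values."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def _random_like(self, value):
        # Swap each digit/letter for a random one of the same class and keep
        # separators, so the token has the original's length and data type.
        out = []
        for ch in value:
            pool = next((p for p in POOLS if ch in p), None)
            out.append(secrets.choice(pool) if pool else ch)
        return "".join(out)

    def tokenize(self, value):
        if value in self._by_value:          # same input, same token
            return self._by_value[value]
        if not any(ch in p for ch in value for p in POOLS):
            raise ValueError("nothing to randomize in value")
        for _ in range(1000):                # bounded retry on collisions
            token = self._random_like(value)
            if token != value and token not in self._by_token:
                self._by_token[token] = value
                self._by_value[value] = token
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token):
        return self._by_token[token]         # KeyError for unknown tokens


def tokenize_records(vault, records, sensitive_fields):
    # Tokenize only the named fields; the rest stays usable as-is.
    return [{k: vault.tokenize(v) if k in sensitive_fields else v
             for k, v in rec.items()} for rec in records]


if __name__ == "__main__":
    vault = TokenVault()
    rows = [{"name": "Zed Young", "card": "4111-1111-1111-1111"},   # constructed
            {"name": "Amy Adams", "card": "5500-0000-0000-0004"}]
    safe = sorted(tokenize_records(vault, rows, {"card"}), key=lambda r: r["name"])
    for r in safe:
        print(r, "->", vault.detokenize(r["card"]))
```

With no key to steal, the lookup table itself becomes the asset to protect, so it should be stored and access-controlled separately from the tokenized data.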
Data Loss Prevention (DLP) Tools
As with any form of data storage, internal threats are as potent as external threats. Data Loss Prevention (or DLP) tools (also called Extrusion Prevention, Data Leak Prevention, and Information Loss Prevention tools) work on a set of rules established by a business. They look at file content and, based on those rules, tag critical information to stop system users from disclosing it. DLP tools can both filter streams of data on corporate networks and protect data that isn't being used - or "Data at Rest".
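A rule-based content check of the kind described above, as an added example that is not from the original article or any DLP product. The rule names, the function names and the sample documents are assumptions; the card rule pairs a pattern match with the Luhn checksum so that arbitrary long numbers are not tagged.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    # Luhn checksum: double every second digit from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text):
    # A match only counts if the checksum passes; this drops order
    # references and other long numbers that merely look like cards.
    return any(luhn_ok(re.sub(r"[ -]", "", m.group()))
               for m in CARD_RE.finditer(text))


def has_confidential_marker(text):
    return re.search(r"\bconfidential\b", text, re.IGNORECASE) is not None


# Rules a business would establish: (tag, content check).
RULES = [("PAYMENT_CARD", has_card_number),
         ("CONFIDENTIAL_MARKER", has_confidential_marker)]


def classify(text):
    return [tag for tag, check in RULES if check(text)]


def may_leave_network(text):
    # Policy: anything carrying a tag is stopped before it is disclosed.
    return not classify(text)


# Constructed sample documents.
SAMPLES = {
    "newsletter.txt": "Q3 newsletter draft, order ref 4111111111111112",
    "support.txt": "Customer card 4111 1111 1111 1111 exp 09/27",
    "plan.txt": "CONFIDENTIAL - merger plan, internal only",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = "ALLOW" if may_leave_network(body) else "BLOCK"
        print(name, classify(body), verdict)
```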
Hybrid Cloud Solutions
Apple co-founder Steve Wozniak suggested in 2012 that over-reliance on the cloud could result in "horrendous" consequences for users. If that is the case, then the data that is really precious to your organization should remain local. That doesn't mean that the cloud should not be utilized, but company policy should dictate what information can and cannot go into the cloud. With that in mind, a number of Hybrid Cloud Solutions have emerged - solutions that bridge more traditional approaches to hosting with the cloud. Hybrid Cloud Solutions do mean a company maintaining its own IT capability - albeit a scaled-down capability - but as some people say, if there is any doubt, there is no doubt, and as a result, perhaps you need to be responsible for the security of your most sensitive data.
The bottom line is not always a financial consideration. The same common sense that you applied to managing your on-site data should be applied to the cloud.
In a much-publicized event, Mat Honan, a writer for Wired Magazine, lost all the data on his laptop in mid-2012. Mr. Honan had "daisy-chained" numerous accounts, and hackers were able to access his Google and Twitter accounts. Apple tech support were tricked into giving the hackers access to his AppleID account using a partial credit card number revealed by his Amazon account. They erased data on his iPhone, iPad, and MacBook - none of which he had backed up. Documents, photos and emails from the previous year were lost.
Despite its benefits, the cloud is still using the same security measures utilized by traditional hosting - passwords. To that extent, the same lack of security measures that allowed Mr. Honan's data to be pulled from the cloud could allow your organization's data to be pulled from the cloud. The same security measures your company employed to safeguard data held by your own servers should be employed for data in the cloud, because the cloud is just another tool like your server was.
Everything should be backed up regularly - onto a local server, to a server in another geographical location, to another server in the cloud, and - however old school it might sound - burning DVDs on a daily basis. Passwords should be changed regularly. Two-factor authentication should be used wherever possible. Make sure that security question answers are secure and that access is limited to the people who need to know that information.
Know Your Provider
Although the cloud might come across as ubiquitous and might be promoted as almost a commodity item, it is merely a network of providers, and not all providers are equal. Do not be enticed by the cloud too readily - do your homework. Use websites like HostSearch.com to find out about cloud hosting providers, read the comments people provide, and get to grips with which are the best - and that means safest - cloud providers.