Can Your Business Trust the Cloud?

By Leah Heilbrunn
published

(Image credit: phloxii/Shutterstock)

When your company decides to outsource its backup storage to the cloud, it's giving up some control over corporate data--so, which providers can be trusted to keep that data safe? It seems that cloud hacks are de rigueur in this age of access, and therefore mainstream cloud services come with a certain amount of risk. As an IT administrator, in order to protect both your business and yourself it’s important to know what makes cloud backup safe and what cloud backup providers are doing to make sure your business and personal data stay private.

Between levels of encryption, firewalls, virtual private network (VPN), artificial intelligence (AI) and all the rest, the protections in place for cloud backup are dizzying. The devil is in the details when it comes to choosing a cloud backup service. Your choice comes down to technologies and individual needs.

Leading Cloud Providers and Hacking Incidents

The list of cloud backup services is nearly endless. From big to small, shared hosting to private server hosting and mainstream to only-the-cool-kids-know-about-it. However, the big players in the cloud storage game are: Google Cloud Platform (GCP), Amazon Web Services (AWS), Microsoft Azure, IBM Cloud and Dropbox. When deciding between these services, each company’s track record for security is a good place to start. Major security breaches and subsequent responses can provide a baseline for expected cloud backup privacy.

Most cloud hacks target large companies. Of the major cloud providers, two have had noteworthy intrusions in the past two years: Azure and AWS. In 2017, Deloitte’s Azure cloud backup was hacked, leading to the compromise of an estimated 5,000,000 emails. In 2018, a Tesla AWS account was hijacked and used as a means to mine cryptocurrency. The hackers in this mining scheme also accessed a small amount of proprietary information.

Whether or not these past incidences worry you, it's important to look into a cloud backup company's safeguards to determine which best suits your needs. Each major cloud provider publishes a good amount of information the security technologies it has in place. They want you to feel confident about your decision to entrust data to a third party, so GCP (opens in new tab), AWS (opens in new tab), Azure (opens in new tab), IBM Cloud and Dropbox all have pages dedicated to security transparency. They don’t tell you everything, of course, but while paging through these security dossiers, there are a few main points that should influence your choice.

Encryption

Cloud backup services employ many levels of encryption. When comparing cloud security, you will find that providers will at least offer encryption at three base levels: going to the cloud, coming from the cloud and at rest in the cloud.

Data is susceptible to prying eyes while in-transit through the ether. A secure cloud backup will have encryption for data in-transit built into its services. Depending on how savvy you are, you may have opinions on the types of encryption employed. But in any research, you will want to look for each provider’s explanation of how you can trust that your data is secure as you send it to the cloud or download it. The same goes for data at rest, which is the data that resides within cloud servers.

Each provider will have encryption methods so that hackers cannot read your stored data without the proper key. However, when you use cloud backup, the provider holds the key.

If you believe the cloud to be more trustworthy than the companies that keep the cloud, you can obtain an additional level of security by encrypting your data before backing it up. Encryption software such as CertainSafe and AxCrypt enables you to create your own encryption lock to which only you hold the key. With added security on your side, the encryption on their side is a double down on data security. For more in-transit security, look into VPN services available from cloud providers.   

VPN At a Price

Additional trust in the cloud can be created in the form of a VPN. Imagine a VPN as an armored truck, which you contract to protect your data as it goes to your safe (i.e. the cloud). Azure, GCP, AWS and IBM Cloud all offer a VPN as an upgrade for their cloud services.

This option does, however, increase your cost for cloud services. In order to use a provider’s VPN, your company will most likely have to pay a premium based on minutes of VPN connection and/or through purchasing a Virtual Private Cloud account that is isolated from the shared cloud. You can also establish your own VPN, but this not only adds monetary cost but also cost in the form of time needed to manage the VPN.

This does not mean to imply that cloud backup cannot be trusted without additional levels of security on your part. Cloud providers are utilizing numerous methods to assure your data security. Some of the most effective security methods are more dynamic than regular ol' firewalls.

Managing Access

When taking security measures into account, 'firewall’ is a pretty big buzzword for cloud providers. It sounds heavy, resistant and strong. Firewalls are quite necessary for protecting against intrusion from outside actors, but the most effective security measures also account for attacks from within.

From an IT perspective, you should pay attention to identity and access management (IAM). IAM practices are a framework of policies that implement authentication in many forms to assure that only those who need sensitive information can access it. Some IAM practices include multiple levels of password authentication, personal security questions, management of permissions and granting minimal access privilege in order to assure that sensitive data is accessible by only a few necessary personnel.

Depending on the service, creating your own network of multi-step authentications for your business' data can be made simple through your cloud provider’s interface. For example, GCP offers a Cloud Identity portion of their cloud service, which allows you to manage permissions for individuals and groups from a meta level and also more granular resources. AWS has the AWS Management Console, where you can manage permissions at many levels and set up a custom set of multi-factor authentications. These authentications can include hardware, like AWS key fobs and display cards, and time-based one-time password standards.

The Future: Machine Learning

To stay ahead of the curve, let’s look at some future tech that could be rattling around the cloud in your lifetime. You may see AI protecting your data at one point--yes, AI. Or, more directly, machine learning as a form of security monitoring led by computers instead of erring humans.

Any cloud provider has staff watching for abnormal happenings that could lead to security breaches. You would also manage security alerts as the proprietor. AI would do the same job by continuously 'learning' what normal data sets look like in order to spot aberrations faster than a measly humanoid can click on an alert. This may be far off, as researchers doubt current technological ability for AI to take completely over, but it's definitely something many in the industry are contemplating. 

Bottom Line

When it comes down to it, cloud backup is a service, and the cloud giants work for you. So, as in any other business decision, look into what you get out of it. Consider the security staff and support services you have available to you. A provider's expertise and attack mitigation ability will be a necessary baseline for your trust in the cloud and your cloud provider. For the greatest security, purchase your own encryption software, send information to the cloud with VPN and choose a provider that offers services that best suit your needs.

Leah Heilbrunn
Topics
IT Pro
Security
6 Comments Comment from the forums
  • manleysteele
    No.
    Reply
  • Onus
    Short answer: No. Regardless of current laws and agreements, eventually the "right" amount of money will have changed hands, and any data put in the vapor will be made available to advertisers, snoops, muckrakers, and/or other parasites.
    Furthermore, vapor-based backup is all well and good, but vapor-based restore may have time and/or bandwidth constraints, or may be impossible due to a service outage (especially in the event of the very same disaster that necessitated the restore). Yeah, your critical data may be safe (but see 1st point), but that may include safe from you too, at least for some time.
    Reply
  • kep55
    No. A cloud is just a bunch of holes held together with vapor.
    Reply
  • WyomingKnott
    Sigh. I coulda written that article in one word. "No."

    How about "Why your business can't trust the cloud, what you can to do mitigate the risk, and how exposed does this leave you compared to running your own hosted data center?"

    I won't even use the "patient portal" my doctor's computers are urging me to. How convenient! Test results available instantly to anyone who can scrape up a dollar to pay a Russian or Chinese hacker.
    Reply
  • kep55
    Some jerk has co-opted your forum and is using it to spam people.
    http://www.tomshardware.com/community/profile-2790434.htm?utm_medium=email&utm_source=forum_email&utm_campaign=EPR-8809, user yawub.

    Yup, the cloud and internet are really secure.

    Reply
  • valorbluepig
    Wyomingknott, I'm right there with you, and have written about this topic many times. In 2014 I was outsourced because of a company called Emphasys, largely for going against the CIO's love of outsourcing and new wave cloud hysteria (all surveys show both cost more than in-house solutions over time). But when a CIO spends every waking hour trying to conjure artificial up front cost savings so she can grow her bonus and profit sharing structure, it turns out to be a losing and career ending battle for those standing in opposition.

    The first year that cloud services saw large corporate migration there were billions of dollars of corporate data loss (I used to have the Gartner, Bloomberg and MIT tech reports on the topic). Our company was the third largest patent holder in the world, and beyond the successes of our product offerings, we thrived from our IP. My anti-cloud chants and professions of Chinese, Russian and Indian hacking were always met with figurative pat on the head dismissals. The last 6-7 years have proven out my position and the obvious.

    Any promised or even proven security measures are about to be relegated to the dumpster of eternity thanks entirely to FVEY (Five Eyes). These 5 country/nation states have demanded privately accessible back doors to all programs and security protocols under threat of legislative action, punitive financial action, loss of license and "more" (the government's way of saying we can do anything we want).

    In short, as long as programs are written by people, hacking, Russia, China, India and the NSA are involved, no program or security protocols will protect our data, or interactions with and between computers.
    Reply