Beware the thundercloud!

Cloud Computing has been gaining prominence in the IT world for a number of years, particularly because it offers companies flexibility and easier scalability, but just how secure is it?

To help us better understand the security threats, Cloud Computing can be categorised as follows:

  • Software-as-a-Service (SaaS)
  • Platform-as-a-Service (PaaS)
  • Infrastructure-as-a-Service (IaaS)

Depending on the service model adopted, the responsibility for creating a secure and accessible environment swings from the cloud provider to the end subscriber.

A few of the many cyber security threats both parties would need to consider and address are:

  • Insecure software interfaces / application programming interfaces (APIs)
  • Inadequate user authentication, access and auditing controls
  • Inadequate data segregation and / or encryption
  • Insecure data transfer across the internet between the end user and cloud provider
  • Incorrect configuration, management and use of the shared underlying technology

Cyber security threats within a cloud environment are best tackled by adopting the appropriate industry best practices. The Cloud Security Alliance, a not-for-profit organisation set up to help promote these, offers a useful collection of initiatives. For example, their Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ) both help assess the existing security risk of a cloud capability, as well as identify which security principles should be adopted or strengthened going forward.

The many positives of Cloud Computing are well documented and the various models have been adopted the world over. However, getting cloud security wrong can land you in the news and potentially cause massive brand damage. Examples from 2011 include Epsilon’s permission-based email marketing service and Amazon’s EC2 web service.

If you plan to adopt a cloud computing model, or if you already do so, have you identified, and more importantly addressed, the associated cyber security risks and contingency plans?