Looking back, one might wonder how we ever got along without cloud computing. Cloud computing has, and will continue to be, a disruptive technology in how it transforms the way we use the internet.
Along with cloud computing, advances in microprocessor technology are altering our concept of computing. “As microprocessor speeds have increased, so has memory density and speed,” wrote Tom Kulik, an intellectual property & information technology partner at Scheef & Stone, LLP., in his Above the Law article Hey, You, Get Off Of My Cloud: Cybersecurity Considerations For Managed Service Providers.
“With the increase in performance, however, came a decrease in costs relative to performance, creating powerful new architectures leveraged by technology companies (such as cloud computing) to provide easily accessible and highly useful applications to the masses,” said Kulik.
SEE: Shadow IT policy (TechRepublic Premium)
Unfortunately, improved performance, access and capability help cybercriminals as well. Kulik cited a prediction from a 2009 MIT Technology Review article that when security migrated to the cloud, cyberattacks would follow.
“In essence, the same architectures that are fueling the expansion and acceptance of the cloud are also turbocharging technologies used by hackers,” explained Kulik. “From distributed denial of service attacks to sophisticated ransomware, bad actors are definitely leveraging the cloud.”
As to how the cloud is being leveraged, malware–once the purveyor of elite darkside programmers–is now available to anyone who’s willing to pay for it and a delivery platform. This is giving cybersecurity professionals pause. So much so, they are revisiting their in-house cybersecurity practices as well as resources provided by managed service providers.
The “rethink” by those responsible for a company’s cybersecurity is important now more than ever as the numbers have it making sense for companies to move their business platforms to the cloud. “More importantly, your company (or clients) need to not only be aware of this attack vector but be prepared to adapt to this ever-evolving threat landscape,” suggested Kulik. “It’s more than just good technological practice–it is becoming essential to limiting legal liability.”
In addressing liability, Kulik explained how and why failing to address cybersecurity exposes businesses to fines and legal claims in these articles: Location, Location, Location: Why Data Privacy In The Cloud May Never Be The Same and Cybersecurity & IP: Don’t Let Hackers Grab Your Digital Assets.
How to mitigate cloud-related security risks
Kulik offered the following considerations.
Balance efficient operation with security optimization: Integrating third-party infrastructure may be good from a performance perspective, but terrible from a security one, suggested Kulik. “This is even more important when third-party infrastructure is integrated in the platform,” he explained. “Unfortunately, there can be tension between IT, corporate and legal when it comes to implementation.”
He added that it’s essential for those responsible for IT, legal matters and administration to work together to achieve an acceptable balance between performance and business/legal risk.
Network segmentation is a good thing: Kulik argued that network segmentation is vital. He used the Cloud Hopper attack profile as an example. “Proper segmentation of networks would have helped limit privileges and ‘stop the hop’ along that attack vector in its tracks,” Kulik added. “By segmenting sensitive information into other virtual servers and further compartmentalizing it, you will make it far more difficult for hackers to get to that information in the first place.”
Another important consideration is limiting lateral access across platform services, which should reduce data-security liability.
Data encryption is your friend for now: Encrypting data is a no-brainer and incorporating it should be especially considered when using cloud services as it limits data exposure and liability. That said, there are factors that push back at using data encryption:
- Encryption may not always be available for the application or viable from a user performance perspective; and
- convenience and access times are negatively affected.
Kulik believes quantum computing will limit the viability of current encryption mechanisms. He added, regarding using quantum technology, “Raw computing power makes brute force hacking of encryption keys within a reasonable time frame possible.”
Onsite cybersecurity platforms are not faring well against cybercriminals. When cybersecurity experts warn that cloud computing presents even more risks, it might be time to pay attention.
Kulik concluded by saying, “Take the time to consider the foregoing carefully, otherwise the digital umbrella simply won’t cover as much as you think, and what’s worse, your company (or client) will pay for it.”