Blog

Risks and solutions in cloud computing

January 29, 2014 by Robert Siciliano — speaker, IDTheftSecurity.com

A public cloud service can bring up five risks for a business. Following are descriptions of each of these risks and their solutions.

1) Unauthorized access

Cover the three A’s: authentication, authorization and access control. Here are some questions to consider about a cloud service:

How often does it clean up dormant accounts?
What kind of authentication is necessary for a privileged user?
Who can access or even see your data?
Where is it physically stored?
Does your organization share a common namespace with the service (something that greatly increases risks)?
Are private keys shared among tenants if data encryption is used?

Ask your cloud vendor these questions. Get answers.

2) Multiple tenants

There’s always a concern about data inadvertently slipping out to tenants who share the cloud service with you. One little error can expose your data and even set you up for identity theft.

Breaches can include accessing data of other tenants from supposedly new storage space, and peering into other tenants’ IP address and memory space.

3) Virtual exploits

There are four chief kinds of virtual exploit risks: server host only; host to guest; guest to host; and guest to guest. Many cloud customers are in the dark about virtual exploits and are clueless about the vendor’s virtualization tools. Ask the vendor:

What virtualization products do you have running?
What’s the version currently?
Who is patching the virtualization host?
How often?
Who’s able to log into any virtualization host and guest?

4) Questions of ownership

Here’s a surprise: Quite a few cloud vendors state in their contracts that the customer’s data belongs to the vendor, not the customer. Vendors like ownership because they have more legal protection should a mishap occur. They can also use data for other activities that bring in more revenues.

Find out if the contract contains language referring to vendor ownership of data.
Learn what the cloud provider can do with it if, indeed, they have ownership.

5) Fallibility

Even the biggest and best cloud services can be dismantled due to service interruptions, attacks or some miscellaneous issue with the vendor.

Funny, because a cloud provider typically insists it has superior, super-protected data backups in place. Be aware that even when a provider claims a guarantee for data backup, data can indeed get lost — even permanently.

Back up your data!
Require some language in the contract that entitles you to damages should your data become permanently lost.

Cloud services haven’t been around long enough for analysts to have come up with a predictable, clear model of all the possible risks, the likelihood of those risks being realized, the probability of security failures, and how much, if at all, these might negatively affect customers.

And that’s just in general. Figuring this out for a particular vendor is even more vexing. There are many unknowns, but you can at least work on minimizing them.

Obtain a copy of the vendor’s last relevant, successful audit report.
Seek out information from the vendor about prior incidents of tenant data problems.
Ask about the vendor’s policy of reporting data compromises to customers.
Grind out just what the provider’s responsibility really is.

Robert Siciliano is an identity theft expert to AllClear ID, and the author of "99 Things You Wish You Knew Before Your Identity Was Stolen."

Read more about security.