Many companies are moving to the “cloud” these days. It’s an amorphous term, indicating using a shared network, usually the Internet, to save costs and increase efficiency. It often makes sense financially. Rather than operating your own data centers or owning servers, why not rent those of a company that specializes in that area and focus on your core business? But with the recent breach of Microsoft 365, used to send infected ransomware emails to a large portion of its user base, does it make sense for you from a security standpoint? There have been many other less publicized breaches, and given the increasing popularity of this technology, let’s take a moment to evaluate the “cloud” from a security standpoint.
There are several security challenges for cloud services. First of all, they will generally have a larger exposed attack surface from the Internet than private servers hosted behind a corporate firewall. By their nature, cloud services must be available from just about all of the public Internet. Some cloud application servers sit at the edge of the Internet, with very little blocking unlimited access. DMZing, or walling off your applications, while possible, is more difficult in the cloud than with a private network. With a private network, a separate physical segment can be created with only one firewall interface in or out.
Second, because the services are usually at least partially shared, they will have a large user base and more generic security rules than a service run just for your company. These rules are often “dumbed down” for general use. An example is password self-service, where most cloud services allow users to reset their password with a simple click that sends them an email with a reset link. This means that if your email gets hacked, it is easy to own every cloud service that you subscribe to. If you are the administrator of an Office 365 domain for your company, that can be a huge security breach. Authentication is problematic too. When you control your computing environment, you can count on using physical location as an additional authenticator (not allowing logins remotely). You can also implement more stringent controls, such as dual-factor authentication for certain sensitive services or areas. Your cloud provider may not give you these options or flexibility on these important elements. Kudos to Amazon Web Services, which is offering token-based dual-factor authentication for its virtual server offerings, but it’s by no means mandatory or universal for its entire service platform yet.
Finally, this latest high-profile incident illustrates a further danger to services in the cloud. When viruses sit on cloud servers accessed via a web browser, traditional antivirus and anti-spyware tools don’t help nearly as much. The files and links sit on a remote server that you don’t control and your local protections can’t scan. You must rely on the cloud vendor to provide those services. Many do, but if they are incomplete or not up to date, lapses can happen. Either way, you lose control. The Microsoft incident is just one example.
So, bottom line, can you depend on the security of cloud services? The answer, frustratingly, is that it depends on how you are using it, your applications, and your specific vendor. First of all, what are you using it for? Just email or entire data center operations? Do you use a public cloud or private cloud? What are the security protections the vendor offers? Don’t take the cloud vendor’s salesperson’s word for it. Talk to the technical staff and get detailed answers. In the end, if you aren’t comfortable with the vendor’s answers, reconsider your cloud strategy or find a vendor who can answer your questions. So, in conclusion, it is possible to be secure in the cloud. Just don’t let your head get stuck in the clouds: ask the right questions and get answers that satisfy you before deploying.