An Inside look at avoiding cloud risks

by [Published on 3 April 2013 / Last Updated on 3 April 2013]

In this article the author will cover recent events that have exposed millions of users due to lack of planning and contingency.

Introduction

At the speed at which companies and individuals are adopting multiple cloud platforms, the high level of risk is unavoidable. In this article we will cover recent events in the UK and Europe, which have exposed millions of users due to lack of planning and contingency.

Disclaimer:
It is important to point out that I am in no way against cloud technologies, in actual fact I have been involved in building some of the largest platforms for over ten years. This article is more about protecting the organizations data assets and should not be seen in any way as anti-cloud.

There is no point to speed if you can’t control it…

Uncontrollable adoption of a technology has its benefits to the vendor but can leave the organization exposed. A good example of this is when organization’s employees quickly adopt technology like cyber lockers. There are many out there and now these technologies come fully loaded with military grade encryption and sometimes even stronger encryption that may not even be legal in your country.

I advise many organizations on this matter; encryption using publicly generated keys that the company cannot decrypt their own data is a significant risk.

A good idea would be to not allow this practice through the use of technical, administrative controls with a dash of education. Education and clear communication is key, employees need to understand that company data is the companies’ asset and the company dictates how this data is stored, shared and handled. At no point should the individual be able to lock the company out of their data asset.

We know that data is a company asset, especially if it’s produced on a company machine or in company time on other machines, and even if it traverses a company network, depending on the company policy you are likely to find that organizations can lay claim to this data. Moreover native company data is leaking at an alarming rate through these cyber lockers, because users find it easy to share data.

Organizations need to find and enforce multiple controls when dealing with this issue. Firstly establish a strong administrative control that advises users that it is in no way acceptable to leak company data or share it in this way, unless expressly stated in writing that users can share data in this way, using a company preferred cyber locker. In many cases these technologies are available through private clouds…

Secondly, use strong technical controls that monitor data leakage through multiple exit points. Many DLP technologies are available on the market today and although they may not be simple to secure it is strongly recommended that these get implemented to avoid and mitigate against data leakage.

Next: ensure that you are covering the mobile devices sufficiently; it’s a challenge to stop these in this day and age and I have yet to find an organization that has properly been able to ban the use of private devices. There are many controls your organization can adopt to mitigate data loss through the use of personal devices. Building and communicating a clear mobile policy and applying technologies to look after company data is a must if you want to protect and authorize access to your data asset.

Finally label all company data so that it is clear that the data belongs to the company. There are so many people out there sharing data and they find it so easy that if all your technical and administrative controls fail, at very least if it’s found out and the data is correctly labeled with company confidential there is no excuse. Labeling also can help track and protect data as some organizations have different levels of labeling, this means that they can apply controls to data that has sensitivity rather than applying controls to all data.

Just because its cloud doesn’t mean you don’t need contingency

Recent events in the UK and in Europe have shown that even by hosting with the largest cloud providers disaster can strike leaving subscribers that are without a contingency plan dead in the water.

This is a lesson like any other that has to be learnt the hard way, it applies to any subscriber of any cloud platform, including your own private cloud, be it on-premise but remotely managed, hybrid cloud or fully hosted and managed in the cloud. It is evident that out of 3000 plus customers only a handful had reasonable and workable contingency plans in place. To spare you the details I will focus on how to rectify the problems rather than what has happened.

Making sure your DR/BCP is up to date and workable

No matter how much your provider tells you that everything is going to be OK there are multiple resilience strategies the highest up time and trained staff all sorts of threat vectors can initiate to bring you down.

Without availability, one of the three pillars of security you have no security. It is virtually impossible to guarantee connection over the Internet (the public network). Although the reliability of the Internet is always improving there are too many factors that can risk your business. Private cloud can address majority of these threat vectors. This can be mitigated by contractual SLA’s. I use public cloud services personally, some are great but many have a long way to go.

Even an SLA can let you down due to unforeseen circumstances. More recently a group of companies in Europe that provided cloud services to about 3000 customers with total impact of over a million users interlinked with the largest IT vendors in the world vaporized in exactly six weeks.

No one thought it would happen to them

Customers with critical infrastructure that had gone to this cluster of services at a particular provider to guarantee a high level of service, more stability and disaster recovery, did not have a contingency plan, for such a large provider to liquidate. The end result was that the customers lost all of their data, hosted infrastructure and access.

What you should be doing?

I’m not surprised that these customers did not have a contingency plan because of all the promises providers tell customers. The only way to ensure that this does not happen to your organization is to test and evolve your contingency plans and verify that you can decouple from the cloud provider and move to an alternate provider if your primary provider were to default in any way.

People have a false sense of security because the provider is larger than life, but the fact still remains that no matter how small or large the provider it could disappear in just over a month. The bone chilling facts are that out of 500 of the top European companies that had all gone through extensive due diligence every single one of them overlooked the possibility that a billion dollar company would close in six weeks.

How to share your eggs amongst multiple baskets

The analogy I always use with all of my customers is how many people thought that two planes would strike two towers right next to each other. What are the odds, about the same odds as a billion dollar company closing in six weeks? What you could do, to alleviate this issue, is something that will require dedication, creative design and costs a little more money than you have already invested with your provider. Not only will this keep you in a job in times of cloud but it will also massively “derisk“ these eventualities

  • Contract ensuring you can move all your data across to an alternate provider.
  • Ensure you have your own backup of the data and that you can recover the data in an alternate environment.
  • Always know that if the service traverses a public network there is an element of risk, no matter how great you might think the solution is, the risk is there.
  • Test the solution before jumping in with both feet.
  • Know that adopting consumer solutions for corporate use has consumer related issues that may not be acceptable to a corporate.
  • Communicate your policies to your employees effectively, so that they know what is allowed and what is not. Most people have no idea that sharing company data is a problem.
  • The more active you are in this area the better your company will be protected.

Conclusion

The cloud has changed the way we work and the way we interact with each other. With just a couple of clicks we can share data with colleagues or signup to a service that allows access to our work environments. Protecting your data asset is even more important now than ever before so it’s time to take the appropriate action.

The Author — Ricky M. Magalhaes

Ricky M. Magalhaes avatar

Ricky M Magalhaes is an International Information Security architect, working with a myriad of high profile organizations. Ricky has over 16 years of experience in the security arena covering all ten domains including best practice and compliance. Ricky is a strategist on security and innovating creative ways to achieve compliance and mitigate risk, to many blue chip entities and forms part of the advisory boards to many organisations worldwide.

Latest Contributions

Advertisement

Featured Links