Posted from my original article in SC Magazine UK http://www.scmagazineuk.com/how-to-thwart-hackers-in-the-cloud/article/285182/
Cloud computing is a familiar term in the enterprise market.
We know it acts as a fantastic tool to help businesses operate more efficiently, yet for security professionals, cloud computing presents potential risks, which is why we all need to be on the same page when it comes to protecting our valuable information.
As we move to a cloud-driven future, businesses are beginning to see security as a major issue. At the moment, though, too many cloud adopters are either unaware of the risks that cloud computing brings or feel they needn’t worry about them.
According to Ernst & Young’s recent research, the 2012 Global Information Security survey, 59 per cent of respondents said that they used or planned to use cloud services. Yet over a third had not taken any measures to mitigate risks.
Cloud computing users are now seeing people gain unauthorised access to their intellectual property, and the quest for access to such worthy assets will only continue. Sophisticated, sustained attacks, known as advanced persistent threats (APTs), against companies are likely to increase in the future.
Worryingly, a successful APT launched against a cloud computing service could seriously damage your IP – and indeed your reputation.
In August last year, hackers broke into the Dropbox online storage service using a list of customer email addresses from an employee’s account. Later that month, a Wired reporter had his Apple iCloud account hacked by an attacker who gained access by socially engineering the company’s tech support service.
While the employees who allowed those breaches to happen were well-meaning but unwitting, there is always the danger of an intentional inside job. If an employee working at a cloud service provider decides to pass off a client’s data to the highest bidder, it could result in an expensive and embarrassing breach involving that client’s own customers.
Be accountable for your information
If you are using the cloud, you must take responsibility for your IP. It’s not acceptable for any cloud user to claim ignorance and blame a breach on its third party provider. Put simply, it won’t stick. The Information Commissioner’s Office (ICO) will come down hard on any negligent cloud adopter, after it recently clarified that a company collecting data from its customers is responsible for that data – regardless of which third party it enlists for help.
Now that information can reside anywhere in a digital cloud, it no longer pays to think of security in terms of physical infrastructure alone. Companies have to think about corporate security in different ways, and this means focusing on the information that you are storing and manipulating.
Mitigate a breach through encryption
One of the best methods to keep your information safe from hackers is encryption. It uses a secret pair of digital codes called keys to encrypt the information. Without these keys, the information cannot be decrypted, which means it is unintelligible to anyone unauthorised to see it – regardless of where it is stored.
Encryption needs to work seamlessly for business users and their customers, so that they can retrieve their information without friction. However, this raises the question of who owns the keys.
Protecting your keys
Cloud service providers that do encrypt a client’s information usually store the keys. However, this brings us back to our original predicament. If a hacker or a disgruntled employee steals the keys, they have access to (unencrypted) client information.
It’s therefore important that the client retains and manages the encryption keys locally – and Gartner recommends this too. Companies should also ensure that the keys are properly rotated and destroyed to keep them secure over time.
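To make the point about client-held keys concrete, here is an added example (not part of the original article) of envelope encryption in Node.js: data is encrypted before upload, the key-encryption keys stay in a local keyring, and rotation and destruction are explicit steps. The names LocalKeyring, encryptForCloud, decryptFromCloud and rewrap are hypothetical, and the in-memory keyring stands in for an on-premises HSM or key manager.

```javascript
const crypto = require('node:crypto');

// Hypothetical client-side keyring: key-encryption keys (KEKs) stay on premises.
class LocalKeyring {
  constructor() { this.keks = new Map(); this.current = 0; this.rotate(); }
  rotate() { this.keks.set(++this.current, crypto.randomBytes(32)); return this.current; }
  get(version) {
    const kek = this.keks.get(version);
    if (!kek) throw new Error(`KEK v${version} is not available`);
    return kek;
  }
  // Zero the key material, then forget it.
  destroy(version) { const k = this.keks.get(version); if (k) k.fill(0); this.keks.delete(version); }
}

// AES-256-GCM; output layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv).setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}
function unseal(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad).setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}

// Fresh data key (DEK) per object, wrapped under the current KEK. Only this
// record is uploaded; the provider never holds a key that can open it.
function encryptForCloud(keyring, objectId, plaintext) {
  const dek = crypto.randomBytes(32), aad = Buffer.from(objectId);
  const wrappedDek = seal(keyring.get(keyring.current), dek, aad);
  const body = seal(dek, Buffer.from(plaintext), aad);
  dek.fill(0);
  return { objectId, kekVersion: keyring.current, wrappedDek, body };
}
function unwrapDek(keyring, rec) {
  return unseal(keyring.get(rec.kekVersion), rec.wrappedDek, Buffer.from(rec.objectId));
}
function decryptFromCloud(keyring, rec) {
  const dek = unwrapDek(keyring, rec);
  try { return unseal(dek, rec.body, Buffer.from(rec.objectId)).toString(); }
  finally { dek.fill(0); }
}
// Rotation: re-wrap the small DEK under the newest KEK; the body is untouched.
function rewrap(keyring, rec) {
  const dek = unwrapDek(keyring, rec), aad = Buffer.from(rec.objectId);
  const wrappedDek = seal(keyring.get(keyring.current), dek, aad);
  dek.fill(0);
  return { ...rec, kekVersion: keyring.current, wrappedDek };
}
```

Once every stored record has been re-wrapped, destroying the old KEK version makes any stale copy of a record wrapped under it unreadable, even to someone who holds the ciphertext.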
Your information is number one
When using the cloud, treat your company’s information as a first-class citizen. Make it your priority to protect it. Consider regulatory requirements when implementing strategies to protect your information, and ensure you cover your bases with regard to data export and residency restrictions.
Also, consider working with a trusted third party security platform that can protect any kind of cloud application. Security services that can integrate with existing infrastructure and with custom web apps will help to reduce your costs too. This way, you can embrace moving your information and applications to the cloud – without the headache.