Is the Cloud still safe in 2018?
Cloud Computing has finally become the norm and has stopped topping the new technology trend lists as it has matured and become mainstream now. All types of business are moving towards Public, Private or Hybrid Clouds and Software-As-A-Service (SaaS) is growing so fast, with companies like Salesforce and Workday leading the way, that it is predicted that a third of all global enterprise applications will use SaaS by 2018.
50% of organisations now have a ‘Cloud first’ or ‘Cloud only’ policy (source: North Bridge Cloud Computing Survey) and 90% use the Cloud in some way. By 2019, it is expected that more than 30% of the 100 largest vendors' new software investments will have shifted from Cloud-first to Cloud-only.
Gartner even forecasts that Public Cloud will almost double in 4 years by 2020 and they have notoriously under forecast Cloud adoption in the past. They also believe that overall demand for Cloud as a whole this year will grow 18% and that Public Cloud infrastructure will grow by 36.8%.
Source: Gartner (February 2017)
All types of company depend on the market leading data centres managed by Amazon Web Services (AWS), Microsoft and Google rather than holding all of their data inhouse because of the cost and complexity involved. The iOT and AI worlds have also grown extensively and therefore so has the huge amount of data needing Cloud infrastructure to look after it. Many SaaS companies which previously used their own data centres are now using Public Cloud services and the chart below shows the hold that AWS and Microsoft currently have, although Cloud stats are debatable depending on what you deem as Public Cloud.
There is little debate however about the evidence from a wide variety of sources supporting the fact that Cloud adoption is still growing apace and is around for the foreseeable future.
You may be in one of the organisations still figuring out where Cloud should fit within your IT strategy. It is likely that in trying to cut costs and transform your business that you’ll adopt Cloud in a bigger way soon so you can be more agile, scale quicker, save money and innovate and grow. Building your own energy-hungry data centres is expensive and time-consuming, while managing hundreds of software applications consumes your IT resources at too fast a pace. If you can outsource a lot of your hardware and software to specialist tech companies that can expand or reduce the level of service according to your needs, it can save you a lot of time and money and you’ll also be able to develop new products and services much quicker giving you a competitive edge
Cloud computing is everywhere - but is it safe?
We all seem to be on the Cloud now or seriously thinking about it - but is it as safe as we all think? Are we just quelling those nagging doubts at the back of our minds because Cloud is so popular that it must be alright?
Cloud probably is inherently safe but major breaches certainly do take place. In the last year, we’ve had breaches at Google Drive, LinkedIn and Evernote – all household names. In July, Verizon (the largest US wireless carrier) had 6 million customer accounts exposed due to a misconfigured security setting on a Cloud server due to ‘human error’.
Global Cloud Cyberattacks could cost $53 billion according to Lloyds Insurance (and only 17% are covered by insurance Lloyds kindly points out), but they also admit that risks are very hard to quantify. Skyhigh have collated data from 30 million users and their findings are telling, showing that 18.1% of Cloud based file sharing and collaboration contained sensitive data from a variety of sources - from financial reports, payment information to health, revealed by merely searching the internet. The average enterprise experiences 23.2 Cloud related threats per month – an increase of 18.4% from 2016 and nearly every organisation gets at least one threat per month.
Another issue is that many Cloud services rely on Open Source code and common infrastructure. The potential threat level may vary significantly depending on the size of the coding community and its ability to detect issues. If there is one vulnerability there is a chance that it could hit many providers, such as the Heartbleed bug from 2014, which can still affect providers now due to a vulnerability in the open source OpenSSL protocol that powers secure website communications.
Not all threats are created equal however and the average enterprise experiences 10.9 insider threats per month with 93.5% experiencing at least one per month. Not all of those are malicious and can be unintentional. It is vital that your staff are well trained to understand the tools that they use and the way to handle data. However, the sheer nature of human error ensures that mistakes will happen occasionally and employees often use systems in inadvertently risky ways which companies often overlook, such as sales people who download customer data when they leave. One might presume that the onus is on the Cloud provider but unfortunately it lies with the company and unless you have a series of controls in place you may be totally unaware.
According to Skyhigh, only 1 in 10 of the providers of the 20000 Cloud services in use today follow industry best practice for encrypting data and enterprise grade security controls. Many enterprises (31.3%) even block particular Cloud services as the risk is deemed too high for the benefits given
You might also like to ponder the power of government surveillance where Cloud computing companies have to surrender data to the US government on request. Companies such as Google, Microsoft, Facebook and Apple oppose this but are required to comply by law. In the UK we have the Regulation of Investigatory Powers Act 2000 (RIPA) which ‘requires persons to decrypt information and/or supply keys to government representatives to decrypt information without a court order’.
There may be some sense in sharing the potential risk across different countries for a number of reasons from political, data protection to natural disasters e.g. if one data centre is destroyed in an earthquake or other natural disaster, your data is still safe. How do you feel about holding your data in some strange remote place and being unaware of whose data sits beside it? What if it gets lost, wiped, corrupted or stolen? You can’t always assume that your data is secure – it’s your data and you are still responsible for it. The major Public Cloud providers offer a number of data centres - AWS covers 12 regions globally - storing multiple copies of customer data. Providers are more likely to offer hosting in your own region now however due to the rescinding of the Safe Harbour data sharing agreement and the Edward Snowden leaks.
How do Cloud providers keep your data safe?
Essentially encryption is the main method both while data is moving and sitting in the Cloud servers. The way data is encrypted is also key and many companies ‘shard’ their data into little blocks which are separately encrypted and stored in different locations so any risk is minimised substantially. There are also a number of other methods such as sending links to preview data rather than downloading it or two-factor authentication using one-time codes on device such as fobs or smartphones.
AWS has more than 1800 security controls governing their services and many providers allow customers to control their own encryption keys and set rules for accessing the data or applications so workers at the provider can’t even access it. It is worthy of note to mention here that most breaches come from internal staff but you probably want the peace of mind that the providers staff can’t do this too. It is really important to note that the customers are totally in charge of how the data is protected and the providers just supply the resources. Saying that, Amazon as a retailer happily runs its whole business on AWS.
You must compare the quality of your provider to that of your in-house team and ensure that the provider truly understands your business and its needs. Some Cloud providers specialise in certain areas but you must check that they understand the regulatory requirements for your industry and can give evidence of what they can provide with associated certifications where necessary. The reason so many companies use AWS could simply be that they trust them by reputation more than anything else
Should you go Hybrid?
If safety is your main concern, rather than cost or efficiency, then Private Cloud is certainly the securest option when picking Cloud services. It gives you much greater control but you will certainly find the cost is high for a stronger level of security.
A hybrid option of Public, Private or your own data centre is fast becoming the most popular option certainly with enterprises where 85% have a multi Cloud strategy compared to 82% last year. Hybrid allows you to keep each aspect of your business in the most appropriate Cloud e.g. you could keep your client interaction in Public but the data in Private or even have a SaaS vendor create a Private Cloud within their firewall for you with a VPN (virtual Private network), which is ideal but you’ve got to keep track of all of your Clouds and ensure that they can all communicate well with each other.
It may not be an option for all companies as it can be complex and isn’t a decision to be taken lightly.
So, is it safe for my company to rely on Cloud storage still?
There isn’t anything in this world that seems totally safe unfortunately now but with Cloud storage it is as safe as you want to make it to a certain extent. If you are prepared to pay to store your data in the most complex way possible for your company and have trained your staff on handling data in the best way and run regular checks to ensure best practice prevails it will be safer than most. The onus for safety lies with your company to decide how safe they want to be and to ultimately control that safety.