Cloud security: fact or fiction?

Just how safe is your data when it is in the clouds? Opinions differ widely.

As our cloud survey article showed, data is moving to the clouds at high speeds across all kinds of organizations. But is the data safer than it was when these organizations kept it locked away on their own premises?

Unfortunately, cloud security is a complex — and much-discussed — subject that elicits many divergent views. The complexity arises partly because there are different types of cloud, which can carry different risks. The main ones are:
  • software-as-a-service (SaaS): This includes Salesforce and NetSuite, as well as consumer services such as Facebook
  • infrastructure-as-a-service (IaaS): Microsoft Azure and Amazon Web Services
  • platform-as-a-service (PaaS): Google App Engine and IBM Bluemix.
Just to complicate matters even further, each of these cloud types can be hosted in a private, public or hybrid environment. See our cloud primer for more on the different types of cloud. 

To understand the complexities associated with cloud security, we talked to two experts: Paul Cleary from Horn IT Solutions in Toronto and an anonymous employee from Google. Some of their thoughts are included below.

SHOULD THE CLOUD BE BLAMED?

Concerns about cloud security are not new. Long before cloud computing became popular, payroll services such as ADP offered an equivalent system to their customers. It’s just that cloud computing has now become mainstream and we read about shocking data breaches. It turns out that most of these breaches did not occur in the clouds. A quiz in Law Technology Today listed a number of attacks and asked which of them breached cloud systems and which successfully accessed on-premises systems.

  • NSA Snowden leaks
  • JP Morgan Chase breach
  • Home Depot breach
  • Jennifer Lawrence iCloud photos
  • Target breach
  • North Korean SONY attacks
As it turns out, the only attack on that list to hit a cloud system was the Apple iCloud hacking of Jennifer Lawrence’s pictures. And as the Law Technology article points out, “the intruders gained entry through poor user password usage, not through fancy cyber hacking or security issues with iCloud itself. The other attacks were breaches of on-premise corporate systems guarded by IT departments.”

But this doesn’t mean the cloud is fail-safe.  It carries its own risks.

SECURITY RISKS

1. Unlocked data: In the past, an internal IT department (to the extent it was competent) locked down the company’s data. But now it’s easy for employees or departments to move confidential company data to the clouds via platforms such as Dropbox, Google Drive and Microsoft OneDrive. Control over access is now in the hands of employees, who could intentionally or unintentionally expose the data to unauthorized access. For example, confidential data should be encrypted but employees could store it in an unencrypted format. As an article in the Toronto Star pointed out, they can also put confidential information at risk of exposure simply by using public Wi-Fi.

2. Failure to follow processes: Some service providers claim to offer cloud security but don’t provide full control, such as intruder detection. Also, if you look at the fine print in the provider’s contract, the customer is still responsible for certain areas — and might not be following the proper procedure. As a recent article by Gartner pointed out, “Through 2020, 95% of cloud security failures will be the customer's fault.” This is no different than when the data resided on the company’s premises. But the risk is greater when the data is in the cloud because the company is more reliant on the service provider.

In the past, companies were reluctant to put their confidential data — their crown jewels — in the clouds. But over the past few years, as cloud computing has become mainstream, they have relaxed somewhat. Still, most small to medium-sized companies realize that they don’t have the expertise to manage their own data security, and that their provider will do a much better job. This is most likely true: cloud providers have had to step up their investment in cloud security because their reputation, and ultimately their business, depends on it.

About the Authors

Michael Burns


Michael Burns, MBA, CPA, CA, is president of 180 Systems (180systems.com), which provides independent consulting services, including business process review, system selection, business case development and project management.

Margaret Craig-Bourdin


Margaret Craig-Bourdin, MA, DEA, DESS, is editor, online edition, at CPA Magazine.
